In response to Russia’s invasion of Ukraine, our teams have been on high alert to identify emerging threats and respond as quickly as we can. Here are a few updates on our security work.
In the last 48 hours, we uncovered a relatively small network of about 40 accounts, Pages and Groups on Facebook and Instagram. They were operated from Russia and Ukraine and targeted people in Ukraine across multiple social media platforms and through their own websites. We took down this operation, blocked their domains from being shared on our platform, and shared information with other tech platforms, researchers and governments. When we disrupted this network on our platform, it had fewer than 4,000 Facebook accounts following one of more of its Pages and fewer than 500 accounts following one or more of its Instagram accounts.
This network used fake accounts and operated fictitious personas and brands across the internet — including on Facebook, Instagram, Twitter, YouTube, Telegram, Odnoklassniki and VK — to appear more authentic in an apparent attempt to withstand scrutiny by platforms and researchers. These fictitious personas used profile pictures likely generated using artificial intelligence techniques like generative adversarial networks (GAN). They claimed to be based in Kyiv and posed as news editors, a former aviation engineer, and an author of a scientific publication on hydrography — the science of mapping water. This operation ran a handful of websites masquerading as independent news outlets, publishing claims about the West betraying Ukraine and Ukraine being a failed state.
Our investigation is ongoing, and so far we’ve found links between this network and another operation we removed in April 2020, which we then connected to individuals in Russia, the Donbass region in Ukraine and two media organizations in Crimea — NewsFront and SouthFront, now sanctioned by the US government.
In the past several days, we’ve seen increased targeting of people in Ukraine, including Ukrainian military and public figures by Ghostwriter, a threat actor that has been tracked for some time by the security community.
Ghostwriter typically targets people through email compromise and then uses that to gain access to their social media accounts and post disinformation as if it’s coming from the legitimate account owners. We detected attempts to target people on Facebook to post YouTube videos portraying Ukrainian troops as weak and surrendering to Russia, including one video claiming to show Ukrainian soldiers coming out of a forest while flying a white flag of surrender. We’ve taken steps to secure accounts that we believe were targeted by this threat actor and, when we can, to alert the users that they had been targeted. We also blocked phishing domains these hackers used to try to trick people in Ukraine into compromising their online accounts.
We’re recommending that people in Ukraine and Russia take steps to strengthen the security of their online accounts to protect themselves from being targeted by threat actors.
We encourage people to use caution when accepting friend requests and opening links and files from people they don’t know. Please refrain from reusing the same passwords across different services to prevent malicious hackers from gaining access to your information. We also strongly recommend using two-factor authentication on all online accounts.
Earlier this week, we rolled out additional privacy and security protections in Ukraine. We’re now adding them in Russia as well, in response to public reports of targeting of civil society and protesters.
We continue to add measures to help protect people’s privacy and security and will share these updates publicly. Read more about Meta’s ongoing efforts regarding Russia’s invasion of Ukraine.