Citation record for Incident 205

Suggested citation format

Lam, Khoa. (2022-02-25) Incident Number 205. in Lam, K. (ed.) Artificial Intelligence Incident Database. Responsible AI Collaborative.

Incident Stats

Incident ID
Report Count
Incident Date
Khoa Lam

Incidents Reports

In response to Russia’s invasion of Ukraine, our teams have been on high alert to identify emerging threats and respond as quickly as we can. Here are a few updates on our security work.

Coordinated Inauthentic Behavior

In the last 48 hours, we uncovered a relatively small network of about 40 accounts, Pages and Groups on Facebook and Instagram. They were operated from Russia and Ukraine and targeted people in Ukraine across multiple social media platforms and through their own websites. We took down this operation, blocked their domains from being shared on our platform, and shared information with other tech platforms, researchers and governments. When we disrupted this network on our platform, it had fewer than 4,000 Facebook accounts following one of more of its Pages and fewer than 500 accounts following one or more of its Instagram accounts.

This network used fake accounts and operated fictitious personas and brands across the internet — including on Facebook, Instagram, Twitter, YouTube, Telegram, Odnoklassniki and VK — to appear more authentic in an apparent attempt to withstand scrutiny by platforms and researchers. These fictitious personas used profile pictures likely generated using artificial intelligence techniques like generative adversarial networks (GAN). They claimed to be based in Kyiv and posed as news editors, a former aviation engineer, and an author of a scientific publication on hydrography — the science of mapping water. This operation ran a handful of websites masquerading as independent news outlets, publishing claims about the West betraying Ukraine and Ukraine being a failed state.

Our investigation is ongoing, and so far we’ve found links between this network and another operation we removed in April 2020, which we then connected to individuals in Russia, the Donbass region in Ukraine and two media organizations in Crimea — NewsFront and SouthFront, now sanctioned by the US government.

Hacking Attempts by Ghostwriter

In the past several days, we’ve seen increased targeting of people in Ukraine, including Ukrainian military and public figures by Ghostwriter, a threat actor that has been tracked for some time by the security community.

Ghostwriter typically targets people through email compromise and then uses that to gain access to their social media accounts and post disinformation as if it’s coming from the legitimate account owners. We detected attempts to target people on Facebook to post YouTube videos portraying Ukrainian troops as weak and surrendering to Russia, including one video claiming to show Ukrainian soldiers coming out of a forest while flying a white flag of surrender. We’ve taken steps to secure accounts that we believe were targeted by this threat actor and, when we can, to alert the users that they had been targeted. We also blocked phishing domains these hackers used to try to trick people in Ukraine into compromising their online accounts.

Account Security

We’re recommending that people in Ukraine and Russia take steps to strengthen the security of their online accounts to protect themselves from being targeted by threat actors.

We encourage people to use caution when accepting friend requests and opening links and files from people they don’t know. Please refrain from reusing the same passwords across different services to prevent malicious hackers from gaining access to your information. We also strongly recommend using two-factor authentication on all online accounts.

Earlier this week, we rolled out additional privacy and security protections in Ukraine. We’re now adding them in Russia as well, in response to public reports of targeting of civil society and protesters.

Lock Your Profile: This tool allows people to lock their Facebook profile in one step. When someone’s profile is locked, people who aren’t their friends can’t download, enlarge or share their profile photo, nor can they see posts or other photos on someone’s profile, regardless of when they posted it. Our teams are working with civil society organizations to help ensure people know these tools are available.

Friends Lists: We’re temporarily removing the ability to view and search the friends lists of Facebook accounts to help protect people from being targeted.

Instagram Privacy and Security Reminders: On Instagram, we’re sending everyone in Russia a notification at the top of feed about privacy and account security. For public accounts, we are reminding people to check their settings in case they want to make their accounts private. When someone makes their account private, any new followers will need to be approved, and only their followers will be able to see their posts and stories. For people who already have private accounts, we’re sharing tips on how to keep their account secure through strong passwords and two-factor authentication.

We continue to add measures to help protect people’s privacy and security and will share these updates publicly. Read more about Meta’s ongoing efforts regarding Russia’s invasion of Ukraine.

Updates on Our Security Work in Ukraine

Facebook (FB)'s parent Meta said Monday it has caught dozens of fake, pro-Russian accounts, groups and pages across its platforms trying to spread anti-Ukrainian propaganda as the war in Ukraine continues to rage.

Meta's takedown of the influence campaign also coincided with what company officials described as a separate, intensified push by pro-Russian hackers to compromise the social media accounts of Ukrainian journalists, military leaders and government officials. The hacking campaign, attributed to an actor security researchers have nicknamed "Ghostwriter," appears to have succeeded with at least some Facebook accounts, Meta said.

Both initiatives underscore how groups supporting Russia's invasion of Ukraine have attempted to win the information war playing out online, not just on Facebook but on an array of social media platforms and websites.

Over the weekend, Meta said, the company became aware of roughly 40 accounts, groups and pages masquerading as real people. To pull off the deception, the disinformation agents used AI-generated profile pictures and claimed to be writing from Kyiv, according to the company.

One of the fictitious accounts pretended to be an aviation engineer; others claimed to be news editors or scientific authors, Meta said. The accounts published content on Facebook, Instagram and across the wider internet discrediting Ukraine as a failed state, among other claims, Meta said.

The company added that the influence campaign appears to be linked to another campaign Facebook disrupted in 2020. At the time, Facebook's investigation tied the earlier influence operation to people in Russia, as well as NewsFront and SouthFront, two Crimea-based alleged disinformation sites that have since been sanctioned by the US government.

Nathaniel Gleicher, Meta's head of security policy, declined to elaborate on the nature of the links, and also repeatedly declined to tell reporters how widely the more recent campaign's content may have been shared, viewed or engaged with on Meta's platforms.

But he described the campaign as "relatively small," with fewer than 4,000 Facebook followers and fewer than 500 followers on Instagram. And he added that Meta was able to disrupt the network before it could amass a large audience.

Thus far, Meta has not found any evidence of pro-Ukrainian fake activity on its platform but the company would announce if it did, Gleicher told CNN.

"Why we share these operations is to make sure that people understand and can see what's happening on all sides of any conflict," Gleicher said. "What we're seeing here is activity from actors who, from the content they're sharing and the behavior they're engaged in, appears aligned more in undermining trust of the Ukrainian government and boosting the activities of Russian actors."

Meanwhile, the campaign to hack into the social media accounts of Ukrainians has targeted "a handful" of victims, Gleicher said, adding that the effort had gone after at least one journalist and multiple Ukrainian military and government officials. Meta has notified its users who were targeted by Ghostwriter, Gleicher said.

After successfully taking control of a person's social media account, Ghostwriter will attempt to post pro-Ukrainian content, said David Agranovich, Meta's director of threat disruption. In one example, he said, a hijacked account was witnessed sharing a link to a YouTube video that purported to show Ukrainian troops surrendering. (Asked whether the video appeared to be authentic, Agranovich said he could not speculate on the YouTube content.)

The Ghostwriter campaign works by compromising a victim's email accounts — often through the use of targeted phishing attacks — and then uses that access to gain entry to the person's social media accounts.

Ghostwriter has been active since at least 2016, has targeted victims across Europe and has links to Belarus, according to the cybersecurity firm Mandiant. Last fall, the European Union claimed that Ghostwriter was linked to the Russian government.

But since the Russian invasion, Agranovich said, "we've seen a pivot in Ghostwriter's focus to, in particular, people in Ukraine."

Separately, Gleicher added, Meta is increasingly ramping up user security protections in Russia as protesters opposing the invasion have continued to organize on the company's platforms. For example, Meta will soon be rolling out a tool in Russia that it has already deployed in Ukraine allowing users to quickly "lock" their profiles, restricting access to a person's content. In addition, Meta will also be placing a notification at the top of Russian users' feeds reminding them about steps they can take to secure their accounts.

Meta says it's shut down a pro-Russian disinformation network, warns of a social media hacking operation

The hacking group linked to the Belarusian government is known for breaking into real news sites to plant fake stories.

Facebook says it has cracked down on a shadow hacking group that’s been ramping up its efforts to hack Ukrainian military officials and a number of other targets as Kyiv fends off a Russian invasion.

In an announcement early Monday morning, security officials at Meta, Facebook’s parent company, said they’ve “seen increased targeting” of Ukrainian social media users by a hacking group that researchers refer to as “Ghostwriter.” After uncovering a group of phishing websites used by the group, Meta says it blocked the domains across its social media platforms in order to protect users.

The cybersecurity firm Mandiant first identified Ghostwriter in 2020 and late last year linked its hacking sprees to the Belarusian government. Since March 2017, Ghostwriter operatives have broken into legitimate news websites to plant fake stories with conspiracy theories about NATO and COVID-19. Hackers from the group have also impersonated prominent political figures, military officials, and journalists in an attempt to spread the fake stories via email.

Separately, Meta officials say they removed a “small” troll network of 40 accounts “operated from Russia and Ukraine” that the company found targeting Ukrainian audiences with disinformation about Ukraine.

The sock puppet accounts used AI-generated avatars and pretended to be “news editors, a former aviation engineer,” and a scientist working on hydrography operating fake news sites and accounts across Facebook, Telegram, YouTube, VK, and other social media platforms. The network they belonged to leveraged fake news outlets to publish stories that hyped talking points about “the West betraying Ukraine and Ukraine being a failed state” and similar narratives, according to Meta.

Since Russia’s invasion of Ukraine began, Meta has rolled out a series of new security features for users in Ukraine that allow accounts to quickly lock down their privacy settings and prevent others from viewing their avatars and posts. On Monday, the company said it would also begin rolling out the features to users in Russia, where the government has been cracking down on Russians’ ability to access the social media platform.

Facebook Blocks ‘Ghostwriter’ Hackers Targeting Ukraine’s Army

Meta Platforms (FB.O) said a hacking group used Facebook to target a handful of public figures in Ukraine, including prominent military officials, politicians and a journalist, amid Russia's ongoing invasion of the country.

Meta said in the last 48 hours it had also separately removed a network of about 40 fake accounts, groups and pages across Facebook and Instagram that operated from Russia and Ukraine targeting people in Ukraine, for violating its rules against coordinated inauthentic behavior.

A Twitter spokesperson said it had also suspended more than a dozen accounts and blocked the sharing of several links for violating its rules against platform manipulation and spam. It said its ongoing investigation indicated the accounts originated in Russia and were attempting to disrupt the public conversation around the conflict in Ukraine.

In a blog post on Monday, Meta attributed the hacking efforts to a group known as Ghostwriter, which it said successfully gained access to the targets' social media accounts. Meta said the hackers attempted to post YouTube videos from the accounts portraying Ukrainian troops as weakened, including one video which claimed to show Ukrainian soldiers coming out of a forest and flying a white flag of surrender.

Ukrainian cybersecurity officials said on Friday that hackers from neighboring Belarus were targeting the private email addresses of Ukrainian military personnel "and related individuals," blaming a group code-named "UNC1151." The U.S. cybersecurity firm FireEye has previously connected the group with Ghostwriter activities.

Meta's security team said it had taken steps to secure targeted accounts and had blocked the phishing domains used by the hackers. It declined to give the names of any of the targets but said it had alerted users where possible.

Meta said the separate influence campaign, which used a number of fictitious personas, claimed to be based in Kyiv and ran a small number of websites masquerading as independent news outlets. These outlets published claims about the West betraying Ukraine and Ukraine being a failed state.

The company said it had found links between this influence network and an operation it removed in April 2020, which it had connected to individuals in Russia, the Donbass region in Ukraine and two media outlets based in Crimea - NewsFront and SouthFront, which are now sanctioned by the U.S. government. Neither NewsFront or SouthFront immediately responded to requests for comment.

Meta declined to give a number of impressions or views for the influence campaign's content but said it had seen a "very low level" of shares, posts or reactions. It said the campaign had fewer than 4,000 Facebook accounts following one of more of its pages and fewer than 500 accounts following one or more of its Instagram accounts. It did not say how long the campaigns had been active on its platforms.

It said the campaign had also used Alphabet Inc's (GOOGL.O) YouTube, Telegram and Russian social media sites Odnoklassniki and VK. YouTube, Telegram and VK (VKCOq.L) , which also owns Odnoklassniki, did not immediately respond to requests for comment.

The crisis in Ukraine has seen escalating clashes between Moscow and major tech companies. On Friday, Russia said it would partially restrict access to Facebook, a move Meta said came after it refused a government request to stop the independent fact-checking of several Russian state media outlets. On Saturday, Twitter also said its service was being restricted for some Russian users.

Ukraine's health ministry said on Sunday that more than 300 children, had been killed since the beginning of the invasion.

Russia calls its actions in Ukraine a "special operation."

Ukraine has been buffeted by digital intrusions and denial-of-service actions both in the run-up to and during the Russian invasion. Several big tech companies have announced measures to bolster the security and privacy of their users in the country.

Meta, which has in recent days made changes like removing the ability to view and search the friends lists of Facebook accounts in Ukraine, said on Monday it was also making this change in Russia in response to public reports of civil society and protesters being targeted.

Facebook-owner Meta says Ukraine's military, politicians targeted in hacking campaign