Russia (still) trying to weaponize Facebook for spying, Ukraine-war disinfo
Plus: More financially motivated miscreants try to monetize invasion
Facebook is fighting a surge in cyber-espionage attempts and misinformation campaigns related to the Russian invasion of Ukraine, according to a new report by parent group Meta.
Since the start of the war, Meta security teams have been busy disrupting threats and taking down fake news and accounts on its social media platforms, according to the company's quarterly adversarial threat report.
This includes Kremlin-backed operations looking to spy on and influence specific Ukrainian industries, including defense, energy, and telecoms, as well as journalists and activists in Ukraine, Russia and abroad.
In one example, Meta says it removed fake-news posts linked to the Belarusian KGB. On February 24, when Russia began its "special military operation" against the neighboring state, this account began posting misinformation in Polish and English about Ukrainian troops surrendering without a fight and the nation's leaders fleeing the country.
Additionally, the social media giant tracked a growing number of misdeeds from the Ghostwriter criminal group since the war began. This gang, which threat intel firm Mandiant has linked to Belarus and/or Russia, typically starts with email compromise, and then uses that to gain access to social media accounts.
In a February 27 security update, Meta documented increased targeting of Ukrainians, including military and public figures, by Ghostwriter. This included an attempt to trick people on Facebook into posting a fake YouTube video purporting to show Ukrainian soldiers emerging from a forest waving white flags.
Since then, Ghostwriter has tried to hack into "dozens" of Ukrainian military personnel's Facebook accounts, according to Meta's new threat report. "In a handful of cases, they posted videos calling on the Army to surrender as if these posts were coming from the legitimate account owners," it said. "We blocked these videos from being shared."
Additionally, Meta shut down further attempts by the Russian Internet Research Agency (IRA), posing as a civil rights NGO, to create Facebook accounts. Back in December 2020, Facebook removed individuals associated with the IRA from the platform. The network tried unsuccessfully to create new accounts in late 2021 and January 2022, Meta reports.
Since the Russian invasion, the group's website has posted fake news articles blaming Russia's attack on NATO and the West, Meta reported.
More financially motivated miscreants
In addition to the state-sponsored attempts at espionage and spreading misinformation about the war in Ukraine, Meta also noted an uptick in cybercriminals using the crisis to scam Facebook users for their own monetary gain.
This isn't unusual. Miscreants are always quick to turn natural and man-made disasters into money-making opportunities. Still, the sheer number of scammers using others' misfortune for personal profit is shocking.
Since the war began, Meta claims it removed "tens of thousands" of accounts, pages and groups that used both automated and manual systems. "We've seen spammers from around the world use inauthentic behavior tactics including streaming live-gaming videos and reposting popular content including other people's videos from Ukraine as a way to pose as sharing live updates," according to the threat report.
Some of the lowlifes repeatedly switched names to trick others into following them in attempts to make money by either selling merch on the social media platforms, or sending traffic to off-platform websites.
Additionally, Meta shut down "multiple clusters of long-abandoned compromised accounts" that are now operating out of Russia. "Many of them shared identical pro-separatist videos and amplified accounts in their own clusters, likely as part of paid inauthentic engagement," the report noted. ®