Meta said it disrupted a network of fake accounts targeting Ukrainians with espionage

Several Russian and Belarusian social media campaigns that targeted Ukrainians with espionage over the last two months have been disrupted by Meta, the company said Thursday in a new security report.

In its latest Adversarial Threat Report, the social media giant highlights several campaigns originating from government-linked groups in Russia and Belarus conducting cyber espionage operations directed at the Ukrainian telecom industry as well as the Ukrainian defense and energy sectors; tech platforms; and journalists and activists in Ukraine, Russia, and abroad.

The campaigns included an alleged effort by the Belarusian KGB to spread news in Polish and English about Ukrainian troops surrendering without a fight and the nation’s leaders fleeing the country. 

That same campaign apparatus was originally used to criticize the Polish government for its treatment of migrants from the Middle East on Facebook, but in March it shifted to organizing protests in Poland against the government.

“We removed a small network of 27 Facebook accounts, two Pages, three Groups, and four Instagram accounts for violating our policy against coordinated inauthentic behavior. This network operated from Russia and Ukraine and targeted primarily Ukraine,” Meta explained. 

“This network used fake accounts and operated fictitious personas and brands across the internet — including on Facebook, Instagram, Twitter, YouTube, Telegram, Odnoklassniki, and VK.”

The report notes that another network based in Saint Petersburg, Russia targeted Nigeria, Cameroon, Gambia, Zimbabwe and the Democratic Republic of the Congo with news critical of France’s influence across the African continent. 

Meta said it was able to tie the activity to the notorious Russian Internet Research Agency, an organization well-known for its role in interfering in the US presidential election in 2016

Meta added that it caught Russia-based accounts conducting mass reporting operations against anyone posting news about Russia’s invasion of Ukraine. 

Numerous campaigns

The report also highlighted a range of bot activity, espionage and coordinated attacks on Facebook and Instagram in a number of countries, including Azerbaijan, Brazil, Costa Rica, the Philippines, El Salvador and Iran. 

The social media giant said it disrupted a complex network in Azerbaijan that was involved in cyber espionage and other activity that violated their platforms’ rules. The campaigns targeted democracy activists, opposition, journalists, and government critics in Azerbaijan.


Meta said it tied a cyber espionage network to Azerbaijan's government. Image: Diego Delso

Meta was able to confirm that the activity is tied to the Azeri Ministry of Internal Affairs and ranged from phishing, social engineering, and hacking to coordinated inauthentic behavior.

“This operation targeted websites and the online accounts of democracy activists, opposition, and journalists in Azerbaijan in pursuit of what appears to be two goals: obtain personal information about the targets and promote particular narratives about them or on their behalf. They focused on news websites and a number of internet services, including Facebook, Twitter, LinkedIn, YouTube, and Russian VK and OK,” Meta explained. 

“This group operated across the internet, with over 70 websites and domains that they either ran themselves or compromised. They targeted sites in Azerbaijan and, to a lesser extent, Armenia; a small number of sites had Russian or Turkish domains. Once they compromised these websites, the group harvested databases containing usernames and passwords, likely to further compromise online accounts of their targets who might have reused the same credentials across the internet.” 

The group also used malware, hash-cracking tools and more to steal credentials. They even compromised the accounts of public figures and posed as members of Facebook’s security team as a way to steal information and credentials. 

Meta noted that it removed several accounts in Brazil that violated its “policy against coordinated inauthentic behavior” for attempting to promote news that criticized legitimate environmental NGOs who spoke out against deforestation in the Amazon.

Meta tied this activity to individuals associated with the Brazilian military. 

The social media company took similar action against bot activity in Costa Rica and El Salvador which centered around competing political candidates as well as one telecom company in Costa Rica. Meta tied this to a now-banned PR firm named Noelix Media.  

Similar activity was found in the Philippines, where Meta says it removed a network of more than 400 accounts accusing certain public figures of being Communists. 

Hackers in Iran were accused of targeting the Saudi military, dissidents and human rights activists from Israel and Iran, politicians in the US, and Iran-focused academics, activists and journalists around the world with a range of malicious activity. The threat actors were mostly attempting to steal credentials. 

The group, which they tagged as UNC788, used a previously unreported malware strain named HilalRAT to compromise Android devices through fake apps. 

Hacking groups from Iran were accused of targeting energy companies in Saudi Arabia, Canada, Italy, and Russia; the information technology industry in India and United Arab Emirates; the maritime logistics industry in UAE, Iceland, Norway, Saudi Arabia, US, Israel, and India; telecommunications companies in Saudi Arabia and UAE; and the semiconductor industry in Israel, US, and Germany.

The report also highlighted the increasingly common tactic of bot networks from other countries being used for campaigns in other countries. 

“For example, multiple Vietnam- and Bangladesh-based spam clusters posed as supporters of the Canadian Trucker Convoy to cash in on people’s interest in this protest. In one case, they created Groups for convoy supporters or Facebook Pages designed to look like they were providing updates on the convoy, and then posted links to e-commerce websites or links to third-party affiliate marketing sites,” Meta said. 

“In one case we investigated last quarter, a cluster of fake accounts created in Bangladesh appeared to have changed hands and been used as part of fake engagement efforts to comment on, like, and share content by the Page of a former US Senate candidate from Arizona.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.