Information war

Facebook says Ukraine military accounts were hacked to post calls for surrender

Facebook said it blocked sharing of "videos calling on the Army to surrender."

Jon Brodkin
Ukrainian soldiers sit on an armored military vehicle in Sievierodonetsk on April 7, 2022, amid Russia's invasion of Ukraine. Credit: Getty Images | Fadel Senna

Facebook today reported an increase in attacks on accounts run by Ukraine military personnel. In some cases, attackers took over accounts and posted "videos calling on the Army to surrender," but Facebook said it blocked sharing of the videos.

Specifically, Facebook owner Meta's Q1 2022 Adversarial Threat Report said it has "seen a further spike in compromise attempts aimed at members of the Ukrainian military by Ghostwriter," a hacking campaign that "typically targets people through email compromise and then uses that to gain access to their social media accounts across the Internet." Ghostwriter has been linked to the Belarusian government.

"Since our last public update [on February 27], this group has attempted to hack into the Facebook accounts of dozens of Ukrainian military personnel," Meta wrote today. Ghostwriter successfully hacked into the accounts in "a handful of cases" in which "they posted videos calling on the Army to surrender as if these posts were coming from the legitimate account owners. We blocked these videos from being shared."

Ghostwriter links to Belarus government

In its February 27 update, Meta said it detected Ghostwriter's "attempts to target people on Facebook to post YouTube videos portraying Ukrainian troops as weak and surrendering to Russia, including one video claiming to show Ukrainian soldiers coming out of a forest while flying a white flag of surrender." Meta said it had "taken steps to secure accounts that we believe were targeted by this threat actor" and "blocked phishing domains these hackers used to try to trick people in Ukraine into compromising their online accounts." But Ghostwriter continued its operations and hacked into accounts of Ukrainian military personnel, as previously mentioned.

The Ghostwriter name was first used by security firm Mandiant to describe an influence campaign that "promotes narratives critical of the North Atlantic Treaty Organization's (NATO) presence in Eastern Europe." Mandiant says the Ghostwriter campaign is conducted at least partly by "UNC1151, a suspected state-sponsored cyber espionage actor that engages in credential harvesting and malware campaigns."

In November 2021, Mandiant said its research "assesses with high confidence that UNC1151 is linked to the Belarusian government... We cannot rule out Russian contributions to either UNC1151 or Ghostwriter. However, at this time, we have not uncovered direct evidence of such contributions." Belarus has close ties to the Russian government and has supported the invasion of Ukraine.

An Insikt Group report said that the "lack of technical evidence indicating Russian involvement... is very likely an intended component of the threat activity. We have found many overlaps in tactics, techniques, and procedures (TTPs) used by UNC1151 and Ghostwriter activity and Russian threat activity groups. Additionally, we note that false flags are prevalent among Russian military advanced persistent threat groups."

Russian accounts try to “silence” Ukrainians

Separately, Facebook recently removed a network of Russian accounts that were trying to silence Ukrainians by reporting "fictitious policy violations."

"Under our Inauthentic Behavior policy against mass reporting, we removed a network in Russia for abusing our reporting tools to repeatedly report people in Ukraine and in Russia for fictitious policy violations of Facebook policies in an attempt to silence them," Meta said today.

Providing more detail in its quarterly report, Meta said the removed network included 200 accounts operated from Russia. "The individuals behind it coordinated to falsely report people for various violations, including hate speech, bullying, and inauthenticity, in an attempt to have them and their posts removed from Facebook. The majority of these fictitious reports focused on people in Ukraine and Russia, but the network also reported users in Israel, the United States, and Poland," the report said.

The now-removed accounts "relied on fake, authentic, and duplicate accounts to submit hundreds—in some cases, thousands—of complaints against their targets through our abuse reporting tools." The group's activity increased in mid-February, before Russia's invasion of Ukraine.

"Likely in an effort to evade detection, the people behind this activity coordinated targeting of mass reporting in their cooking-themed Group, which had about 50 members when we took it down," the report said. Facebook said it found the network in an "internal investigation into suspected inauthentic behavior in the region," and that many of the accounts "were detected and disabled by our automated systems."

“Fictitious personas” generated by AI

Meta previously removed a smaller network of Russian Facebook and Instagram accounts that used similar tactics to target users in Ukraine.

"This network used fake accounts and operated fictitious personas and brands across the Internet—including on Facebook, Instagram, Twitter, YouTube, Telegram, Odnoklassniki, and VK—to appear more authentic in an apparent attempt to withstand scrutiny by platforms and researchers," today's quarterly report said. "These fictitious personas used profile pictures likely generated using artificial intelligence techniques like generative adversarial networks (GAN). We took down this operation, blocked their domains from being shared on our platform, and shared information with other tech platforms, researchers, and governments."

Meta's quarterly report said it also disrupted a group "linked to the Belarusian KGB who suddenly began posting in Polish and English about Ukrainian troops surrendering without a fight and the nation's leaders fleeing the country on February 24, the day Russia began the war."

Additionally, Facebook said it "detected and took down an attempt to come back by a network we removed in December 2020 and linked to individuals associated with past activity by the Russian Internet Research Agency (IRA)." Since Russia's invasion of Ukraine, this group's website—which poses as "an NGO focused on civil rights in the West"—has published "articles blam[ing] Russia's attack on NATO and the West and accused Ukrainian forces of targeting civilians," Facebook said.

Going forward, Meta is "reviewing additional steps to address misinformation and hoaxes coming from Russian government pages," President of Global Affairs Nick Clegg told reporters, according to Reuters.

Jon Brodkin Senior IT Reporter
Jon is a Senior IT Reporter for Ars Technica. He covers the telecom industry, Federal Communications Commission rulemakings, broadband consumer affairs, court cases, and government regulation of the tech industry.