How FireEye helped Facebook spot a disinformation campaign
SAN FRANCISCO — FireEye, a cybersecurity company that has been involved in a number of prominent investigations, including the 2016 attack on the Democratic National Committee, alerted Facebook in July that it had a problem.
Security analysts at the company noticed a cluster of inauthentic accounts and pages on Facebook that were sharing content from a site called Liberty Front Press. It looked like a news site, but most of its content was stolen from outlets like Politico and CNN. The small amount of original material was written in choppy English.
FireEye’s tip eventually led Facebook to remove 652 fake accounts and pages. And Liberty Front Press, the common thread among much of that sham activity, was linked to state media in Iran, Facebook said Tuesday.
Facebook’s latest purge of disinformation from its platforms highlighted the key role that cybersecurity outfits are playing in policing the pages of giant social-media platforms. For all of their wealth and staff, companies like Facebook often rely on outside firms and researchers for their expertise.
The discovery of the disinformation campaign also represented a shift in the bad behavior that independent security companies are on the lookout for. Long in the business of discovering and fending off hacking attempts and all sorts of malware, security companies have expanded their focus to the disinformation campaigns that have plagued Facebook and other social media for the past few years.
Founded in 2004 in Milpitas, California, FireEye has a workforce of about 3,000 people, a fraction of Facebook’s. But it employs security analysts with particular skills, including employees who are fluent in English, Arabic, Russian, French and Italian, helping them to identify and track misinformation around the world.
Lee Foster, manager of FireEye’s information-operations-analysis team, described in an interview with The New York Times how his company spotted the Iranian disinformation campaign. He declined to say whether his research was on behalf of a particular client because FireEye has a policy against naming who it is working with.
“It started with a single social-media account or a small set of accounts that were pushing this political-themed content that didn’t necessarily seem in line with the personas that the accounts had adopted,” said Foster. Many of the fake accounts, which sprawled across Facebook, Instagram, Twitter and Reddit, shared content from Liberty Front Press.
Over two months, Foster and a small group of analysts mapped the connections between the accounts and unearthed more of them.
The evidence pointed toward Iran. A website for Liberty Front Press was initially registered to an email linked to ads for web designers in Tehran before being switched to a registrant purportedly based in San Jose, California.
The web-designer email had also been used to register another news site. That site, in turn, was associated with a number of email addresses linked to even more inauthentic news sites. Digging deeper, FireEye found that many of the Twitter accounts sharing Liberty Front Press content were linked to Iranian phone numbers, although the profiles claimed to be operating in the U.S.
Stepping from fake news site to news site and from Twitter to Facebook, FireEye pieced together a campaign that tried to influence audiences in the Middle East, as well as in the United States, Britain and Latin America.