How FireEye Helped Facebook Spot a Disinformation Campaign

SAN FRANCISCO — FireEye, a cybersecurity company that has been involved in a number of prominent investigations, including the 2016 attack on the Democratic National Committee, alerted Facebook in July that it had a problem.

Security analysts at the company noticed a cluster of inauthentic accounts and pages on Facebook that were sharing content from a site called Liberty Front Press. It looked like a news site, but most of its content was stolen from outlets like Politico and CNN. The small amount of original material was written in choppy English.

FireEye’s tip eventually led Facebook to remove 652 fake accounts and pages. And Liberty Front Press, the common thread among much of that sham activity, was linked to state media in Iran, Facebook said on Tuesday.

Facebook’s latest purge of disinformation from its platforms highlighted the key role that cybersecurity outfits are playing in policing the pages of giant social media platforms. For all of their wealth and well-staffed security teams, companies like Facebook often rely on outside firms and researchers for their expertise.

The discovery of the disinformation campaign also represented a shift in the bad behavior that independent security companies are on the lookout for. Long in the business of discovering and fending off hacking attempts and all sorts of malware, security companies have expanded their focus to the disinformation campaigns that have plagued Facebook and other social media for the past few years.

Founded in 2004 in Milpitas, Calif., FireEye has a work force of about 3,000 people, a fraction of Facebook’s. But it employs security analysts with particular skills, including employees who are fluent in English, Arabic, Russian, French and Italian, helping them to identify and track misinformation around the world.

Lee Foster, the manager of FireEye’s information operations analysis team, described in an interview with The New York Times how his company spotted the Iranian disinformation campaign. He declined to say whether his research into the Iranian campaign was on behalf of a particular client because FireEye has a policy against naming who it is working with.

“It started with a single social media account or a small set of accounts that were pushing this political-themed content that didn’t necessarily seem in line with the personas that the accounts had adopted,” said Mr. Foster. Many of the fake accounts, which sprawled across Facebook, Instagram, Twitter and Reddit, shared content from Liberty Front Press.

Over two months, Mr. Foster and a small group of analysts mapped the connections between the accounts and unearthed more of them.

The evidence pointed toward Iran. A website for Liberty Front Press was initially registered to an email linked to ads for web designers in Tehran before being switched to a registrant purportedly based in San Jose, Calif.

The web designer email had also been used to register another news site. That site, in turn, was associated with a number of email addresses linked to even more inauthentic news sites. Digging deeper, FireEye found that many of the Twitter accounts sharing Liberty Front Press content were linked to Iranian phone numbers, although the profiles claimed to be operating in the United States.

Stepping from fake news site to news site and from Twitter to Facebook, FireEye pieced together a campaign that tried to influence audiences in the Middle East, as well as in the United States, Britain and Latin America.

The analysts were careful to collect data without being noticed. “I have to be conscious about tipping off the operators of this,” Mr. Foster said. “I want to make sure I’ve got everything, so we don’t deal with one small component of the threat and we find out there’s this whole other cluster of it.”

Iran’s cyber capabilities have grown in recent years and Iranian hackers have been blamed for a number of significant attacks. Earlier this year, federal law enforcement officials said nine Iranians were behind intrusions at American government agencies, universities and private companies.

Attributing attacks to Iran has been tricky. Security experts who have studied Iranian hackers said many take part in attacks, or disinformation campaigns, while they are still in college. They are often recruited for government work, but may also float in and out of government-backed contracts.

Those loose affiliations make it difficult to pinpoint which attacks are directed by Iranian authorities.

FireEye’s information set off Facebook’s own investigation, which uncovered three other Iranian disinformation efforts and another that appeared to originate in Russia.

One of the Iranian campaigns Facebook discovered dabbled in a mix of misinformation and more traditional hacking, Facebook’s head of cybersecurity policy, Nathaniel Gleicher, wrote in a blog post.

“They typically posed as news organizations and didn’t reveal their true identity,” he said. “They also engaged in traditional cybersecurity attacks, including attempts to hack people’s accounts and spread malware, which we had seen before and disrupted.”

The Russian pages discovered by Facebook were unrelated to FireEye’s research. Facebook said the accounts were linked to people that law enforcement in the United States had identified as Russian military intelligence. Unlike other fake pages that have been attributed to Russians over the last year, those accounts posted content focused on politics in Syria and Ukraine.

FireEye’s information operations analysis team was formed in 2016, when hacked emails from several political figures were beginning to appear on the site DCLeaks. “All through that period, we were tracking the Russian effort to influence U.S. elections,” Mr. Foster said. “Obviously, social media is a very important kind of medium by which these campaigns are undertaken.”

Mr. Foster had been tracking influence campaigns long before they became a major narrative in American politics. He previously worked at iSight Partners, a cyberintelligence firm acquired by FireEye in January 2016, where he tracked so-called hacktivist groups like Anonymous.

An attack on Sony’s computer network by North Korean hackers in 2014 put cybersecurity companies on notice that they had to pay more attention to information warfare. The Sony intrusion was destructive to technical systems, “but there was more to it than that,” Mr. Foster said. “It was about conveying a message and trying to influence an audience.”

In time, “we realized there was a bigger kind of potential threat there that we need to address,” he added.

The Sony attack was also a game changer for governments and other major companies, said Graham Brookie, the director of the Digital Forensic Research Lab at the Atlantic Council, which has analyzed misinformation on Facebook. Thousands of embarrassing emails between Sony executives were dumped online. The hackers also stole employees’ personal information, including Social Security numbers, and wiped Sony’s servers.

The incident prompted officials in the United States to establish protocols for sharing information about cybersecurity threats and influence operations, Mr. Brookie said.

But information sharing still seems to have its limits.

Unlike Facebook, Twitter did not receive advance notice from FireEye about the fake Twitter profiles the security company had uncovered. Several of them were still live Tuesday night, hours after Facebook’s announcement. Twitter has since suspended 284 accounts based on the information revealed by Facebook and FireEye, the company said in a tweet.

As internet outlets struggle to keep up with influence campaigns, Mr. Foster believes complex disinformation schemes will become more common.

“What this is great for demonstrating is, it really doesn’t matter what the political goals or ideological goals are, these techniques are seen as an attractive way to try to achieve them,” Mr. Foster said.