Long in the business of discovering and fending off hacking attempts and all sorts of malware, security companies have expanded their focus to the disinformation campaigns that have plagued Facebook and other social media for the past few years.

SAN FRANCISCO — FireEye, a cybersecurity company that has been involved in a number of prominent investigations, including the 2016 attack on the Democratic National Committee, alerted Facebook in July that it had a problem.

Security analysts at the company noticed a cluster of inauthentic accounts and pages on Facebook that were sharing content from a site called Liberty Front Press. It looked like a news site, but most of its content was stolen from outlets like Politico and CNN. The small amount of original material was written in choppy English.

FireEye’s tip eventually led Facebook to remove 652 fake accounts and pages. And Liberty Front Press, the common thread among much of that sham activity, was linked to state media in Iran, Facebook said Tuesday.

Facebook’s latest purge of disinformation from its platforms highlighted the key role that cybersecurity outfits are playing in policing the pages of giant social-media platforms. For all of their wealth and staff, companies like Facebook often rely on outside firms and researchers for their expertise.

The discovery of the disinformation campaign also represented a shift in the bad behavior that independent security companies are on the lookout for. Long in the business of discovering and fending off hacking attempts and all sorts of malware, security companies have expanded their focus to the disinformation campaigns that have plagued Facebook and other social media for the past few years.

Founded in 2004 in Milpitas, California, FireEye has a workforce of about 3,000 people, a fraction of Facebook’s. But it employs security analysts with particular skills, including employees who are fluent in English, Arabic, Russian, French and Italian, helping them to identify and track misinformation around the world.

Lee Foster, manager of FireEye’s information-operations-analysis team, described in an interview with The New York Times how his company spotted the Iranian disinformation campaign. He declined to say whether his research was on behalf of a particular client because FireEye has a policy against naming who it is working with.

“It started with a single social-media account or a small set of accounts that were pushing this political-themed content that didn’t necessarily seem in line with the personas that the accounts had adopted,” said Foster. Many of the fake accounts, which sprawled across Facebook, Instagram, Twitter and Reddit, shared content from Liberty Front Press.

Over two months, Foster and a small group of analysts mapped the connections between the accounts and unearthed more of them.

The evidence pointed toward Iran. A website for Liberty Front Press was initially registered to an email linked to ads for web designers in Tehran before being switched to a registrant purportedly based in San Jose, California.

The web-designer email had also been used to register another news site. That site, in turn, was associated with a number of email addresses linked to even more inauthentic news sites. Digging deeper, FireEye found that many of the Twitter accounts sharing Liberty Front Press content were linked to Iranian phone numbers, although the profiles claimed to be operating in the U.S.

Stepping from fake news site to news site and from Twitter to Facebook, FireEye pieced together a campaign that tried to influence audiences in the Middle East, as well as in the United States, Britain and Latin America.
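The registrant-email pivoting described above can be sketched in a few lines. This is an added example, not FireEye's tooling or data: the domains, email addresses and the `pivot` function are all constructed for illustration, and the records stand in for current and historical WHOIS data.

```python
from collections import deque

# Constructed sample data: (domain, registrant email) pairs as they might
# appear in current and historical WHOIS records. All values are invented.
REGISTRATIONS = [
    ("seed-news.example", "designer@mail.example"),
    ("seed-news.example", "sanjose-registrant@mail.example"),
    ("second-news.example", "designer@mail.example"),
    ("second-news.example", "editor1@mail.example"),
    ("second-news.example", "editor2@mail.example"),
    ("third-news.example", "editor1@mail.example"),
    ("fourth-news.example", "editor2@mail.example"),
    ("unrelated-blog.example", "someone-else@mail.example"),
]


def pivot(seed_domain, registrations):
    """Breadth-first pivot from a seed domain across shared registrant emails.

    Returns {domain: path}, where path is the alternating list of domains and
    emails that links the seed to that domain.
    """
    by_domain, by_email = {}, {}
    for domain, email in registrations:
        by_domain.setdefault(domain, set()).add(email)
        by_email.setdefault(email, set()).add(domain)

    paths = {seed_domain: [seed_domain]}
    queue = deque([seed_domain])
    while queue:
        domain = queue.popleft()
        for email in sorted(by_domain.get(domain, ())):
            for linked in sorted(by_email[email]):
                if linked not in paths:
                    # Record how we got here so each link can be reviewed.
                    paths[linked] = paths[domain] + [email, linked]
                    queue.append(linked)
    return paths


if __name__ == "__main__":
    for domain, path in pivot("seed-news.example", REGISTRATIONS).items():
        print(f"{domain}: {' -> '.join(path)}")
```

Keeping the full path for each domain matters because an address shared by a privacy proxy or a reseller would link unrelated sites, so every hop needs an analyst's review before it is treated as evidence.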

The analysts were careful to collect data without being noticed. “I have to be conscious about tipping off the operators of this,” Foster said. “I want to make sure I’ve got everything, so we don’t deal with one small component of the threat and we find out there’s this whole other cluster of it.”

Iran’s cyber-capabilities have grown in recent years and Iranian hackers have been blamed for a number of significant attacks. Earlier this year, federal law-enforcement officials said nine Iranians were behind intrusions at U.S. government agencies, universities and companies.

Attributing attacks to Iran has been tricky. Security experts who have studied Iranian hackers said many take part in attacks, or disinformation campaigns, while they are still in college. They are often recruited for government work, but may also float in and out of government-backed contracts.

Those loose affiliations make it difficult to pinpoint which attacks are directed by Iranian authorities.

FireEye’s information set off Facebook’s own investigation, which uncovered three other Iranian disinformation efforts and another that appeared to originate in Russia.

One of the Iranian campaigns Facebook discovered dabbled in a mix of misinformation and more traditional hacking, Facebook’s head of cybersecurity policy, Nathaniel Gleicher, wrote in a blog post.

“They typically posed as news organizations and didn’t reveal their true identity,” he said. “They also engaged in traditional cybersecurity attacks, including attempts to hack people’s accounts and spread malware, which we had seen before and disrupted.”

The Russian pages discovered by Facebook were unrelated to FireEye’s research. Facebook said the accounts were linked to people that law enforcement in the United States had identified as Russian military intelligence. Unlike other fake pages that have been attributed to Russians over the last year, those accounts posted content focused on politics in Syria and Ukraine.

An attack on Sony’s computer network by North Korean hackers in 2014 put cybersecurity companies on notice that they had to pay more attention to information warfare. The Sony intrusion was destructive to technical systems, “but there was more to it than that,” Foster said. “It was about conveying a message and trying to influence an audience.”

In time, “we realized there was a bigger kind of potential threat there that we need to address,” he added.

The Sony attack was also a game changer for governments and other major companies, said Graham Brookie, director of the Digital Forensic Research Lab at the Atlantic Council, which has analyzed misinformation on Facebook. Thousands of embarrassing emails between Sony executives were dumped online. The hackers also stole employees’ personal information and wiped Sony’s servers.

The incident prompted officials in the United States to establish protocols for sharing information about cybersecurity threats and influence operations, Brookie said.

As internet outlets struggle to keep up with influence campaigns, Foster believes complex disinformation schemes will become more common.

“What this is great for demonstrating is, it really doesn’t matter what the political goals or ideological goals are, these techniques are seen as an attractive way to try to achieve them,” Foster said.