Facebook is moving swiftly to disrupt and remove nation-state backed attackers from its social media platform. It's all part of a renewed effort from the company to help restore confidence in its platform, ahead of the upcoming midterm elections in the United States.
On Oct. 26, Facebook announced that has removed 82 pages, groups and accounts for coordinated inauthentic behavior. According to Facebook, the actions originated in Iran and targeted individuals in the U.S. and the UK. In a call with press, Nathaniel Gleicher, Facebook's head of cyber-security policy, explained what happened and the processes that Facebook now has in place to rapidly respond to "inauthentic" behavior.
"Coordinated in authentic behavior is when people or organizations create networks of accounts to mislead others about who they all are [and] what they're doing and are prohibited on Facebook because we want people who use our services to be able to trust the connections they make here," Gleicher said.
Gleicher said Facebook's threat intelligence team first detected signs of the inauthentic activity at the end of the prior week. He noted that Facebook quickly launched an investigation, including manual reviews of the accounts. While the rogue activity was traced back to Iran, Gleicher said Facebook has found no ties to the Iranian government.
Gleicher said that in most cases, the page administrators and account owners attempted to hide their true identities by passing themselves as U.S. citizens, and in a few cases UK citizens.
"These accounts frequently posted about politically charged topics such as race relations, opposition to political leaders and immigration, and their activity was targeted at people using Facebook in the United States," he said.
Gleicher said 1 million accounts followed at least one of the removed pages and about 25,000 accounts joined at least one of these groups and more than 28,000 accounts followed at least one of the Instagram accounts. terms of advertising, Facebook found less than $100 in spending so far on Instagram and Facebook.
"Given that the U.S. midterm elections are a few weeks away, we took action as soon as we completed our initial investigation," he said.
Facebook has shared information with both U.S. and UK government officials, U.S. law enforcement, Congress and other technology companies, according to Gleicher.
"We continue to get better at finding and taking down these bad actors through a combination of machine learning and manual investigations," he said. "But we face smart, well-funded adversaries that will never give up and constantly change tactics."
The Iran account takedown is part of Facebook's improving efforts to limit interference in U.S. politics and why the company built a war room to help coordinate intelligence and response.
Gleicher said that one of Facebook's priorities is to make sure that as its government partners identify particular threats, they are able to quickly reach out to Facebook. The government partners include federal law enforcement, as well as state elections officials, the people who are on the ground and running polling places.
"As we lead into the final days before the midterms, our expectation is that they will be seeing challenges and that we have made sure that they can reach out to us and we can work with them quickly to identify those and respond. That's exactly why we have built the war room," he said.
While it would be ideal if unauthentic activity never occurred on Facebook, the reality is that it does. Inauthentic activity may well have played a role in past elections, but Facebook in 2018 has taken multiple steps to improve the security of its platform overall.
"We moved from detection to disruption in the course of a week, which was a really important milestone for us," Gleicher said. "We've been pushing to be able to identify and act much more quickly, and this was in an opportunity for us to do that."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.