Today we released our threat research into influence operations we disrupted. A few highlights:

1. Lookback on Russia’s IO since invasion of Ukraine began (both covert + overt)
2. Three new CIB takedowns in Bolivia, Cuba, and Serbia

First, we dive into the increase in RU-origin covert IO, which remained largely ineffective but increasingly relied on slapdash, unsophisticated techniques. In contrast, overt IO (eg from RU state media) declined significantly in popularity on platform after we took steps to limit their reach, per latest research from Graphika (http://graphika.com/lose-influence).

This new research shows that engagement with RU state media content on our services declined considerably (~80%) after we launched interventions to label content as state-controlled and to limit their reach on platform.

This shows what the impact of non-binary content moderation levers can be: our goal here is to make sure people have context about the origin of content they encounter before amplifying it. But it also raises important questions about when/how such levers should be applied.

It also follows on research from @BrookingsInst that found similar drops in engagement across RU SCME in LatAm after our interventions were applied https://www.brookings.edu/research/working-the-western-hemisphere/

Second, our report details three new CIB cases, all of which were linked in some way to governments/ruling parties and targeted people in each country.

We’ve called out this trend as particularly concerning: it combines the deceptive nature of IO with the powers of a state. And domestic ops (gov + non-gov) have been outpacing foreign ones. Of 200+ CIB operations we’ve disrupted since 2017, more than 2/3 are wholly or partially domestic.

Finally, we continue to see threat actors target multiple platforms. In this report, that included Facebook, Instagram, Telegram, Twitter, YouTube, TikTok, Spotify, Picta, and websites created by the threat actors posing as news outlets. This cross-platform behavior requires defenders across the industry to be alert to threats, to share information, and to take action where appropriate.

Some additional info on those CIB cases:

A short thread on two of the CIB operations in LatAm we detail in our new report today (https://about.fb.com/news/2023/02/metas-adversarial-threat-report-q4-2022/):
1. An operation linked to the current gov and the MAS party in Bolivia
2. A government-linked operation in Cuba

In Bolivia, we removed over 1600 accounts, Pages, and Groups for violating our policies against both coordinated inauthentic behavior and coordinated abusive reporting (aka mass reporting). This network originated in Bolivia and focused primarily on domestic audiences in that country.

Our internal investigation linked it to the current Bolivian government and Movimiento al Socialismo (MAS), including individuals claiming to be part of a group known as “Guerreros Digitales” (“digital warriors”). We banned this group from our services.

Like other operations we’ve disrupted in LatAm, the network was reported to be operating fake accounts from office buildings in Santa Cruz, Bolivia, and was active across many internet services, including Facebook, Instagram, Twitter, YouTube, TikTok, Spotify, Telegram, and their own websites.

This operation engaged in both coordinated inauthentic behavior and coordinated abusive reporting in support of the Bolivian government and to criticize and attempt to silence the opposition by submitting false reports to try to get them taken down.

In Cuba, we removed 900+ accounts, pages and groups for violating our policy against coordinated inauthentic behavior. This network originated in Cuba and primarily targeted domestic audiences in Cuba and also the Cuban diaspora abroad.

Our internal investigation linked the activity to the Cuban government, and the operation focused on promoting the govt and criticizing opposition in Cuba.

The operation pursued two main efforts across many platforms, including Facebook, Instagram, Telegram, Twitter, YouTube and Picta, a Cuban social network: (1) fake amplification and (2) fake personas and brands designed to deceive.

A few tactics that we’ve seen in other campaigns showed up here, including AI-generated profile photos and calls to report critics in hopes of getting their content taken down. Neither of these tactics appeared to be very effective.

Notably, after we removed this deceptive campaign, we saw them try aggressively to rebuild their operations. We expect threat actors to do this and we moved quickly to block these attempts. We saw the operation eventually shift elsewhere, including to Telegram.

After our initial takedown, they’ve had to spend their resources and effort trying to evade our enforcement rather than pursuing their goals, leaving them with little to show for their efforts. That is exactly what we want to see.

This is pretty cool - I can freely link to Instagram here! https://www.instagram.com/p/ClOsyVOJGO6/?igshid=YmMyMTA2M2Y=

(Photo of the reflection on Fallen Leaf Lake a few weeks ago after Tahoe’s first snowfall)

A quick example of why ADS-B is really important, from the perspective of someone who spends a lot of time in extremely busy, congested airspace, often doing unpredictable stuff.

Most smaller (non-airline) planes today use ADSB for traffic deconfliction, and it’s been a huge, affordable improvement for safety in congested airspace. I have a $50 Linux home built ADSB receiver I use with students, and it’s helped us avoid dangerous situations like this F-18 on a Bay Tour.

It's the end of the year, which means it's time to post a threat report (or three)! Our team just shared three reports based on our threat research into influence operations and cyber-espionage activity over the past year.

🫡 Lookback at 200+ CIB disruptions: https://about.fb.com/news/2022/12/metas-2022-coordinated-inauthentic-behavior-enforcements/

🕵️‍♂️ Surveillance-for-Hire investigations: https://about.fb.com/wp-content/uploads/2022/12/Threat-Report-on-the-Surveillance-for-Hire-Industry.pdf

👨‍⚖️ Policy recs to tackle the surveillance industry: https://about.fb.com/wp-content/uploads/2022/12/Meta-Policy-Recommendations-for-Tackling-the-Surveillance-for-Hire-Industry.pdf

First, these reports show how we’ve expanded the adversarial threat disruption model since 2017 to multiple threats: influence ops, cyber-espionage, surveillance, spam, scams, etc. We’ve now taken down more than 200 CIB networks globally - and fittingly, our first and 200th takedown were both info ops from Russia.

That said, our work to counter these threats is global - we’ve disrupted IO from 68 countries in more than 42 languages (cool map attached)

You can read about these cases in our new Security Center, which houses our investigative reports and deep dives into threat disruptions, in chronological order: https://transparency.fb.com/metasecurity/threat-reporting

Our surveillance-for-hire report focuses on new entities engaged in recon, engagement, or exploitation on behalf of clients around the world, building on our last year’s report. Key takeaway: this industry is much more than 1-2 firms, so requires a comprehensive society-wide response.

Claims these firms only target terrorists and criminals just don’t hold water. We continue to see indiscriminate targeting of journalists, dissidents, and businesses. We alerted people we believe were targeted, and provided specific steps to help protect their presence online (example of notifs also attached).

We’ve seen surveillance actors aggressively try to reconstitute and target people across the internet, highlighting the need for a more holistic response to constrain abusive behavior. To that end, we published recs for gov, civil society, and industry to tackle the problem. Link here: https://about.fb.com/wp-content/uploads/2022/12/Meta-Policy-Recommendations-for-Tackling-the-Surveillance-for-Hire-Industry.pdf

There are many important recommendations, so definitely read the paper, but three key ones I want to call out:

1. Demand for these tools invites abuse. Governments should restrict, or in some cases, ban, the sale of spyware and malware, and commit to not purchasing these capabilities. https://www.nytimes.com/2022/11/12/us/politics/fbi-pegasus-spyware-phones-nso.html

2. Impunity enables bad behavior. Governments and regulators should consider leveraging sanctions (incl. Magnitsky Act) to hold surveillance-for-hire companies accountable when they sell tools to indiscriminately target people https://www.wyden.senate.gov/imo/media/doc/Global%20Magnitsky%20Sanctions%20Letter%20to%20Sec.%20Yellen%20&%20Blinken.pdf

3. People often don’t know if they’ve been targeted and can't easily confirm suspicions. Govts should create accountability reqs for surveillance-for-hire companies, including notice to targeted individuals, and impose oversight to ensure compliance. https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/

Companies that indiscriminately sell surveillanceware democratize access to sophisticated hacking capabilities while obscuring the people behind their activity. This report, and collective effort from industry, gov, and civil society, can help shine a light on the darkness.