Facebook shut down Russian APT28 trolls before the 2016 U.S. election

The most interesting part of Mark Zuckerberg’s prepared testimony for Congress that was released today shows that Facebook has been fighting Russian election interference since before the 2016 U.S. presidential race. Facebook shut down accounts related to Russian GRU military intelligence-linked group APT28, also known as Fancy Bear, which had created an organization called DCLeaks run by fake personas to seed stolen information to journalists.

Wired detailed the methods of the “Advanced Persistent Threat 28” group in January 2017. APT28 uses zero-day exploits, malware-laden spearphishing emails, publicly known but unpatched vulnerabilities in computer systems and malicious iFrames embedded in hacked websites to steal people’s files. The group has been connected to attacks against NATO, French television station TV5Monde and the World Anti-Doping Agency.

The Washington Post reported in September 2017 that Facebook had detected the APT28 accounts in June 2016 and reported their activity to the FBI, but didn’t detail that Facebook had fought back directly by shutting down their accounts. Facebook had not previously confirmed this story.

Here’s Zuckerberg’s full explanation of the situation:

Elections have always been especially sensitive times for our security team, and the 2016 U.S. presidential election was no exception. Our security team has been aware of traditional Russian cyber threats — like hacking and malware — for years. Leading up to Election Day in November 2016, we detected and dealt with several threats with ties to Russia. This included activity by a group called APT28 that the U.S. government has publicly linked to Russian military intelligence services. But while our primary focus was on traditional threats, we also saw some new behavior in the summer of 2016 when APT28-related accounts, under the banner of DC Leaks, created fake personas that were used to seed stolen information to journalists. We shut these accounts down for violating our policies.

The Post reported that APT28 was known for stealing data and military plans from political targets, leading Facebook’s security team to assume it was planning traditional espionage rather than a more public-facing disinformation campaign to skew the election. But they did share their findings with the FBI. Later, when Facebook discovered APT28 had created the Guccifer 2.0 hacker persona and DCLeaks on Facebook to deliver stolen emails and documents to journalists, Facebook contacted the FBI again. Guccifer 2.0, who had claimed sole responsibility for providing hacked Democratic National Convention emails to WikiLeaks, has since been identified as a GRU operative.

Now Zuckerberg’s testimony indicates Facebook didn’t just hand off responsibility to the FBI, but worked to combat the trolls on its own.

This information could give Facebook and Zuckerberg a better defense as he’s questioned by the U.S. Senate Judiciary and Commerce committees Tuesday, then the U.S. House Energy and Commerce Committee on Wednesday. If Facebook can demonstrate that it wasn’t completely asleep at the wheel regarding election interference, it could get softer treatment than if Congress thinks it was caught completely off-guard.

You can see Zuckerberg’s full prepared testimony below:

Zuckerberg Statement to Congress by Jordan Crook on Scribd