Meta’s threat report highlights clumsy attempt to manipulate Ukraine discourse

Meta’s quarterly “Adversarial Threat Report” paints a somewhat depressing picture of the once feared global troll ecosystem: A number of outfits “relatively low in sophistication” attempting fruitlessly to spam their way to relevance. But just because they’re bad at their jobs doesn’t mean we can let our guard down.

Various forms of hackery and attempts to manipulate online conversation are characterized in the report, but it makes for sad reading. A handful of people in Greece, Pakistan or Russia in some dilapidated office working a 9-5 and getting dunked on by automated systems before they can cause any serious harm.

The common theme among most of the threats is impersonation, with malicious actors making fake accounts of real people or generating original ones using things like AI-powered content generation. Using networks of these accounts, often imitating attractive young women, they contact people across the globe and attempt to get them to follow links to malware or fake apps and services.

Needless to say, don’t trust any beautiful stranger you meet online — or anywhere, for that matter. But the tools they’re bringing to bear are frequently not state of the art, noted Meta’s security writers:

This threat actor is a good example of a global trend we’ve seen where low-sophistication groups choose to rely on openly available malicious tools, rather than invest in developing or buying sophisticated offensive capabilities.

There were also a few groups operating farms of a few hundred to a few thousand accounts that were engaging in mass reporting and brigading of content on Instagram, Facebook and other social media. These groups are usually ideologically driven, targeting various ethnicities, religious groups and political opponents. Some Greek extremists took it too far (as extremists are wont to do — it’s right there in the name) and ended up in a petard-hoist situation:

According to public reporting, individuals connected to this activity were linked to the kidnapping of a high school principal for enforcing COVID-19 checks. They brought him to the police to report him for breaching the constitution, which led to the arrest of the kidnappers.

A good reminder that online harassment frequently spills over into the real world. Being targeted by an angry internet mob is increasingly a threat to one’s safety.

The longest part of the Meta report goes into detail on “Cyber Front Z,” a Russian troll farm first reported by journalists in the country. They were attempting to put together an astroturfing campaign around the Russian invasion of Ukraine, but as the report puts it, “This deceptive operation was clumsy and largely ineffective.”

There were something like a thousand accounts, with 50,000 or so followers, and twice as many on a Telegram channel. Basically the plan was to request actual engagement from followers — “Let’s go shout down this activist” type stuff — then manufacture engagement using fake accounts, making it look as if there was a real grassroots effort happening.

Unfortunately for them the activity was quickly detected and taken down wherever possible. They didn’t seem to take much care in not appearing to be rabble rousers, sometimes posting opposite viewpoints in English and Russian within minutes. As with other farms, activity patterns indicated that those being paid to post on the organization’s behalf were likely just doing it as a side hustle. (This also helps explain the inexpert methodology.)

All of these networks posted to a fixed schedule with a clear working-day pattern, seven days a week, with a slow start in the morning and a surge toward the end of the day — possibly as the operators rushed to meet their posting quotas.

While this all sounds fairly non-threatening, even a bit pathetic, remember that these operations are the background noise of the security world, just like there are always a few real-life cons and scams going on in any city. That they are easily detected and shut down is good, but sophisticated groups are working on much more damaging things like large-scale breaches and more successful manipulation of public perception. That much we can see happening on the home front often enough.