Buried in a Washington Post story out Sunday night is a surprising new development: Facebook’s cybersecurity team told the FBI in June 2016 that it believed the Russian hacking team APT 28, also known as “Fancy Bear” and believed to be a proxy for the Russian state security service GRU, was active on the platform.
From the Post:
Soon thereafter, Facebook’s cyber experts found evidence that members of APT28 were setting up a series of shadowy accounts — including a persona known as Guccifer 2.0 and a Facebook page called DCLeaks — to promote stolen emails and other documents during the presidential race. Facebook officials once again contacted the FBI to share what they had seen.
As cybersecurity analyst Marcy Wheeler observes, this is quite an admission—anonymously sourced—from the company, which said in April that it wasn’t in a position to attribute the unusual activity to anybody in particular.
The company has consistently downplayed the effect of false information on its users and the significance of what now appear to be a great many dummy accounts on its platform run by Russian trolls.
“Facebook conducted research into overall civic engagement during this time on the platform, and determined that the reach of the content shared by false amplifiers was marginal compared to the overall volume of civic content shared during the US election,” the company’s threat analysts wrote in that April report.
At first, Facebook’s own review “did not find clear evidence of Russian disinformation or ad purchases by Russian-linked accounts,” the Post reported, but that public assessment changed radically on Sept. 6 when the company announced it had found $100,000 worth of advertisements purchased by the Internet Research Agency, a troll farm with Kremlin ties.
Yet according to the timeline laid out in the Post’s report, Facebook was concerned enough to raise the alarm to law enforcement in June 2016, just as the Russian disinformation campaign began in earnest. The first word that the federal government was investigating Russia’s influence in the campaign came in July 2016, a few weeks after Guccifer 2.0’s first post—in which he tries to claim sole credit for hacking the Democratic National Committee. Less than a week later, a Motherboard reporter who interviewed someone claiming to be Guccifer 2.0 appeared to be the first to suggest that the hacker might be Russian rather than Romanian, as he claimed.
Special counsel Robert Mueller’s team of investigators recently have focused more on Facebook itself, rather than on hyperpartisan “fake news.” That suggests Americans were unable to see how they were being manipulated on the platform, despite the tactics appearing obvious in hindsight: While a number of stories in the conservative news media were sourced to dumps of emails hacked by the Russians, the news outlets themselves weren’t exactly breaking with tradition by reporting that information in a disingenuous and credulous way. Russians didn’t make the American news ecosystem on social media so toxic—that was already true—they just used it to amplify stories that might serve their specific interests.
Fancy Bear, too, was hardly a secret. The Russian hacking collective had been a topic of much discussion among American cybersecurity researchers for more than a year before it breached the DNC. It made news among cybersecurity researchers in May 2015 for a brazen attempt to hack American banks. The group also breached the World Anti-Doping Agency and distributed strategically falsified information alongside information from that hack in August 2016.
But it’s safe to say that no one in the mainstream press immediately understood the primary role social networks like Facebook and Twitter would come to play in Fancy Bear’s operations. News organizations questioned the origins of emails stolen from the DNC, Democratic Congressional Campaign Committee, and Clinton campaign chairman John Podesta—as far as the public knew, those were primarily distributed through DCLeaks and Guccifer 2.0, both WordPress sites, and later by WikiLeaks—but until recently, personal social media accounts weren’t considered any more suspicious than the news articles they shared.
At the moment, it’s also unclear how much of the U.S. government’s investigation into Russian hacking attacks explored Facebook, and what it may have found. The FBI announced only that it had investigated “malicious cyber activity” in a brief joint report with the Department of Homeland Security issued in December 2016. The Joint Analysis Report (JAR) contains nary a mention of Facebook, although it does warn readers generally about suspicious social media interactions.
One could now read between the lines in Facebook’s April report and see the suggestion that the Russian government was directly stumping for Trump on Facebook, although the authors did not write the word “Russia” once in its pages. Months after the U.S. government formally accused the Kremlin of that malicious activity, Facebook defined “influence operations” as “Actions taken by governments or organized non-state actors to distort domestic or foreign political sentiment, most frequently to achieve a strategic and/or geopolitical outcome.” The title of the report is Influence Operations and Facebook.
It’s also now possible to read comments from people who might have known more about the attacks a little closer: James Clapper, the former director of national intelligence, suggested in January that disinformation masquerading as news had been a part of the Russian campaign on Facebook.
We know there appears to have been a concerted propaganda effort across at least $100,000 worth of Facebook advertisements, many of them promoted by accounts made with stolen user photos and some used to organize rallies on U.S. soil. The company’s CEO, Mark Zuckerberg, has come forward to say Facebook will try to make it “much harder” for foreign operators to interfere with the American political process. But the Post story raises another question: Who else knew about the unusual activity Facebook detected on its platform and when—and what did they do to try to stop it?