We’re sharing our pilot quarterly adversarial threat report that provides a broad view into the risks we see worldwide and across multiple policy violations. In many of these cases, threat actors targeted multiple platforms, including Facebook, Instagram, Youtube, Twitter, LinkedIn, Telegram, VK and OK, in addition to running their own websites and compromising legitimate sites. We shared our latest findings with our peers at tech companies, security researchers, governments and law enforcement. We’re also alerting the people who we believe were targeted by these campaigns, when possible.

Our public security reporting began over four years ago when we first shared our findings about coordinated inauthentic behavior (CIB) by the Russian Internet Research Agency. Since then, global threats have significantly evolved, and we have expanded our ability to respond to a wider range of adversarial behaviors. To provide a more comprehensive view into the risks we see, we’re now expanding our regular reporting to include cyber espionage, inauthentic behavior and other emerging harms in one place, as part of the quarterly reporting we’re testing. We’re also sharing threat indicators at the end of our report to contribute to the efforts by the security community to detect and counter malicious activity elsewhere on the internet. We welcome ideas from the security community to help us make these reports more informative, and we’ll adjust as we learn from feedback.

Summary of Our Findings

• In Iran, we took action against two cyber espionage operations. The first network was linked to a group of hackers known in the security industry as UNC788. The second was a separate, previously unreported group that targeted industries like energy, telecommunications, maritime logistics, information technology, and others.
• In Azerbaijan, we removed a hybrid network operated by the Ministry of Internal Affairs that combined cyber espionage with CIB to target civil society in Azerbaijan by compromising accounts and websites to post on their behalf.
• We’re also sharing an update on our enforcements in Ukraine, including attempts by previously disrupted state and non-state actors to come back on the platform, in addition to spam networks using deceptive tactics to monetize public attention to the ongoing war.
• Under our Inauthentic Behavior policy against mass reporting, we removed a network in Russia for abusing our reporting tools to repeatedly report people in Ukraine and in Russia for fictitious policy violations of Facebook policies in an attempt to silence them.
• In South America, we removed CIB operations from Brazil and Costa Rica and El Salvador. The Brazilian network is the first operation we’ve disrupted that primarily focused on environmental issues.
• In the Philippines, as part of disrupting new and emerging threats, we removed a coordinated violating network that claimed credit for bringing websites down and defacing them, including those of news entities. Under our Inauthentic Behavior (IB) policies, we also took down tens of thousands of accounts, Pages and Groups around the world for inauthentically inflating the distribution of their content and abusive audience building, including in the Philippines. Our report provides insights into how spammers leverage IB strategies to monetize people’s attention to the upcoming election in the Philippines and the measures we took to stop them.

See the full Adversarial Threat Report for more information.