Hacking group posted fake Ukrainian surrender messages, says Meta in new report

Illustration by Alex Castro / The Verge

According to a new security report from Meta, a group of people from the former Yugoslavia tried to compromise the Facebook accounts of Ukrainian military personnel and posted videos calling on the Ukrainian army to surrender.

The hacking campaign was carried out by a group known as UNC1151 which has been linked to the Belarusian government. A February security update from Meta flagged activity from the Ghostwriter operation, but since that update, the company said that the group had attempted to compromise more accounts.

Meta said that it had blocked the videos from being shared further because they appeared to come from the compromised accounts.

The fake surrender messages have already been spread by hackers who planted false reports of a Ukrainian surrender into the chyrons of live broadcast news. The purpose of such statements is thought to be to erode Ukrainians' trust in the media.

The details of the latest Ghostwriter hacks were published in the first part of Meta's quarterly Adversarial Threat Report, a new offering from the company that builds on a similar report from December 2021. Meta has previously published regular reports on coordinated inauthentic behavior on the platform, but the scope of the new threat report is wider and includes espionage operations and other emerging threats.

The latest report details a range of other actions conducted by pro-Russian threat actors, including covert influence campaigns against a variety of Ukrainian targets. Meta claims that a group linked to the Belarusian KGB tried to organize a protest against the Polish government in Warsaw, but the event and the account that created it were quickly taken offline.

The most dramatic details of the report are foreign influence operations, but Meta says it has also seen an increase in influence campaigns against their own citizens. In a conference call with reporters Wednesday, Facebook's president for global affairs said that attacks on internet freedom had intensified.

More than half of the operations we disrupted in the first three years were domestic.

The authoritarian regimes looked to control access to information by pushing propaganda through state-run media and influence campaigns, and by trying to shut down the flow of credible alternative sources of information.

The latter approach has been used to restrict information about the Ukraine conflict, with the company removing a network of around 200 Russian-operated accounts that engaged in coordinated reporting of other users for fictitious violations.

The threats outlined in the report showed why we need to protect the open internet, not just against authoritarian regimes, but also against the lack of clear rules.