\n<\/p>\n
As part of our regular updates on notable <\/span>threat disruption efforts<\/span><\/a>, we\u2019re sharing our findings into coordinated inauthentic behavior (CIB) targeting Moldova that we disrupted in early Q3 of this year, including threat indicators linked to this activity to contribute to the security community\u2019s efforts to detect and counter malicious activity across the internet.<\/span><\/p>\n As a reminder, we view CIB as coordinated efforts to manipulate public debate for a strategic goal, in which fake accounts are central to the operation. In each case, people coordinate with one another and use fake accounts to mislead others about who they are and what they are doing. When we investigate and remove these operations, we focus on behavior, not content \u2014 no matter who\u2019s behind them, what they post or whether they\u2019re foreign or domestic.\u00a0<\/span><\/p>\n Here is what we found:<\/strong><\/p>\n We removed seven Facebook accounts, 23 Pages, one Group and 20 accounts on Instagram for violating our policy against coordinated inauthentic behavior. This network originated primarily in the Transnistria region of Moldova, and targeted Russian-speaking audiences in Moldova. We removed this campaign before they were able to build authentic audiences on our apps.<\/p>\n This operation centered around about a dozen fictitious, Russian-language news brands posing as independent entities with presence on multiple internet services, including ours, Telegram, OK (Odnoklassniki), and TikTok. It included brands like Tresh Kich, Moldovan Mole, Insider Moldova, Gagauzia on Air.<\/span><\/p>\n The individuals behind this activity used fake accounts \u2013 some of which were detected and disabled prior to our investigation \u2013 to manage Pages posing as independent news entities, post content, and to drive people to this operation\u2019s off-platform channels, primarily on Telegram. Some of these accounts went through significant name changes over time and used profile photos likely created using generative adversarial networks (GAN).\u00a0<\/span><\/p>\n They posted original content, including cartoons, about news and geopolitical events concerning Moldova. It included criticism of President Sandu, pro-EU politicians, and close ties between Moldova and Romania. They also posted supportive commentary about pro-Russia parties in Moldova, including a small fraction referencing exiled oligarch Shor and his party. The operators also posted about offering money and giveaways, including food and concert tickets, if people in Moldova would follow them on social media or make graffiti with the campaign\u2019s brand names.\u00a0<\/span><\/p>\n This campaign frequently posted summaries of articles from a legitimate news site point[.]md, but with an apparent pro-Russia and anti-EU slant added by the operators. They also amplified a Telegram channel of the host of a satirical political show in Moldova critical of pro-European candidates. One of this operation\u2019s branded Telegram channels was promoted by a Page we removed last quarter as part of a Russia-origin CIB network (case #3 in the <\/span>Q2 2024 report<\/span><\/a>).\u00a0<\/span><\/p>\n We found this network as part of our internal investigation into suspected coordinated inauthentic behavior in the region. Although the people behind this activity attempted to conceal their identity and coordination, our investigation found links to individuals from Russia and Moldova operating from the Transnistria region, including those behind a fake engagement service offering fake likes and followers on Facebook, Instagram, YouTube, OK, VKontakte, X and the petition platform Change.org. We also found some limited links between this CIB activity and a network from the Luhansk region in Ukraine that we <\/span>removed <\/span><\/a>in December 2020.<\/span><\/p>\n This section details unique threat indicators that we assess to be associated with the malicious network we disrupted. It is not meant to provide a full cross-internet, historic view into this operation. It\u2019s important to note that, in our assessment, the mere sharing of these operations\u2019 links or engaging with them by online users would be insufficient to attribute accounts to a given campaign without corroborating evidence.\u00a0<\/span><\/p>\n To help the broader research community to study and protect people across different internet services, we\u2019ve collated and organized these indicators according to the <\/span>Online Operations Kill Chain<\/span><\/a> framework, which we use to analyze many sorts of malicious online operations, identify the earliest opportunities to disrupt them, and share information across investigative teams. The kill chain describes the sequence of steps that threat actors go through to establish a presence across the internet, disguise their operations, engage with potential audiences, and respond to takedowns.\u00a0<\/span><\/p>\n\n
Threat indicators<\/b><\/h2>\n