Facebook Anonymously Admits It IDed Guccifer 2.0 in Real Time

The headline of this story focuses on how Obama, in the weeks after the election, nine days before the White House declared the election, “free and fair from a cybersecurity perspective,” begged Mark Zuckerberg to take the threat of fake news seriously.

Now huddled in a private room on the sidelines of a meeting of world leaders in Lima, Peru, two months before Trump’s inauguration, Obama made a personal appeal to Zuckerberg to take the threat of fake news and political disinformation seriously. Unless Facebook and the government did more to address the threat, Obama warned, it would only get worse in the next presidential race.

But 26 paragraphs later, WaPo reveals a detail that should totally change the spin of the article: in June, Facebook not only detected APT 28’s involvement in the operation (which I heard at the time), but also informed the FBI about it (which, along with the further details, I didn’t).

It turned out that Facebook, without realizing it, had stumbled into the Russian operation as it was getting underway in June 2016.

At the time, cybersecurity experts at the company were tracking a Russian hacker group known as APT28, or Fancy Bear, which U.S. intelligence officials considered an arm of the Russian military intelligence service, the GRU, according to people familiar with Facebook’s activities.

Members of the Russian hacker group were best known for stealing military plans and data from political targets, so the security experts assumed that they were planning some sort of espionage operation — not a far-reaching disinformation campaign designed to shape the outcome of the U.S. presidential race.

Facebook executives shared with the FBI their suspicions that a Russian espionage operation was in the works, a person familiar with the matter said. An FBI spokesperson had no immediate comment.

Soon thereafter, Facebook’s cyber experts found evidence that members of APT28 were setting up a series of shadowy accounts — including a persona known as Guccifer 2.0 and a Facebook page called DCLeaks — to promote stolen emails and other documents during the presidential race. Facebook officials once again contacted the FBI to share what they had seen.

Like the U.S. government, Facebook didn’t foresee the wave of disinformation that was coming and the political pressure that followed. The company then grappled with a series of hard choices designed to shore up its own systems without impinging on free discourse for its users around the world. [my emphasis]

But the story doesn’t provide the details you would expect from such disclosures.

For example, where did Facebook see Guccifer 2.0? Did Guccifer 2.0 try to set up a Facebook account? Or, as seems more likely given the description, did he/they use Facebook as a signup for the WordPress site?

More significantly, what did Facebook do with the DC Leaks account, described explicitly?

It seems Facebook identified, and — at least in the DC Leaks case — shut down an APT 28 attempt to use its infrastructure. And it told the FBI about it, at a time when the DNC was withholding its server from the FBI.

This puts this passage from Facebook’s April report, which I’ve pointed to repeatedly, in very different context.

Facebook is not in a position to make definitive attribution to the actors sponsoring this activity. It is important to emphasize that this example case comprises only a subset of overall activities tracked and addressed by our organization during this time period; however our data does not contradict the attribution provided by the U.S. Director of National Intelligence in the report dated January 6, 2017.

In other words, Facebook had reached this conclusion back in June 2016, and told FBI about it, twice.

And then what happened?

Again, I’m sympathetic to the urge to blame Facebook for this election. But this article describes Facebook’s heavy-handed efforts to serve as a wing of the government to police terrorist content, without revealing that Facebook has sometimes erred by censoring content that shouldn’t have been censored. Then, it reveals Facebook reported Guccifer 2.0 and DC Leaks to the FBI, twice, with no further description of what the FBI did with those leads.

Yet from all that, it headlines Facebook’s insufficient efforts to track down other abuses of the platform.

I’m not sure what the answer is. But it sounds like Facebook was more forthcoming with the FBI about APT 28’s efforts than the DNC was.

  1. orionATL says:

    “… I’m not sure what the answer is. But it sounds like Facebook was more forthcoming with the FBI about APT 28’s efforts than the DNC was….”

    so, ew, you can read this whole major bit of wapo reporting with its extraordinary conclusions about the certain, early identity of dcleaks and guccifer 2.0 and end your commentary with a final sentence that reads “… I’m not sure what the answer is. But it sounds like Facebook was more forthcoming with the FBI about APT 28’s efforts than the DNC was…”


    brings to mind a tale of a friend and neighbor who went to the 7-11 for a 12 pack about midnight one evening and got mugged on the way back. lost her wallet (id, credit and debit, etc), got skinned up on the sidewalk, but otherwise unharmed.

    most of her friends were solicitous, but some friends, and some neighbors, berated her for being stupid enough to go out that late and walk back home.

    there was a time, some years back, when this unkind attitude toward a victim of others’ harmful behavior was called “victim blaming” – rather than focus on the wholly inappropriate or criminal behavior of the perpetrator(s), the focus was on the person harmed for not taking sufficient or even extraordinary precautions. have times changed, or has politics changed people? i’m not sure which.

  2. Charles says:

    I think it’s important to acknowledge that the Democrats, and especially the Clintons, had valid reasons to withhold the server from the FBI: the FBI’s long history of political abuses against Democrats and especially the Clintons. The Clintons got sensitized early on with the Gary Aldrich book, Unlimited Access, which represented a right-wing operation to damage the Clintons (http://articles.chicagotribune.com/1996-07-03/news/9607030107_1_fbi-files-gary-aldrich-clinton-white-house).

    Nor was this an isolated example. Most notoriously, during the campaign, FBI Director James Comey cost Clinton about 3-4 percentage points of her lead on Trump, according to Nate Silver.

    Therefore, why would the DNC turn over its server–which would presumably contain names of big donors and communications by them–to an agency that had been so hostile? All the DNC needed to provide, and did provide, were records essential to establishing unauthorized access.

    Unlike the DNC, Facebook had a clear financial motive to get the FBI involved. After all, Russian intelligence might start blackmailing its users, which would kill the company.

    Maybe the DNC is doing something underhand. It’s not like they’re angels. But it’s unjust in the absence of evidence to make an invidious comparison between the DNC and Facebook. The DNC did what it thought was in its interests. Same for Facebook. And evidently Facebook did not think it was in their interest to conduct a prompt investigation of Russian exploitation of Facebook as a propaganda platform when they were asked to do so by the Ranking Member on the Senate Intelligence Committee.

    It’s fair to wonder why.

    • emptywheel says:

      I’ve done that repeatedly.

      What is new here is that at a time when the DNC was still not working with the FBI, Facebook was.

      That’s news, and not the news the article pitches, which is that Facebook caused the Democrats’ woes.

      • Desider says:

        Though I don’t see too clearly how extensively Facebook worked with the FBI, just “they reported it twice”. Which could be “hey guys, this looks really bizarre”, or a more mild “we see some funny IPs”. The way Facebook’s low-balled their investigation, I might be skeptical, though pre-election they might not have been in CYA mode.

        And it seems strange that the Clinton story is the FBI contacted her campaign which didn’t call back, but Facebook contacted the FBI who didn’t follow up. Which can mean no one was doing much of anything in response, campaigns or FBI or Facebook, or maybe the indicators didn’t seem to point to a big deal at the time, or some other thought in play, or maybe the narrative’s a bit off.

      • orionATL says:

        you have a lot of background info on all this sort of stuff i don’t, ew. that’s what makes you such a valuable source.

        the sentence of yours, the last in your post, that i criticized above places the dnc as the key operator in that sentence with a strongly negative connotation attached to “the dnc” .

        when i read that sentence it was with a history of my own strongly in mind. that history was of reading this site – emptywheel – vituperatively criticizing, especially on twitter, the clinton campaign or the dnc or associated individuals week after week after week during the late winter and spring of 2016.

        now back to the present –

        your academic and professional training leads you to read far more precisely than i do, but i did not sense that the wapo article forced a decision on a reader that either facebook wrong/culpable or dnc wrong/culpable. nor do i consider facebook responsible for dnc russian problems; the russians are responsible for all that.

        not that it matters, but what the wapo article did to my understanding was to make it unambiguous that dcleaks and guccifer 2.0 were russian operations – no if’s, and’s, or but’s. this ought to kill the core of that deep state hocus-pocus that has protected the russian operation from the severe condemnation it merits. it also raises serious questions in my mind about the fbi’s hesitation in 2016 to join in with other intelligence agencies in saying the russians were after clinton.

        the facebook revelation puts the fbi and comey especially in a severely negative light as having protected themselves from republican wrath rather than protected the american political party and by extension the nation.

        facebook, by the way, has lots of questions to answer about its behavior. these, too, are slowly being asked, but facebook has not been forthcoming UNTIL appearing forthcoming was in its corporate and its founder, zuckerberg’s, interest.

      • greengiant says:

        Facebook, and twitter and others have/had a lot more clues about hacking, fake news, and dark ads on their sites that have not been made visible. They are the ones dealing with millions of fake accounts and FB should have the network of accounts and IPs correlated to generating the different accounts and blogs used. Relatively EW has data on who drives by just like the DNC should have even if it was spoofed, from a TOR exit node or from a dynamic cloud IP. So probably already forwarded to investigators. Anyone expect the NSA to cough up the metadata? [ Drivebys from random TOR? exit nodes at one of my sites stopped in June, the Russian click bait phishes from France stopped in March when DGSE seized the French TOR servers, hat tip to SLF ]

        Are the FB captured IPs similar to ones Guccifer 2.0 used? What IRA and APT28 activities at FB have not yet been fessed up? Unless it is a cut out for dark ads, the media game is inflating shares, replies, likes so that the phished will relay the narrative or click on the bait link. The game is definitely not to give FB real money for that which can be sub contracted out for far less. FB is not yet forthcoming on these activities. Who has confidence that FB knows all?

        I understand the G data went to Nevins and then to Stone. Guccifer 2.0 could have been an operation to cover for their collection of it off the dark web before Assange released the unRussified ad hoc package? The point being to mess with Trump and/or Clinton since the message was “Russians” had diddled incompetent DNC/Clinton, ’cause the G data itself is like so what.

    • Mitchell says:

      I’m sure the FBI was on it and would have given it some sort of priority but there was that email thing that was more important — and which, if that resulted in anything harmful to the nation, would have been known years earlier.

      The Bureau did a great service to the nation in the course of the election. But Comey was running scared of the New York office. In view of all the good the NY office has done, maybe cleaning it up would have been a better idea than, you know, running scared. And now the deep state has to clean up the mess. Of course, this would be more depressing if we were a true, functional democracy.

      One would like to think that Facebook was capable of doing anything about this, but led by anti-social capitalists, that’s never going to happen voluntarily. But this is, to me, a huge failure by the FBI.

      • orionATL says:

        our fbi, so proud!

        what would we do (be) without their continuous bungling. it brings tingles of patriotic pride to think of all the dangerous low threat/low iq young muslim men, environmentalists, and animal rights nuts they spent time tricking into felonies with undercover agent after undercover agent.

        and big jim comey, the hero who runs upstairs, what a mensch – republican style.

        and then there’s the republican party’s very own right-wing contingent of fbi sitting on the nycity police’s murder of eric garner and getting off on anthony weiner’s (yes, unfortunately named) laptop full of secret clinton emails that finally proved to voters what an untrustworthy person clinton was.

        and now the royal divider has his own loyal servant in charge at the fbi. good times comin’ for sure – unless you are into political and social protest.

  3. Willis Warren says:

    That’s interesting. Facebook did nothing about my reports of Russian prop sites. Most of them are still there. Although the ‘Chris Cornell was murdered by Hillary’ site seems to have been taken down.

  4. SpaceLifeForm says:

    OT: Simon and Speck

    No, it’s not a law firm.
    Nor a new TV show.

    It’s a DOA encryption method.


    Asked if it could beat Simon and Speck encryption, the NSA officials said: “We firmly believe they are secure.”

    [Maybe from other attackers]

    In the case of Simon and Speck, the NSA says the formulas are needed for defensive purposes. But the official who led the now-disbanded NSA division responsible for defense, known as the Information Assurance Directorate, said his unit did not develop Simon and Speck.

    “There are probably some legitimate questions around whether these ciphers are actually needed,” said Curtis Dukes, who retired earlier this year. Similar encryption techniques already exist, and the need for new ones is theoretical, he said.

    • Mitchell says:

      Help me with the math.

      North Korea: One offensive act of war in 67 years. Posturing notwithstanding, no good reason to think that’s changing anytime soon.

      The US: Counting covert actions as well as military actions, far more than I can count. Now led by a sociopath desperate to act tough militarily.

      • SpaceLifeForm says:

        And therein lies the problem. The covert stuff.
        And presidents bypassing the US Congress.

        The 67 years refers to the ‘Korean War’ where the US Congress neither declared that the US was *at* War, nor did the US Congress even do an AUMF.

        Technically, the Korean War continues to this day.


        “Where is Korea?” the commenters, below, cry. That is a good and tricky question. The Korean War was not authorized by Congress. President Truman committed American troops in Korea in 1950 under the United Nations Participation Act of 1945, which was ratified by the U.S. Senate, citing resolutions passed by the United Nations Security Council in 1950. This precedent — the constitutionality of which has been debated — has been cited by subsequent presidents as justification for using military force without congressional authorization, as in Panama in 1989 and Iraq in 1990 under George H.W. Bush, and Haiti and Bosnia under President Clinton in 1994. According to a 1995 article in the American Journal of International Law, “Presidents and their advisers point to more than two hundred incidents in which Presidents have used force abroad without first obtaining congressional approval.”

  5. lefty665 says:

    Thanks for showing that the Wash Post has once again in the carry over reported that their headline and lede are contradicted by the reporting. Democracy lives in the fine print.

    “I’m sympathetic to the urge to blame Facebook for this election.” Hope you don’t give in to it. The blame for this election lies with the candidates and the parties that vomited them up. Has Hillary added Facebook to her list of those who lost the election for her while exonerating herself for calling half the electorate “deplorable” and failing to campaign in places like Michigan? Facebook seems like pretty small potatoes in comparison. Straining at gnats is what my mother used to call it.


    • orionATL says:

      here is another version of the same story:


      note how horner’s brother describes his activities as “satire”.

      ah, yes. the satire defense. it has become the go-to shield to scrounge 1st amendment rights for authors of flagrantly false stories with likely political impact.

      hmmm. flagrant political lying as “satire”. does flagrant lying about a commercial product earn it the right to style itself as “attractive exaggeration”?

  6. orionATL says:

    hot off the press – zuckerberg accepts some facebook responsibility, sort of:


    but don’t put too much on this. zuckerberg never does a sincere mea culpa, he only professes one.

    facebook only “apologizes” when it has no other recourse except to obfuscate.

    one only has to look at the erratic, if not inane, way facebook de-certifies content to know that that corporation is out for itself only.
