Facebook has announced the removal of more than 650 accounts originating in Iran. These accounts were identified as displaying ‘coordinated inauthentic behavior’, and while the campaigns may not have been directly affiliated with one another, they were all similarly targeted as misleading Facebook users about their origination and goals.

In an announcement, Facebook indicated that the accounts were banned in order to increase user trust in the platform as a whole; however, there is a significant challenge associated with efforts to root out malicious actors as “the people responsible are determined and well-funded.”

The term ‘inauthentic’ describes sites that make efforts to hide origins and affiliations, and use fabricated social media personas to promote content. In order to make these personas more difficult to identify as fake, information promoted on these sites included a mix of original content, and actual news articles that were either taken as written from other news sources or in some cases, altered.

The activity was discovered by researchers at FireEye, who identified an ‘influence operation’ originating in Iran, expressing pro-Iranian interests through a network of inauthentic news sites and associated accounts. The purpose of this effort was to direct political discourse in the US, UK, Latin America, and the Middle East in a pro-Iranian direction, including expressing anti-Saudi, anti-Israeli, and pro-Palestinian themes.

FireEye discovered that emails for news sites ‘Liberty Front Press’ and ‘Instituto Manquehue’ were associated with advertisements for website designers in Tehran, and Twitter accounts affiliated with the sites were linked to Iranian phone numbers.

Based on the information from FireEye, Facebook began an investigation into the ‘Liberty Front Press’ and discovered direct links to website registrations, IP addresses and Facebook Page administrators.

The next step of the investigation found links to other accounts posing as news organizations, that engaged in traditional cybersecurity attacks, including attempts to hack accounts and distribute malware through the platform.

Finally, as part of the ongoing investigation, Facebook removed the accounts, users and Pages that were part of the network from the platform. It notified the US State and Treasury Departments of its efforts, as trade sanctions against Iran are currently in place. The company also indicated its commitment to continuing efforts by “building better technology, hiring more people and working more closely with law enforcement, security experts and other companies.”