Facebook announced Thursday that it had dismantled more than 350 Facebook accounts and pages connected to the Saudi Arabian government for engaging in “coordinated inauthentic behavior,” the social network’s catchall term for misinformation, impersonation, and spamming.
The accounts shared pro-Saudi images and messages and targeted the kingdom’s enemies, Nathaniel Gleicher, Facebook’s head of cybersecurity policy, said. The accounts’ administrators attempted to reach people primarily in the Middle East and North Africa, posing as news outlets and locals with fake names, according to Facebook, and calling into question the legitimacy of human rights organizations and existing news sites.
Though Russia is more often associated with online misinformation campaigns and cybercrime, Saudi Arabia has ramped up its digital efforts in recent months, especially in targeting Amazon founder and CEO Jeff Bezos over the coverage of the murder of journalist Jamal Khashoggi by the Washington Post, which he owns. In October, not long after the murder of Khashoggi, Twitter banned a network of bots sending pro-Saudi messages, often via the hashtag #We_all_trust_Mohammad_Bin_Salman.
ADVERTISEMENT
Facebook cited reporting by Bellingcat, an independent news site that investigates misinformation campaigns and cybercrime, as helpful in its determination to slash the offending accounts. In late June, the site published a report on Saud al-Qahtani, the Crown Prince’s cyber-czar, that detailed Qahtani’s involvement in the murder of Kashoggi, his purchase of malicious spyware, and his creation of fake social media profiles.
“Our investigation benefited from the research published by Bellingcat on the information environment in Saudi Arabia. However, we did not see direct links between this network and an individual named in the Bellingcat report,” a Facebook spokesperson told The Daily Beast.
An anonymous researcher going by the pseudonym “b33lz3bub” authored the Bellingcat report based off of digital clues from Qahtani exposed by the breach of an Italian spyware vendor, Hacking Team. The company offered what companies sometimes refer to as “lawful intercept” services, which allow governments and law enforcement agencies to spy on everyone from criminals to dissidents. Email addresses, phone numbers, and usernames found in the Hacking Team breach suggested that Qahtani had at some point approached the company about its services.
The Daily Beast spoke to “b33lz3bub” about Facebook’s removal of Saudi-linked accounts spreading disinformation and agreed to withhold the researcher’s identity based on security concerns.
“My main impression is that I’m glad Facebook is proactively looking for these disinfo ops and that I hope I ruined Qahtani’s day,” b33lz3bub told The Daily Beast.
B33lz3bub expressed some surprise at Facebook’s revelation of a broad disinformation campaign on the platform tied to Qahtani, since most of the previous activity was focused on Twitter. There were early clues he had set his sites on trolling Facebook, though.
“He was pretending to be an old Egyptian man [on Facebook] and he was pushing pro-Mubarak content linked to an email account with the handle ‘nokia2mon2’” b33lz3bub said. “If I had to speculate, that [pro-Mubarak account] would’ve been patient zero.”
The Bellingcat report showed Qahtani practiced amateurish operational security as he trawled hacking forums looking for new tools and techniques, leaving behind a trail of traceable phone numbers, nicknames, and email addresses. Qahtani also “posted at least three times while drunk, by his own admission, and opined on topics unrelated to hacking such as the role of religion in politics and policy toward Iran,” according to the Bellingcat report.
The removal of the Saudi accounts comes in tandem with the deletion of more than 350 Facebook accounts and pages with 13.7 million followers operated from Egypt and the United Arab Emirates. Two marketing firms ran these accounts, which engaged in coordinated inauthentic behavior, Gleicher wrote.
One post shared by Facebook showed Crown Prince Mohammad bin Salman kissing the head of a wounded soldier. Another blasted Qatar for its reported involvement in a recent bombing in Somalia. A third detailed sanctions against Turkey. The accounts also praised the Crown Prince’s economic plan and the actions of Saudi armed forces in Yemen.
Gleicher broke down the activity on Facebook’s social networks in a news release. Facebook’s action affects 217 Facebook accounts, 144 Facebook pages, 5 Facebook groups, and 31 Instagram accounts. Those pages totaled 1.4 million followers ad 145,000 people followed one of the accounts on Instagram. The campaign spent around $108,000 combined, in Saudi riyal and U.S. dollars.
The Royal Saudi Embassy did not immediately respond to request for comment. And Facebook declined to comment further, beyond Gleicher’s post.
“The individuals behind this activity posed as locals in countries targeted by this campaign—often using fake accounts—and created fictitious personas to run Pages and Groups, disseminate their content, increase engagement and drive people to an off-platform domain,” wrote Gleicher. “Although the people behind this activity attempted to conceal their identities, our review found links to individuals associated with the government of Saudi Arabia.”
