Inauthentic Facebook network shut down in Georgia

Assets were linked to Georgia Dream-affiliated Espersona and targeted political opposition, health authorities, or pro-democracy activists

@DFRLab
@DFRLab
May 5, 2020 · 10 min read
(Source: @KaranKanishk/DFRLab)

Six months before parliamentary elections are scheduled to be held in Georgia, Facebook removed a network of pages, groups, and accounts openly linked to Espersona, a media organization owned by an individual with ties to the ruling Georgian Dream party. Facebook also removed a second set of assets connected to the opposition United National Movement, but the DFRLab did not have access to that set prior to its removal.

The assets connected to Espersona impersonated Georgian health authorities and political opposition members and sought to discredit pro-democracy activists and members of opposition parties. Some of the pages belonged to Georgian fringe media outlets, which are connected to each other.

As the fall elections approach, the political situation in Georgia has become increasingly polarized. A wave of anti-government rallies has shaken the country since June 2019, as demonstrators have called for reforms to the country’s electoral system and protesting the excessive use of force by police against protesters. Following the protests, opposition leaders started to negotiate a new electoral process with the ruling Georgian Dream party, though the talks stalled after one opposition leader was jailed.

It was in this political setting that Facebook removed 790 assets linked to Espersona. In its announcement of the takedown, Facebook stated:

The individuals behind this activity used fake accounts — some of which had been previously detected and disabled by our automated systems — to create fictitious personas, impersonate opposition leaders and local health officials, manage Groups and Pages, and make their content appear more popular that it is. Some of these Groups went through name and admin changes over time and appear to have been purchased. The people behind this network also ran Pages designed to look like user profiles — using false names and stock profile images — to post and amplify their content, as well as to avoid detection and removal. Some of these Pages posed as independent news outlets. The Page admins and account owners typically posted about domestic news and political issues such as elections, government policies and officials, as well as criticism of the opposition, journalists and local activists. Most recently, this network shared some content about COVID-19, including posts which was removed for violating our policies against harmful health misinformation.

Although the people behind this operation attempted to conceal their identities, our investigation linked them to Espersona, a media firm in Georgia. This organization is now banned from our platforms.

The DFRLab had access to a subset of 488 assets connected to the online network prior to removal and independently corroborated the assets were operated by Espersona. The network targeted a domestic Georgian audience with posts about politics, elections, and government policies, and that attempted to discredit or criticize the opposition and local activist organizations.

This takedown comes four months after an earlier takedown in December 2019, which Facebook attributed to Panda, a private marketing company with ties to the Georgian Dream-led government, and which the DFRLab investigated.

Facebook removed pages owned by and linked with the webpage Espersona. According to the site, it is a media platform that combines profiles of popular public figures and “hot” news in one space, covering politics, business, and society. On the former, the website has a separate section for profiles of popular and well-known politicians, celebrities, and sports stars, both Georgian and foreign.

The main and about pages of the website of Espersona. (Source: Espersona/archive, left; Espersona/archive, right)

Espersona is owned by Koka Kandiashvili. According to the Espersona website and the office of Prime Minister, from April through December 2013, Kandiashvili was head of the Department of Public Relations at the Chancellery of the Government of Georgia, ruled by the Georgian Dream party. After that, Kandiashvili transitioned to be a consultant for the Chancellery of the Government on public relations.

Kandiashvili is a known figure when it comes to information operations in Georgia. He was recently linked to a Georgian troll factory, after local media and nongovernmental organizations identified him as its head, though Kandiashvili has repeatedly denied his links with it. In this takedown, Facebook removed Kandiashvili’s personal account as well as an eponymous page (which he managed) and Facebook groups (that he also managed).

The personal account (left) and an eponymous Facebook page (right) for Koka Kandiashvili were both removed as a part of this takedown. (Source: Facebook)

Facebook also shut down the personal account of Kandiashvili’s ex-wife Nona Kandiashvili, who served as Head of Press Office at Chancellery of the Government of Georgia from 2012 until 2017 when she became the Head of Public Relations at Tbilisi City Assembly. Nona Kandiashvili has also been linked directly to Georgian Dream, with public records indicating personal donations to the party.

Koka Kandiashvili’s Espersona operated at least eight Facebook pages with variations of the name “Espersona.” The cumulative total of followers for all of the pages was around 40,000. Some of the pages shared the content from Espersona website, while others had close to zero activity.

Espersona operated at least eight different Facebook pages with similar names, all variations of “Espersona.” (Source: Facebook)

Seven out of the eight “Espersona”-named pages the DFRLab analyzed also managed Facebook groups, as discussed later under “Inauthentic groups.”

Groups managed by Espersona pages. (Source: Facebook)

Other pages in the set posted content that was also regularly shared in the groups; the pages were used as a means of discrediting political opposition and activists.

Georgian Facebook pages discrediting political opposition and activists. (Source: Facebook)

Some of the removed pages were duplicates that modified their URL tag names only slightly. For example, the page “იყავი და გაგეკეთებინა • Ikavi da Gageketebina,” created on March 2, 2018, had a counterpart in another page named “იყავი და გაგეკეთებინა • Ikavi da Gageketebina,” which was created on July 30, 2019. While the page names were identical, the URLs for the pages had variations — https://www.facebook.com/Ikavidagageketebina/ and https://www.facebook.com/ikavidagageketebinaaa/, with the only difference being the number of “a’s” at the end of the URL.

The initial pages of the duplicates all appeared to have been created in 2018, while their duplicate counterparts were created on July 29 or July 30, 2019.

Duplicated Facebook pages discrediting Georgian opposition leaders and activists were created in 2018 and 2019. The first line (in pink) shows the pages created in 2018, while the second line (in green) illustrates the pages with the same name and content created in 2019. (Source: Facebook)

The number of the followers of the pages created in 2018 ranged from 11,000 to 40,000, while their 2019 duplicates had only garnered 300 to 600 by the time of the takedown.

The network also included pages impersonating opposition leaders and health authorities. This is especially relevant given the tense situation caused by the COVID-19 pandemic, as Georgian society has placed much of its trust to the few doctors and virologists who have been reporting on COVID-19 developments in the country on a daily basis. They were also being impersonated, and the assets doing so may have been trying to build a large audience for the page to serve as a channel for disinformation at a later date. One of the removed accounts impersonated Levan Ratiani, one of the more prominent health officials, and posted updates regarding the case numbers around the COVID-19 outbreak in Georgia.

Another of the removed pages was allegedly that of the leader of political opposition, Vano Merabishvili. The page claimed that Merabishvili would not partake in domestic political warfare, perhaps as a means of dissuading the actual Merabishvili to curb his political activity or to persuade his supporters to give up dreams of victory, thereby discouraging their democratic participation. The page also suggested the followers to follow “his” Twitter account, though the link provided only pointed to an error page on Twitter.

The removed assets impersonating the leader of the political opposition (the page at left) and a prominent Georgian doctor (the account at right). (Source: Facebook)

The DFRLab analyzed 269 pages that were removed from the platform. Some of the pages in the network belonged to fringe political news portals. The DFRLab counted 14 such news portals, the official pages for which Facebook removed. The total number of followers of these 14 pages was slightly more than 8,400, ranging from 67 followers on the low end to 5,900 for the most popular page. These external news portals mainly publish pro-government content, and their content is mostly critical toward the opposition parties. Content of these fringe media portals was also disseminated in multiple groups, which Facebook also took down.

A collection of articles posted by removed Facebook pages, which were connected with external fringe news portals. The screencaps in the top line are all examples of unsubstantiated smears directed at opposition figures, while those at the bottom are examples of posts that praised the government and the leader of Georgian Dream party. (Source: Facebook)

The DFRLab also checked creation dates of the fringe media Facebook pages, a majority of which were created on a single day, May 27, 2019. Others in the set were created a bit later in June 2019. The DFRLab also checked the domain data of the websites for these news portals and found out that the majority of the external websites were also created on a single day, May 12, 2019.

The majority of news portal Facebook pages were created on a same day and Domain data of news portal websites showed that they were also created at the same day. (Source: GGigitashvili_/DFRLab via Facebook and Whois.com)

Some of the fringe portals had a similar interface to their external websites and contained highly similar descriptions in the “About“ section of their Facebook pages. Between the same-day creation dates for both the Facebook pages and the external websites, as well as the design similarities between those same things, the possibility that these assets were a single network managed by the same people was very high.

Some of the fringe media portals had very similar interfaces on their websites (top row), and Facebook pages for the fringe portals also had highly similar text in “About“ section. (Source: ikitxe.com/archive, top left; 7dge.com/archive, top right; Facebook, bottom left and right)

The DFRLab also examined around 90 Facebook pages that did not post anything on their own timeline but that did actively post content to groups they administered. Facebook allows both pages and user accounts to be administrators of groups. Some of these pages posted only content from the above-mentioned fringe news portals to the various groups. Most probably, the owners of this collection of inauthentic pages used the ability to manage the groups through a page (rather than an account) as a means of masking their true identity.

A majority of the pages used exclusively to manage groups were created in late 2019 with names that contained the word “news” (or “nius,” as seen below). In the takedown, Facebook also disabled the groups managed by these pages.

A collection of Facebook pages that were created to manage groups. Red, green, and blue rectangles mark common groups jointly managed by these pages. (Source: Facebook)

The inauthentic network also included dozens of less political pages dedicated to movies, soccer, entertainment, and love, among other things. Perhaps because of their less political nature, in comparison with other pages in the network, they had relatively larger audiences. As with other operations, these pages may have been in an audience-building stage, trying to attract a large number of followers before pivoting to more political content at a later date.

Screencaps of jokes, nature photos, and beauty related posts from less political pages. (Source: Facebook)

Facebook also removed 99 groups that were created and managed by the operators of the inauthentic network. Content posted in these groups was diverse, ranging from news to religion. The DFRLab spotted multiple instances when the same content was posted simultaneously across multiple groups.

Some of the groups had multiple administrators, including real individuals, fake accounts, and pages. Pro-government and anti-opposition content from Espersona and the fringe news portals mentioned above was frequently disseminated in these groups. Facebook also removed personal accounts of some individuals who were connected with both Espersona and the fringe outlets and who were posting their content to the groups.

A collection of articles posted in removed Facebook groups. The upper row are pro-government posts, while the bottom row shows examples of posts depicting the opposition as an aggressive force. The green rectangles mark the removed account of a journalist who previously worked for Espersona and now is an editor of Mtavari Ambebi, a fringe media portal. (Source: Facebook).

The DFRLab also found out that in some of the removed groups, content was regularly posted from two news portals with Russian domains, Geoposts1.ru and Informaciebia.ru. When a user clicks on an article link on these websites, however, they are automatically transferred to other Russian “news” websites — Debatnews.ru and todaynewss.ru respectively. Both of these websites publish stories with sensational, catchy headlines in Georgian and both of them run advertisements, indicating a financial incentive via clickbait content. Despite this apparent financial incentive, the websites post content predominantly favorable to the Georgian Dream-led government.

Some of disabled pages frequently posted content with sensational headlines from Geopost1.ru and informaciebia.ru, apparent clickbait websites, to some of the removed groups. (Source: Facebook)

The DFRLab checked Geoposts1.ru using its Google Analytics ID, the unique account number that enables the websites to have paid-for advertisements, and found 10 other affiliated websites. These websites use the same Google Analytics ID and their domain addresses are similar. The DFRLab also looked into the Google Analytics ID for Informaciebia.ru website but found no affiliated webpages.”

A total of 11 websites shared the same Google Analytics ID, including Geoposts1.ru. (Source: @GGigitashvili_/DFRLab via DNSlytics.com)

The design and interface of these websites are almost identical, and their content is highly similar. The true purpose of managing so many similar websites is unclear, but increased traffic through prevalence is a frequent tactic used to generate more money through views or clicks of advertisements.

Facebook also shut down at least 43 Instagram accounts linked to the network. The removed assets included accounts with no activity, completely private accounts, and accounts sharing photos in support of the Georgian Dream party, as well as photos of baking, make up techniques, and more.

Removed Instagram accounts included empty accounts with no posts (left), private accounts (center), and accounts with varying topicales focus (right). (Source: Instagram)

This takedown comes at a particularly heated period in Georgian politics, ahead of the late-2020 parliamentary elections. Likely as a means of re-appropriating legitimate credibility through name recognition or institutional trust, some of the assets camouflaged themselves as news outlets, while others impersonated opposition leaders and health authorities. This, in turn, was likely a means of affecting the online political landscape in the country, as many of the assets promoted a specifically anti-opposition, pro-Georgian Dream political agenda.

Eto Buziashvili is a Research Associate, Caucasus, with the Digital Forensic Research Lab.

Givi Gigitashvili is Research Assistant, Caucasus, with the Digital Forensic Research Lab.

Follow along on Twitter for more in-depth analysis from our #DigitalSherlocks.

DFRLab

@AtlanticCouncil’s Digital Forensic Research Lab.

DFRLab

@AtlanticCouncil’s Digital Forensic Research Lab. Catalyzing a global network of digital forensic researchers, following conflicts in real time.

@DFRLab

Written by

@DFRLab

@AtlanticCouncil's Digital Forensic Research Lab. Catalyzing a global network of digital forensic researchers, following conflicts in real time.

DFRLab

@AtlanticCouncil’s Digital Forensic Research Lab. Catalyzing a global network of digital forensic researchers, following conflicts in real time.