Full Report
Meta on Thursday revealed that it disrupted three covert influence operations originating from Iran, China, and Romania during the first quarter of 2025. "We detected and removed these campaigns before they were able to build authentic audiences on our apps," the social media giant said in its quarterly Adversarial Threat Report. This included a network of 658 accounts on Facebook, 14 Pages, and
Analysis Summary
# Threat Actor: Storm-2035 (and two other unnamed influence operations)
## Attribution & Identity
* **Iranian Network (Storm-2035):** An Iranian network previously described by Microsoft (August 2024) and OpenAI in connection with influence operations.
* **Chinese Network:** One of the three distinct influence operations disrupted by Meta, originating from China.
* **Romanian Network:** One of the three distinct influence operations disrupted by Meta, originating from Romania.
* **Aliases/Associated Groups:** The Iranian cluster is formally dubbed **Storm-2035**.
## Activity Summary
Meta disrupted three separate covert influence operations in Q1 2025 originating from Iran, China, and Romania before they could build significant authentic audiences.
* **Romanian Operation (Origin: Romania):** Targeted audiences in Romania across Meta platforms, TikTok, X, and YouTube. The operators managed 658 fake accounts, 14 Pages, and 2 Instagram accounts, and posted primarily in Romanian about local news and elections.
* **Iranian Operation (Storm-2035):** Targeted Azeri-speaking audiences in Azerbaijan and Turkey across Meta, X, and YouTube. Activities included posting content, managing Pages, and artificially inflating engagement by commenting on their own posts. This cluster was previously known for targeting US voters with polarizing messaging on presidential candidates, LGBTQ rights, and the Israel-Hamas conflict.
* **Taiwan/Myanmar/Japan Operation (Origin: China/Unspecified):** Removed 157 Facebook accounts, 19 Pages, 1 Group, and 17 Instagram accounts targeting audiences in Myanmar, Taiwan, and Japan. The article snippet names China as the origin of **one** of the three operations, and the targeting geography listed here might belong to that third operation.
## Tactics, Techniques & Procedures
* **Fictitious Personas:** Leveraging fake accounts masquerading as locals (e.g., in Romania) or specific identifiable groups (e.g., female journalists, pro-Palestine activists in the Iranian campaign).
* **Platform Coordination:** Coordinating activity across multiple platforms including Facebook, Instagram, TikTok, X, and YouTube.
* **Content Manipulation:** Using fake accounts to comment on posts by politicians and news entities, and artificially inflating content popularity by commenting on their own posts.
* **OpSec:** Employed consistent operational security (OpSec) to conceal origin, including relying on proxy IP infrastructure (Romanian campaign).
* **Hashtag Spamming:** Using popular hashtags (e.g., #palestine, #gaza) to inject content into existing public discourse (Iranian campaign).
* **AI Weaponization (Storm-2035):** Previously known to use OpenAI's ChatGPT to generate content for social media sharing.
## Targeting
* **Sectors:** Not explicitly detailed, but operations focused on socio-political discourse, elections, and current events.
* **Geography:**
    * Romania
    * Azerbaijan and Turkey (targeting Azeri-speaking audiences)
    * Myanmar, Taiwan, and Japan
* **Victims:** General public audiences in targeted geographies; specific mentions of targeting posts concerning Romanian elections, US President Biden, and criticisms of Israel.
## Tools & Infrastructure
* **Malware Families Used:** Not specified in the context of this report (focus is on influence ops, not typical malware deployment).
* **Infrastructure (C2, domains, IPs):** Relied on proxy IP infrastructure to conceal operational origins.
## Implications
These coordinated influence operations demonstrate continued foreign state interest in shaping discourse, interfering with elections, and polarizing public opinion across Europe, the Middle East, and East Asia. The use of proxy infrastructure shows a sustained effort to evade attribution. Storm-2035's continued activity across various platforms confirms its status as a persistent, multi-domain influence actor.
## Mitigations
* Enhance monitoring for coordinated inauthentic behavior (CIB) across Facebook, Instagram, X, and YouTube.
* Review security surrounding local elections/political discourse, particularly in Romania.
* Implement robust IP reputation checks and anomaly detection to counter proxy infrastructure usage.
* Monitor for artificial inflation tactics such as self-commenting on social media content.