Cyber Incident Victim: Factcheck.bg

Date: Sep 2023

Location: Bulgaria

Summary

A cyber attack targeted Bulgaria's prominent fact-checking platform Factcheck.bg, leading to the mass deletion of its posts on its own website and on Facebook. The incident also affected the posts of its parent organization, the Association of European Journalists, and other managed platforms. The attack, which utilized a malicious WordPress plugin, resulted in Facebook automatically removing content for violating security, privacy, or spam policies, including fact-checks countering Russian disinformation and reports on political clashes.

Description

On or around September 21, 2023, Bulgaria’s most prominent fact-checking platform, Factcheck.bg, was subjected to a cyber attack. The platform is known for its work countering Russian disinformation and is managed by the Association of European Journalists – Bulgaria (AEJ). The attack also impacted the posts and online presence of the AEJ itself, as well as two other associated platforms: sCoolmedia.com, a national platform for student journalism, and the training platform Media Lab. The incident manifested on the morning of Thursday, September 21, when Facebook began automatically removing posts originating from these entities. Users and the platforms themselves received notifications from Facebook stating that the reasons for the takedowns were related to violations of cyber security policies, privacy policies, or spam regulations.

The scope of the attack was significant, leading to the deletion of numerous posts on both the Factcheck.bg website and its connected Facebook page. The impact was not limited to new content; both current posts and those published months earlier were affected and subsequently removed by Facebook’s automated systems. Among the specific content taken down were AEJ positions related to clashes involving Kostadin Kostadinov, the chairman of the pro-Russian radical party “Vazrazhdane,” with independent liberal media in Bulgaria. Furthermore, viral fact-check posts directed against pro-Russian disinformation campaigns on Facebook were deleted. A reported video showing protesting grain farmers kicking out Kostadinov as he attempted to talk to them was also removed from the platform. Some users reported they could not even see which of their specific posts had been taken down, receiving only a generic message stating the content did not meet community standards.

The technical investigation into the incident revealed the presence of a suspicious plugin within the WordPress platform, which is the content management system used by the attacked sites. This finding suggests the compromise may have originated through this vector, though the exact mechanism of the initial intrusion was not detailed in the immediate aftermath. The problems with sharing content on Facebook persisted until the evening of September 22, at which point the ability to share links to the pages of AEJ – Bulgaria, Scoolmedia.com, and Media Lab began to be gradually restored on the social media platform. The restoration process indicated that Facebook had identified and was rectifying the issue that had caused the erroneous flagging and removal of the legitimate content.

The Association of European Journalists, which manages the fact-checking platform, provided an official comment on the incident, stating that at the moment, it could not be established whether it was a simple attack involving malicious software or a targeted one specifically related to the activities of Factcheck.bg and AEJ – Bulgaria. This statement highlights the initial uncertainty surrounding the attribution and precise motivation behind the cyber attack. The incident also had a broader impact beyond the directly targeted Bulgarian sites; reports were received that content had been taken down from or linked to other fact-checking sites, such as “AFP Check,” though the nature of this connection was not fully elaborated. The official position from Meta, Facebook’s parent company, regarding the issue and whether it was related to similar problems experienced by users in other parts of the world remained to be clarified at the time of reporting. The attack damaged the online presence and operational capacity of a key Bulgarian institution dedicated to combating disinformation, resulting in a temporary but significant suppression of its content and voice on a major social media platform.
