They set up phony news sites with stories ripped from other sources, backing up their state-sponsored agenda. They stole photos for their social media profiles and made up names to catfish unsuspecting victims. They formed an incestuous web of promotion across Facebook, Twitter, YouTube, Google+, Reddit, and other platforms. They seemed to have a thing for Bernie Sanders. And then they got caught.
Yes, that’s the story of the infamous Russian trolls who spread divisive content throughout the 2016 presidential campaign season. But it just as easily applies to the recently discovered propaganda network that Facebook and Google have linked to Iran’s state media corporation, Islamic Republic of Iran Broadcasting. They and Twitter have since deleted hundreds of accounts between them, thanks to a tipoff from vigilant researchers at the cybersecurity firm FireEye.
Over the last two months, the FireEye team pulled on what looked to the untrained eye like unrelated threads—the phone numbers these accounts used to sign up for Twitter, the emails they used to register domains, the changes to their account names over time. This week, the broader operation unraveled.
In a new report published Thursday, FireEye illuminates exactly how this front in the global information wars played out.
In a lot of ways, the latest influence campaign followed a playbook similar to the one used by Russian propagandists at the Internet Research Agency during the 2016 election. But there are key differences. The biggest: While the Russian trolls staked out both sides of almost any issue in order to pit Americans against each other, these Iranian accounts primarily supported their own domestic interests.
“The Russian accounts seemed to be designed to sow divisions between groups for the purpose of undermining trust in the democratic process, and creating a distraction within US politics,” says Lee Foster, manager of information operations analysis at FireEye. “On the Iranian side, I get the sense that it was one-sided. We didn’t see pro- and anti-Palestinian content. We saw anti-Israeli commentary and pro-Palestinian commentary.”
While Russians posed as both Trump supporters and Bernie bros in the US, the Iran-linked websites and pages pushed explicitly anti-Trump content, seizing on hashtags like #Resist, #LockHimUp, and #NotMyPresident. Though Facebook found some accounts dating back to 2011, much of the network FireEye discovered seems to have been created in early 2017, after Trump assumed office.
The anti-Trump onslaught from Iran stands to reason. As a candidate, Trump campaigned on overturning what he referred to as the “disastrous” Iran Deal, which lifted certain global sanctions on the country in exchange for tightened restrictions on Iran’s nuclear program. In May of this year, Trump followed through on that promise, heightening fears of escalating cyberattacks from an already active Iran. (In March, the US indicted nine Iranians for cyberattacks on 144 US universities. This week, cybersecurity firm Secureworks published a new report indicating that those attacks are ongoing.)
The main node promoting these messages in the United States was called Liberty Front Press, a website that purported to be “comprised of independent journalists, activists, and anyone who wants to shape the direction of our world toward a better future.” In truth, much of the content was stolen from sites like RawStory, CNN, and Politico. Not only that, but the email address used to register the site appears to be associated with a web designer in Iran. It was also used to register a separate website in the network called Instituto Manquehue, which targeted Latin Americans with positive messages about the Venezuelan and Bolivian presidents, who have friendly relationships with Iran.
FireEye’s investigation began with Liberty Front Press and the accounts that heavily pushed its content, and spread from there. “We looked at who else is pushing content from this site online, and we were able to identify additional clusters of accounts and look at what they are pushing,” Foster says. “Repeating the cycle, we end up with this network of these different inauthentic news sites and social media accounts.”
In addition to Instituto Manquehue, the analysts found two additional networks masquerading as US news groups (US Journal and Real Progressive Front), two sites purporting to be based in the United Kingdom (The British Left and Critics Chronicle), and a constellation of fake personas promoting their content.
Despite their purported origins, these sites repeatedly homed in on news regarding the Middle East, covering topics like the Syrian civil war and Palestinian rights. The phony personas stole pictures from stock photos, news stories, and at least one French actress’s headshot. Using open source tools, the researchers found that the Twitter accounts affiliated with these sites and with the coalition of fake personas were registered with phone numbers using Iran’s +98 country code. They also appeared to be most active at times that corresponded with the Iranian work week.
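The activity-timing signal described above can be checked with a few lines of analysis. This is an added example, not code from FireEye's report: the candidate locations, fixed UTC offsets (daylight saving ignored), 09:00-17:00 office hours, and sample timestamps are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumptions: fixed UTC offsets (no daylight saving) and 09:00-17:00 office hours.
# weekday(): Monday=0 ... Sunday=6. Iran's work week runs Saturday to Wednesday.
CANDIDATES = {
    "Tehran":   (timezone(timedelta(hours=3, minutes=30)), {5, 6, 0, 1, 2}),
    "New York": (timezone(timedelta(hours=-5)), {0, 1, 2, 3, 4}),
    "London":   (timezone.utc, {0, 1, 2, 3, 4}),
}

def workweek_share(posts_utc, tz, workdays, start_hour=9, end_hour=17):
    """Fraction of posts made on a working day, within office hours, in tz."""
    if not posts_utc:
        return 0.0
    hits = 0
    for ts in posts_utc:
        if ts.tzinfo is None:
            # Naive timestamps would silently be read as the analyst's local time.
            raise ValueError("timestamps must be timezone-aware (UTC)")
        local = ts.astimezone(tz)
        if local.weekday() in workdays and start_hour <= local.hour < end_hour:
            hits += 1
    return hits / len(posts_utc)

def score_candidates(posts_utc, candidates=CANDIDATES):
    """Score every candidate location against the same posting history."""
    return {name: workweek_share(posts_utc, tz, days)
            for name, (tz, days) in candidates.items()}

def best_fit(posts_utc, candidates=CANDIDATES):
    """Name of the candidate whose work week explains the most posts."""
    scores = score_candidates(posts_utc, candidates)
    return max(scores, key=scores.get)

def constructed_posts():
    """Constructed sample: posts at 06:00, 08:00 and 11:00 UTC, Saturday
    2 June 2018 through Wednesday, plus one Friday-evening outlier."""
    saturday = datetime(2018, 6, 2, tzinfo=timezone.utc)
    posts = [saturday + timedelta(days=d, hours=h)
             for d in range(5) for h in (6, 8, 11)]
    posts.append(saturday + timedelta(days=6, hours=20))
    return posts

if __name__ == "__main__":
    for name, share in score_candidates(constructed_posts()).items():
        print(f"{name:9s} {share:.2%}")
    print("best fit:", best_fit(constructed_posts()))
```

A high score for one location is a weak signal on its own; it carries weight only alongside independent indicators such as the registration phone numbers and domain emails the researchers also examined.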
Unlike the Russian campaign, these interlocking networks don’t appear to have targeted any one election or vote. Foster says the analysts also found no evidence of these accounts trying to penetrate existing communities in these countries the way the Russian trolls did. In many cases, the Internet Research Agency accounts and pages reached out to American activists to get them to co-host events or even sign up to teach self-defense classes, anything to engender trust with American voters in order to further manipulate them. The Iran-linked pages, by contrast, appear to have engaged in old-school broadcast-style propaganda, promoting news stories skewed toward Iranian interests.
At least, that’s how much is known now. Foster acknowledges there’s lots more work to do analyzing the content of these accounts and pages. Much of it will have to come from the tech companies themselves. FireEye has no access, for instance, to information about the audiences these pages and accounts amassed and whether they were made up of authentic or inauthentic users. This week, representatives from the tech industry are reportedly gathering in San Francisco to share information about what types of information operations they’ve uncovered, and how they plan to tackle the problem going forward.
In the meantime, Foster says, his team at FireEye will continue to keep watch across all of these platforms for signs of what the big tech companies may have missed. “We’ll be continuing as if it was any other day,” Foster says, “looking for new activity, not just from Iran, but from wherever it may emanate.”