London, 28 August – After being alerted by the vigilant researchers at the cybersecurity firm FireEye, Facebook, Google, and Twitter have deleted hundreds of accounts.
The FireEye team followed what looked to the untrained eye like unrelated threads for the last few months. They examined the phone numbers used by these accounts to sign up for Twitter, the emails they used to register domains, and the changes to their account names over time. The Iranian operation began to unravel.
FireEye published a report on Thursday explaining exactly how their investigation played out, saying that the campaign followed a playbook similar to the one used by Russian propagandists at the Internet Research Agency during the 2016 election. However, the big difference was that the Russians staked out both sides of almost any issue — pitting Americans against each other in an effort to divide the country. The Iranian accounts, instead, supported their own domestic interests.
Lee Foster, manager of information operations analysis at FireEye, explained, “The Russian accounts seemed to be designed to sow divisions between groups for the purpose of undermining trust in the democratic process, and creating a distraction within US politics.” Foster continued, “On the Iranian side, I get the sense that it was one-sided. We didn’t see pro- and anti-Palestinian content. We saw anti-Israeli commentary and pro-Palestinian commentary.”
The Russians posed as both Trump and Bernie Sanders supporters, but the Iran-linked websites and pages pushed anti-Trump content. Much of the network FireEye discovered seems to have been created in early 2017, after Trump assumed office.
Trump campaigned on overturning the Iran Nuclear Deal, which lifted economic sanctions on the country in exchange for tightened restrictions on Iran’s nuclear program. Trump exited the Deal in May of this year, heightening the danger of escalating cyberattacks from an already active Iran. In fact, last March, the US indicted nine Iranians for cyberattacks on 144 US universities. This week, the cybersecurity firm Secureworks published a new report indicating that those attacks continue.
The main node promoting these messages in the United States was called Liberty Front Press, and the email address used to register the site appears to be associated with a web designer in Iran. It was also used to register a separate website in the network called Instituto Manquehue, which targeted Latin Americans with positive messages about the Venezuelan and Bolivian presidents, who have friendly relationships with Iran.
FireEye’s investigation began with Liberty Front Press and spread from there. “We looked at who else is pushing content from this site online, and we were able to identify additional clusters of accounts and look at what they are pushing,” Foster says. “Repeating the cycle, we end up with this network of these different inauthentic news sites and social media accounts.”
In addition to Instituto Manquehue, FireEye’s analysts found two additional networks masquerading as US news groups, US Journal and Real Progressive Front, and two sites purporting to be based in the United Kingdom, The British Left and Critics Chronicle.
These sites repeatedly focused on news regarding the Middle East, covering topics like the Syrian civil war and Palestinian rights. Much of the content was stolen from sites like RawStory, CNN, and Politico. Using open-source tools, the researchers found that the Twitter accounts affiliated with these sites also stole pictures from stock photos and news stories to populate fake personas that were registered with phone numbers using Iran’s +98 country code. They also appeared to be most active at times that corresponded with the Iranian work week.
According to Foster, there is still more work to do analyzing the content of these accounts and pages. Much of it must come from the tech companies themselves. FireEye has no access to information about the audiences these pages and accounts amassed, or whether they were made up of authentic or inauthentic users. The team at FireEye will also continue to keep watch across all of these platforms for signs of what the big tech companies may have missed. “We’ll be continuing as if it was any other day,” Foster says, “looking for new activity, not just from Iran, but from wherever it may emanate.”
Representatives from the tech industry are reportedly gathering in San Francisco this week to share information about what types of information operations they’ve uncovered, and how they plan to tackle the problem going forward.