Skip to content

Latest commit

 

History

History
93 lines (66 loc) · 11.1 KB

I00056.md

File metadata and controls

93 lines (66 loc) · 11.1 KB
Raw

Incident I00056: Iran Influence Operations

  • Summary: Iranian interference in the politics of Arab countries has become more self-evident since the Arab Spring of 2011. Iran has been trying to widen its influence in the region in a political confrontation with Saudi Arabia. Factor long-held hostility to US (Iran as a member of the “Axis of Evil”) & Isreal; it’s funding of proxies (Hezbolla) and Shia militia’s in Iraq; and most recently having the Revolutionary Guard being designated a terror organization; the seeming collapse of the Joint Comprehensive Plan of Action (nuclear programme) and expanding economic sanctions all add up to an increased likihood of Iran expanding their information operations. While there is history to Iran’s information/influence operations, starting with FireEye’s report about Iranian “fake news” websites, and subsequent reports by DFRLab (Jan 31, 2019 and March 26, 2019) we have strong document proof and assets that highlight Iran’s activities.

  • incident type: campaign

  • Year started: 2012

  • Countries: Iran , World

  • Found via:

  • Date added: 2019-03-20

Technique Description given for this incident
T0007 Create fake Social Media Profiles / Pages / Groups IT00000171 Fake FB groups/pages/profiles + dark content (non-paid advertising)
T0008 Create fake or imposter news sites IT00000175 Fake news/synthetic web-sites
T0021 Memes IT00000173 Memes... anti-Isreal/USA/West, conspiracy narratives
T0022 Conspiracy narratives IT00000174 Memes... anti-Isreal/USA/West, conspiracy narratives
T0046 Search Engine Optimization IT00000172 SEO optimisation/manipulation ("key words")
T0053 Twitter trolls amplify and manipulate IT00000170 Twitter trolls amplify & manipulate
T0054 Twitter bots amplify IT00000169 Twitter bots amplify & manipulate
T0058 Legacy web content IT00000176 legacy web content

DO NOT EDIT ABOVE THIS LINE - PLEASE ADD NOTES BELOW

Actor: Iran

Timeframe: 2012 - ongoing

Date: Aug 21, 20198

Presumed goals:

  • Iran’s meddling in the politics of the Arab states has become more conspicuous since the Arab Spring of 2011. Iran has been trying to widen its influence in the region in its political jousting against Saudi Arabia which is sometimes referred to as “the Arab Cold War”. Although the two regional rivals have never declared war, the two players have been involved in proxy wars in the region including Syria and Yemen.
  • Pages promoted or amplified views in line with Iranian government’s international stances. The pages posted content with strong bias for the government in Tehran and against the “West” and regional neighbors, such as Saudi Arabia and Israel.The operation was noteworthy, however, that more than 30 percent of the removed assets were active for five or more years, indicating that Iranian entities have been engaged in social media influence campaigns since as early as 2010 (DFRLab)

Method:

  • In August 2018, Facebook removed 652 pages, groups, and accounts on Facebook and Instagram originating from Iran for engaging in a “coordinated inauthentic behaviour”. 15 These operations targeted people in the Middle East, Latin America, the UK, and the US. In October 2018, Facebook announced the removal of another 82 pages, groups, and accounts on Facebook and Instagram. This time the company announced that these accounts and pages targeted people in the US and the UK.16 Some of these accounts masqueraded as American citizens pushing anti-Saudi and anti-Israel narratives.
  • In October 2018, Twitter published two data sets comprising 3,841 accounts affiliated with the Internet Research Agency (IRA), and 770 accounts that could be traced back to Iran. These accounts were suspended by Twitter in August 2018 for engaging in coordinated manipulation on the platform. Twitter believes that the information operations linked to Iran are potentially backed by the state
  • 70 websites found by Reuters which push Iranian propaganda to 15 countries, in an operation that cybersecurity experts, social media firms and journalists are only starting to uncover. The sites found by Reuters are visited by more than half a million people a month, and have been promoted by social media accounts with more than a million followers… the sites in the campaign have been active at different times since 2012. They look like normal news and media outlets,but only a couple disclose any Iranian ties.
  • The social media companies have closed hundreds of accounts that promoted the sites or pushed Iranian messaging. Facebook said last month it had taken down 82 pages, groups and accounts linked to the Iranian campaign; these had gathered more than one million followers in the United States and Britain. But the sites uncovered by Reuters have a much wider scope. They have published in 16 different languages, from Azerbaijani to Urdu, targeting Internet users in less-developed countries. That they reached readers in tightly controlled societies such as Egypt, which has blocked hundreds of news websites since 2017, highlights the campaign’s reach.
  • Ten outlets targeting readers in Yemen, where Iran and U.S. ally Saudi Arabia have been fighting a proxy conflict since civil war broke out in 2015; A media outlet offering daily news and satirical cartoons in Sudan. Reuters could not reach any of its staff; A website called Realnie Novosti, or “Real News,” for Russian readers. It offers a downloadable mobile phone app but its operator could not be traced.
  • One of IUVM’s most popular users is a site called Sudan Today, which SimilarWeb data shows receives almost 150,000 unique visitors each month. On Facebook, it tells its 57,000 followers that it operates without political bias. Its 18,000 followers on Twitter have included the Italian Embassy in Sudan, and its work has been cited in a report by the Egyptian Electricity Ministry. The office address registered for Sudan Today in 2016 covers a whole city district in north Khartoum, according to archived website registration details provided by WhoisAPI Inc and DomainTools LLC. The phone number listed in those records does not work.
  • We have observed inauthentic social media personas, masquerading as American liberals supportive of U.S. Senator Bernie Sanders, heavily promoting Quds Day, a holiday established by Iran in 1979 to express support for Palestinians and opposition to Israel. (FireEye)
  • Broadly speaking, the intent behind this activity appears to be to promote Iranian political interests, including anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as to promote support for specific U.S. policies favorable to Iran, such as the U.S.-Iran nuclear deal (JCPOA). In the context of the U.S.-focused activity, this also includes significant anti-Trump messaging and the alignment of social media personas with an American liberal identity. However, it is important to note that the activity does not appear to have been specifically designed to influence the 2018 U.S. midterm elections, as it extends well beyond U.S. audiences and U.S. politics. (FireEye)
  • All 17 of the pages containing information about manager location had managers from Iran. Canada, Saudi Arabia, and Syria were other common locations of page managers. (DFRLab) Promoting Shi’a Political and Militant Views
  • One of the removed pages — @alalsadrr1 — promoted Moqtada al-Sadr, an influential Shi’a cleric and militia leader from Iraq and leader of the Mahdi Army. According to the Wilson Center, in the mid-2000’s, the Mahdi Army received weapons and training from the Islamic Revolutionary Guard Corps and Lebanese Hezbollah agents. In May 2018, The Atlantic reported that the “controversial” leader and his followers had committed brutal atrocities in Iraq, fought the U.S. military in Sadr City and Basra, and were known for corruption. (DfRLab)
  • In January, Facebook took down 783 accounts and pages, which it assessed as “directed from Iran, in some cases repurposing Iranian state media content.” (DFRLab - March 26, 2019) The operation strongly resembled the earlier IUVM operation. Facebook did not attribute it to IUVM directly, but the latest network used the same techniques and pointed to some of the same websites, making attribution to the same network likely, although not confirmed. In particular, pages across the network reproduced IUVM content, as well as content from other websites which have featured in earlier exposés and takedowns. The network functioned by steering users towards ostensibly independent news websites, which amplified Iranian regime propaganda, often copied verbatim from regime assets. The social media content therefore served as a secondary amplifier, rather than a direct audience-engagement tool. Despite the heterogeneous nature of the assets — they were spread across many countries, languages, and cultures — their messaging was largely homogeneous. It dealt with issues of importance to the Iranian government, supporting Palestinians and Shia Muslims on one hand, and attacking Israel, the United States, Saudi Arabia, and the conduct of the military campaign in Yemen on the other. The focus on South Asia was noteworthy. Indonesia and India had the most pages targeted at them; African countries also featured prominently. This expands the known area of Iranian influence operations, which have thus far been primarily exposed in the Middle East and in the West.

Counters:

  • Facebook and Twitter content take-downs

Related incidents:

References: