FireEye has identified a suspected influence operation that appears
to originate from Iran aimed at audiences in the U.S., U.K., Latin
America, and the Middle East. This operation is leveraging a network
of inauthentic news sites and clusters of associated accounts across
multiple social media platforms to promote political narratives in
line with Iranian interests. These narratives include anti-Saudi,
anti-Israeli, and pro-Palestinian themes, as well as support for
specific U.S. policies favorable to Iran, such as the U.S.-Iran
nuclear deal (JCPOA). The activity we have uncovered is significant,
and demonstrates that actors beyond Russia continue to engage in and
experiment with online, social media-driven influence operations to
shape political discourse.
What Is This Activity?
Figure 1 maps the registration and content promotion connections
between the various inauthentic news sites and social media account
clusters we have identified thus far. This activity dates back to at
least 2017. At the time of publication of this blog post, we continue
to investigate and identify additional social media accounts and
websites linked to this activity. For example, we have identified
multiple Arabic-language, Middle East-focused sites that appear to be
part of this broader operation that we do not address here.
Figure 1: Connections among components of
suspected Iranian influence operation
We use the term “inauthentic” to describe sites that are not
transparent in their origins and affiliations, undertake concerted
efforts to mask these origins, and often use false social media
personas to promote their content. The content published on the
various websites consists of a mix of both original content and news
articles appropriated, and sometimes altered, from other sources.
Who Is Conducting this Activity and Why?
Based on an investigation by FireEye Intelligence’s Information
Operations analysis team, we assess with moderate confidence that this
activity originates from Iranian actors. This assessment is based on a
combination of indicators, including site registration data and the
linking of social media accounts to Iranian phone numbers, as well as
the promotion of content consistent with Iranian political interests.
- Registrant emails for the sites ‘Liberty Front Press’ and
‘Instituto Manquehue’ are associated with advertisements for website
designers in Tehran and with the Iran-based site gahvare[.]com,
- We have identified multiple Twitter accounts
directly affiliated with the sites, as well as other associated
Twitter accounts, that are linked to phone numbers with the +98
Iranian country code.
- We have observed inauthentic social
media personas, masquerading as American liberals supportive of U.S.
Senator Bernie Sanders, heavily promoting Quds Day, a holiday
established by Iran in 1979 to express support for Palestinians and
opposition to Israel.
We limit our assessment regarding Iranian origins to moderate
confidence because influence operations, by their very nature, are
intended to deceive by mimicking legitimate online activity as closely
as possible. While highly unlikely given the evidence we have
identified, some possibility nonetheless remains that the activity
could originate from elsewhere, was designed for alternative purposes,
or includes some small percentage of authentic online behavior. We do
not currently possess additional visibility into the specific actors,
organizations, or entities behind this activity. Although the
Iran-linked APT35 (Newscaster) has previously used inauthentic news
sites and social media accounts to facilitate espionage, we have not
observed any links to APT35.
Broadly speaking, the intent behind this activity appears to be to
promote Iranian political interests, including anti-Saudi,
anti-Israeli, and pro-Palestinian themes, as well as to promote
support for specific U.S. policies favorable to Iran, such as the
U.S.-Iran nuclear deal (JCPOA). In the context of the U.S.-focused
activity, this also includes significant anti-Trump messaging and the
alignment of social media personas with an American liberal identity.
However, it is important to note that the activity does not appear to
have been specifically designed to influence the 2018 U.S. midterm
elections, as it extends well beyond U.S. audiences and U.S. politics.
The activity we have uncovered highlights that multiple actors
continue to engage in and experiment with online, social media-driven
influence operations as a means of shaping political discourse. These
operations extend well beyond those conducted by Russia, which has
often been the focus of research into information operations over
recent years. Our investigation also illustrates how the threat posed
by such influence operations continues to evolve, and how similar
influence tactics can be deployed irrespective of the particular
political or ideological goals being pursued.
FireEye will be releasing additional details on this operation that
will lay out the clusters of influence activity identified so far, the
links between these, and how our observations support our attribution
assessment. Submit your name and email address in the box at the top
right of the page to receive the report when it is available.