Iran stepping up influence operations and cyber-mischief in lead-up to US election
Oct 27, 2020 | Oved Lobel
On November 5, 2019, a joint statement by US intelligence and security agencies warned: “Our adversaries want to undermine our democratic institutions, influence public sentiment, and affect government policies. Russia, China, Iran, and other foreign malicious actors all will seek to interfere in the voting process or influence voter perceptions. Adversaries may try to accomplish their goals through a variety of means, including social media campaigns, directing disinformation operations, or conducting disruptive or destructive cyberattacks on state and local infrastructure.”
Last week, Director of National Intelligence John Ratcliffe announced at a press conference alongside other US intelligence officials that Iran had obtained some voter registration information. It was also reported the same day that US intelligence had concluded that Iran was behind thousands of emails purporting to come from the far-right Proud Boys threatening democratic voters to vote for Trump. “You will vote for Trump on Election Day or we will come after you. Change your party affiliation to Republican to let us know you received our message and will comply,” read one of the emails. The emails falsely claimed that they had obtained personal voter information, such as addresses, because local election systems had been hacked, in an attempt to undermine voter confidence in the integrity of the election. In reality, voter registration information is publicly available. The US was able to immediately attribute the emails to Iran thanks to information gleaned from a video attached to some of the messages. “Either they made a dumb mistake or wanted to get caught,” one senior US official told Reuters.
Separately, Twitter recently announced it had removed about 130 accounts linked to Iran based on information from the FBI, while the US government seized 92 domain names linked to Iran’s Islamic Revolutionary Guards Corps (IRGC), which were being used to spread propaganda and disinformation. On October 21, the US Department of Justice (DOJ) announced it had seized two domain names used by Kataib Hezbollah, the IRGC proxy militia that dominates Iraq. An investigation by McClatchy and the Miami Herald, also published last week, discovered that the Islamic Republic of Iran Broadcasting Corporation (IRIB), Iran’s official state propaganda network, actually has had parts of its sites hosted physically in the US despite being sanctioned.
AIJAC readers will not be surprised to learn any of this. Since 2018, AIJAC has been covering Iran’s expansive propaganda and influence operations as well as its cyberattacks and hacking attempts. There is the International Union of Virtual Media (IUVM), a vast network of websites and social media accounts and pages that produce or launder pro-regime propaganda across the world, as well as its official counterpart, the IRIB. Twitter, Facebook, Google, and Microsoft are constantly announcing mass takedowns of sites, accounts and pages linked to IRIB and IUVM.
Then there are more refined operations, like “Endless Mayfly,” where Iranian operatives invented about a dozen personas to plant articles and target specific individuals, including Israelis, Iranian expats and dissidents and even reportedly Hisham al-Hashimi, an Iraqi security expert and advisor recently assassinated by IRGC proxies. An Iran-linked hacking group dubbed “Charming Kitten” involved in this operation also masqueraded as journalists and utilised “typosquatting,” the mimicking of a link, account or website but changing one or two letters to mislead inattentive users. As AIJAC wrote at the time:
In one incident, right after then-Israeli Defence Minister Avigdor Lieberman resigned in protest over a ceasefire with Hamas, a fake article on a fake version of the Belfer Center website quoted ex-Mossad chief Tamir Pardo telling the Belfer Center that Lieberman had been dismissed because he was a Russian agent. The article was then spread by the fake persona “Bina Melamed.” Pardo had in fact just spoken at the Belfer Center, and the ability to immediately create a clone website that drew on real events demonstrates much more situational awareness than previous disinformation campaigns.
With these spoofed Proud Boys emails, Iran has once again demonstrated its ability to quickly react to events in real time – in this case, Donald Trump refusing to condemn the Proud Boys during the first presidential debate – to employ effective disinformation and engage in blatant election interference. As cybersecurity expert and analyst John Hultquist put it, “This incident marks a fundamental shift in our understanding of Iran’s willingness to interfere in the democratic process. While many of their operations have been focused on promoting propaganda in pursuit of Iran’s interests, this incident is clearly aimed at undermining voter confidence.”
Iran has also been heavily involved in targeting coronavirus-related research across the world, including trying to hack accounts of World Health Organisation (WHO) staff. Adam Rawnsley, who covers Iran-linked information operations at the Daily Beast, reported that someone seemingly linked to Endless Mayfly managed to set up a verified Twitter account in the name of a senior WHO official to push racist COVID-19 vaccine conspiracy theories.
Rawnsley also reported on the hacking the Twitter account of Israel Hayom, where the hackers, likely Iranian, posted disinformation and then amplified that disinformation using pro-Iran accounts. This was a similar incident to the hacking of Kuwait’s State-Run news agency KUNA in January and almost certainly related to Endless Mayfly. Accounts involved also amplified a fake story written in poor Hebrew planted on Hidabroot, an Orthodox media site, by hackers, recalling the spoofing of the US-based Foreign Policy Research Institute (FPRI) in January, where a fake article in poor English on the fake version of the site was clearly intended to increase tensions between the US and Iraq. The article spread so widely that the Iraqi Prime Minister at the time issued a denial of its contents and FPRI itself also had to issue a statement.
The cyberwar between Iran, Israel and the US has continued into 2020, with cybersecurity firms ClearSky and Profero reporting that IRGC-linked hackers dubbed “MuddyWater” attempted several ransomware attacks on Israeli firms. Iran, meanwhile, recently announced it had suffered large cyber-attacks against several government institutions, including the Port Authority. One of Iran’s hacking fronts, the Rana Intelligence Computing Company, was itself hacked and its tools leaked online, a substantial blow to Iran’s Ministry of Intelligence and Security (MOIS).
The Proud Boys email spoof is the next step in the trend towards more sophisticated, targeted Iranian influence operations. As Amir Rashidi, director of digital rights and security at the Miaan Group, told the New York Times, “Iran’s behavior on the internet, from censorship to hacking, has become more aggressive than ever.”