Opaque social media accounts, fake websites and silly memes. All are part of Iran’s wide-reaching influence operation on the West that has forced Twitter, Facebook and Google into action.
An investigation by cyber-security company FireEye, the most sweeping examination into Iranian cyber-efforts to date, details the true scale and reach of Tehran's propaganda efforts and the attempts by its agents to shape the views of western audiences.
It is an effort of comparative scale to that of Russia’s troll factories that have sought to influence elections, referendums and governments from Washington to Paris to London.
Last week, social media giants collectively removed hundreds of social media accounts after a tip-off from FireEye, because they were suspected of originating from Iranian sources with links to the regime.
Iran denies the accusation that it is behind the massive online operation, but FireEye has released its findings and explained how Iran used these fronts to target users in the United States, Britain, Latin America and the Middle East. It shows the lengths the Iranian regime is going to not only to lobby western officials into its corner, but also the public they serve.
Such was the scale of the operation that Facebook alone had to remove 254 Facebook pages and 116 Instagram accounts that garnered more than one million followers collectively on both platforms. Those pages spent about $12,000 on promoting their material between 2012 and 2017.
The platform had also detected attempts to spread malware by the Tehran operation.
Twitter said it had taken down 284 accounts, many of them suspected of links to Iran, for “co-ordinated manipulation”.
Google, the third social media giant to remove Iranian-linked accounts, took down 58 users from its YouTube video platform and other sites Google Plus and Blogger. All of the accounts had ties to the Ayatollah-linked Islamic Republic of Iran Broadcasting, or Irib, and “disguise their connection”, according to company officials.
The search platform analysed the accounts by inspecting their IP addresses, the metadata of the accounts and who owned the domains. It connected the accounts to Iran and found they had been active since early last year.
Other accounts linked to Iran gave away their link relatively easily. FireEye found registrant emails for at least two suspected Iranian disinformation sites tied to advertisements for website designers in Tehran and the website gahvare.com, based in Iran. FireEye then found multiple Twitter accounts linked to those sites, ones that had phone numbers beginning with Iran’s +98 country code.
It also discovered that a number of the accounts were tweeting mostly between 0400 Coordinated Universal Time (UTC) and 1300 UTC, in line with the Iranian work day. The accounts often fell silent on Thursdays and Fridays, the Iranian weekend.
One of the Facebook pages employed by Tehran was named the Liberty Front Press. It posed as an independent page offering its views from Iran. But it was uncovered to be closely linked to Press TV, a news station with deep links to the Iranian state.
Some of the material pumped out by these accounts was supportive of left-leaning positions opposed to the administration of US President Donald Trump, who in May pulled Washington out of the landmark nuclear deal signed between Tehran and world powers.
Other posts included cartoons of Saudi Arabia’s King Salman with critical messages about the Arab Coalition’s campaign to recapture Yemeni cities from the Iran-backed Houthi rebels. Another accused Riyadh of interfering in the 2016 US presidential election in favour of Donald Trump.
One tweet called for the boycott of the Hajj in Makkah in protest against the Saudi government’s policies. Other tweets had anti-Israel themes and material that supported Britain’s left-wing leader Jeremy Corbyn.
In Latin America, Iran is suspected of using a front site called Instituto Manquehue to promote Iranian allies, Venezuelan President Nicolas Maduro and Bolivian President Evo Morales. In the US, Iran had a front site known as Real Progressive Front. In Britain, it was two sites: the British Left and Critics Chronicle.
The operation demonstrates that it is not only Russia seeking to influence political discourse in the West. This threat from state actors online “continues to evolve,” FireEye said in its 32-page report, and it is likely that Iran will continue these efforts.
But as Tehran continues to push its interests in countries around the world, Silicon Valley may have just called time on Tehran’s trolls for good.