UK Edition
How Iran built an online disinformation machine to rival Russia's
What do you do when when the world's most powerful country considers you an implacable enemy? What, indeed, do you do when you have few allies, enemies on every side and harsh sanctions constraining your economy?
Last night, Iran gave a glimpse of what it could do to respond to the killing of its commander Qasem Soleimani after it launched more than a dozen missile attacks on US military bases in Iraq, which it claims killed 80 people in the process.
Javad Zarif, Iran's foreign minister, claimed the nation took "proportionate measures in self-defence" under rules set out by the UN Charter as it made its first retaliatory move against the US.
But in and among Iran's arsenal of weapons to fightback are tools that you don't have to pay much for. And few geopolitical assets are cheaper than online influence campaigns.
Although it was Russia which opened the West's eyes to the risk of election meddling and foreign influence via the exploitation of social media, numerous states have used the same playbook – including China, North Korea, Saudi Arabia and, of course, Iran.
Iran vs Princess Eugenie
Iran has been pursuing its strategic goals through social media manipulation for years.
According to the Atlantic Council’s Digital Forensic Lab, its activity peaked as early as 2014. And since 2018 Twitter, which publishes the industry’s largest public archive on state-backed information operations, has taken down three Iranian state sponsored influence campaigns.
Meanwhile, in May 2019 Facebook removed “coordinated” Iranian accounts that targeted Princess Eugenie. One post included a photo of Princess Eugenie marrying Jack Brooksbank with homeless people edited into the image.
The picture claimed that the princess "expects the taxpayer to subsidise her dream wedding, while food banks are over run", in an apparent attempt to stir up anger among the British public. Around 21,000 people followed one or more of the pages involved.
Earlier, in August 2018, Facebook removed hundreds of pages falsely posing as news organisations or grassroots activists in Britain that were promoting former labour leader Jeremy Corbyn and attack Brexit in an apparent attempt to sow further division in the UK.
The takedowns were a result of an investigation by the online threat intelligence company FireEye, which found inauthentic news sites and associated accounts across multiple social media platforms that promote narratives in line with Iranian interests, such as anti-Saudi, anti-Israeli and support for US policies that were favourable to Iran.
By tracking where the website was registered and the phone numbers associated with the account, FireEye concluded that it originated from Iran. Facebook and later Google and Twitter agreed, conducting their own investigation into the networks.
“A lot of attention has been taped to Russia’s intent to sow division in the US and amplify the divide between communities to undermine institutions and perceptions toward democracy,” says Lee Foster, information operations analysis manager at FireEye.
“Likewise, Iran has become involved in traditional notions of propaganda, like discrediting rivals, and has sought to attach itself to domestic issues.”
The birth of a 'cyber-army'
The story begins more than a decade ago, in September 2009, when the Telecommunications Company of Iran was effectively taken over by the Islamic Revolutionary Guard Corps (IRGC).
The IRGC is a kind of state within a state, a separate branch of the armed forces devoted to safeguarding Iran's theocratic constitution. Apart from controlling the paramilitary Basij militia, it has its own economic empire of corporate and charitable holdings.
In 2009 Iran's telephone monopoly, the Telecommunications Company of Iran (TCI), was part privatised, and a joint consortium of the IRGC and the Supreme Leader ended up with a controlling share. The bidding process was controversial, with non-IRGC bidders disqualified at the last minute, and an investigation by Iran's Parliament found that the process was non-competitive.
Regardless, control of TCI gave the IRGC new power and oversight over Iran's communications. Dissidents and the US government allege that it used TCI to spy on and arrest activists, as well as send out text messages warning people to remain indoors during protests. In 2012, TCI also bought powerful monitoring equipment from China; the same month, then-president Mahmoud Ahmadinejad set up the Supreme Cyber Council in order to fight “internet evils”.
The IRGC had already been running a “cyber army” for two years, arresting and even executing internet users. Iran had begun monitoring its own citizens' social media activity in 2010 to dismantle protests, and in the same year made online activism a crime.
Today, experts believe the Cyber Council runs numerous hacking divisions, commonly referred to as “kittens” in reference to the iconic Persian cat. These kittens are understood to have set up personas on Facebook and Linkedin, but their true size is disputed.
Former Intelligence chief Ali Younesi claimed on state television in 2004 that there were thousands of cyber agents in operation. Iranian American historian Abbas Milani later claimed there were 10,000 dedicated to cyber fighting.
During the January 2018 protests, an army of Twitter bots appeared, each claiming videos of protests that had been shared on the website were fake and discouraging further protesting. According to the BBC, some accounts guided protestors to the wrong location and some wrote under videos with claims like “I have just arrived here, there is nothing going on”.
It was inevitable that this substantial infrastructure of online operations would one day be turned on the outside world.
Fake journalists and fellow travelers
According to Lee Foster, who handed over the initial file of evidence to Facebook back in 2018, Iran has long undertaken an “extensive operation” targeting citizens of rival countries around the world.
Late last year, for example, Facebook removed several pages related to Black Lives Matter, after it emerged accounts that appeared to be sharing posts were linked to the Iranian state. “They were piggy-backing on a divide in the US where it believed it could generate an audience,” Foster says.
The country is believed to have invested resources in impersonating political candidates and fabricating US personas to try and gain followers and build a network that could lie dormant until it was needed to spread certain messages.
Renee DiResta, a Mozilla Foundation fellow in media and misinformation, cites Iranian information campaigns in Saudi Arabia and Yemen, as well as in the West. But, she argues, Iran's tactics have tended to differ from Russia's in two key ways.
First, while Russia's Internet Research Agency created its own in-house graphics and memes, writing its own content, Iran's info-warriors tended to simply adapt and repurpose images and words already created by Americans, picking them up and amplifying them beyond their original reach.
Second, where Russia seemed committed to boosting both the far Left and the far Right in an attempt to exacerbate partisan rancour, Iran's propagandists, with a few exceptions actually tended to favour one coherent worldview – a hard Left one which finds solidarity with Iran in its "anti-imperialist" struggle against the USA.
"It was a very visible targeting of the American Left," DiResta says, describing how Iranian operatives picked up memes from Left-wing online groups such as Occupy Democrats and The Other 99 Per Cent.
The tactic makes sense, given that Iran already finds some natural sympathy among Western socialists – most notably from Jeremy Corbyn, who has appeared on Iranian state television multiple times – without needing to manipulate anyone from the shadows.
And, of course, where Russia seems to have desired a Donald Trump presidency, Iran's agents squarely and sincerely continue to fight against it. Trump's bellicose tone towards Iran and promotion of longtime hawks such as John Bolton is a direct and unambiguous threat to the Iranian regime.
Another sophisticated method Iran sometimes employs is to to have government employees pretend to be journalists, requesting interviews from academics and experts on subjects related to Iran’s interests. These fake reporters would set up Skype interviews then edit the material to use the messages to their advantage.
A hard rain is promised
With the death of General Quassim Soleimani, evidence of an Iranian disinformation campaign quickly began to bubble up. Accounts that were created months ago kicked into action in what Foster describes as evidence of a "coordinated" operation.
One day after Soleimani was killed in a drone attack ordered by US president Donald Trump, more than 21,000 Instagram posts used a hashtag, "hard revenge", that has now been blocked by the photo-sharing app, along with almost 7,000 unique Twitter accounts. Hundreds of these accounts had been created following the head of the elite Quds Force’s death.
These accounts, the origins of which experts are still unclear on, have the hallmarks of previous campaigns that were removed by social media companies like Twitter and Facebook after investigations found they were linked to the Iranian government.
They offer a breadcrumb trail to group messages on messaging apps that share messages in Persian, some asking for a “blood campaign” and requesting those who have joined the chat to “influence” others by sharing it with their smartphone contact book. Each message shares a link that a user can easily forward to their contacts, and many include hashtags, which the sender requests readers’ use to promote their messages on social media.
Some channels appear like a legitimate safe spot for thousands of viewers to read news articles about Soleimani in Persian, share quotes from his grieving wife and pictures that are edited to make him appear heroic and almost godlike. In life, Soleimani enjoyed a deep and genuine cult of personality which required no covert intervention to prop up.
Yet in between the messages, which are shared exclusively by the group's administrator, are calls for vengeance and for users to “return to Iran”. One image, replicated across social media, shows two clock hands which Telegram channels claim is symbolic of US troops in Iraq who are currently “vertical” being sent back to their home country “horizontal”.
'Participatory propaganda'
One wrinkle with all of this is that it's not always easy to tell a state-backed disinformation campaign from the enthusiasm of patriotic citizens. And in a country with a strong religious, where millions of people turned out to attend Soleimani's various funerals and vigils, much of the pro-Iran advocacy on US social media is likely to be genuine.
Soleimani was already a figure of great popularity, and notoriety, on the Farsi-speaking internet. Many people made memes of him, from the heroic to the parodic, casting him as a kind of grandfatherly yet fearsome figure not all that dissimilar from the online fame that American action star Chuck Norris enjoyed in the Noughties.
DiResta calls this phenomenon “participatory propaganda”: the tendency of sufficiently motivated crowds to autonomously advocate for their chosen cause, sometimes behaving in ways which make them look like they are part of a coordinated campaign but without their allies' knowledge or direction.
“Any reasonably intelligent person who can make a meme and construct a Facebook ad and go forth to spontaneously run content and memes for a candidate [in an election],” she says."The candidate has no idea, and doesn't want it, but you can just do it.
“When it is such a fundamentally participatory process, the question becomes: to what extent can we say concretely this is directed by the state, versus this is spontaneous commentary by citizens who simply want to make their voices heard? That blurry line is one of the real challenges that we have, particularly when it's a oment of high emotional resonance or tension within a country.”
Disinformation goes corporate?
But what does Iran stand to gain from a disinformation campaign? After uncovering Russia’s Internet Research Agency, which successfully spread a web of fake news around the world but may not have significantly altered the result of the US election, surely the effect of such shenanigans is now limited?
“Nobody knows that it materially changed people’s votes,” says Foster. But, he argues, “over the long term, that constant dropping of particular themes or narratives have the potential to alter baseline topics and narratives.”
It's even possible that the 2020 US election will see rival interference campaigns from Russia and Iran attempting to swing the result for and against Donald Trump respectively.
Meanwhile, Intelligence and cybersecurity experts are preparing for the possibility that Iran may instead target the backbone of capitalist America, its private sector. The US Department of Homeland Security on Tuesday warned that companies should “consider and assess” possible impacts of a cyber attack amid heightened tension with Iran.
Tehran-backed hackers were indeed charged with attacks on Wall Street in 2016. The hackers targeted the New York Stock Exchange, Nasdaq, Bank of America, JP Morgan Chase and AT&T, plus remote access to a computer controlling a dam in New York for three weeks in 2013.
“We have seen previous incidents of effectively what to be influence activity targeted private entities,” says Foster. “The tactics and methods that we see used in the political public space are readily deployable to private sector entities. It completely depends on motivation.
“You could go after a country’s prominent industry; that would have an adverse effect on the country itself, but you could also disrupt a company to disrupt its stock price to profit on that....you could try to discredit competitive industries in other companies that compete with your primary industries with the hope of bolstering your own economies.”