The Iranian disinformation machine
LONDON, WASHINGTON: The Nile Net Online website promises Egyptians “true news” from its offices in the heart of Cairo’s Tahrir Square, “to expand the scope of freedom of expression in the Arab world.”
Its views on America do not chime with those of Egypt’s state media, which celebrate Donald Trump’s warm relations with Cairo. In one recent article, Nile Net Online derided the American president as a “low-level theater actor” who “turned America into a laughing stock” after he attacked Iran in a speech at the UN.
Until recently, Nile Net Online had more than 115,000 page-followers across Facebook, Twitter and Instagram. But its contact telephone numbers, including one listed as 0123456789, don’t work. A Facebook map showing its location dropped a pin onto the middle of the street, rather than any building. And regulars at the square, including a newspaper stallholder and a policeman, say they have never heard of the website.
The reason: Nile Net Online is part of an influence operation based in Tehran.
It’s one of more than 70 websites found by Reuters which push Iranian propaganda to 15 countries, in an operation that cybersecurity experts, social media firms and journalists are only starting to uncover. The sites found by Reuters are visited by more than half-a-million people a month, and have been promoted by social media accounts with more than a million followers.
The sites underline how political actors worldwide are increasingly circulating distorted or false information online to influence public opinion. The discoveries follow allegations that Russian disinformation campaigns have swayed voters in the US and Europe. Moscow has denied the charges.
Former CIA Director John Brennan told Reuters that “countries around the globe” are now using such information warfare tactics.
“The Iranians are sophisticated cyber players,” he said of the Iranian campaign. “There are elements of the Iranian intelligence services that are rather capable in terms of operating (online).”
Traced by building on research from cybersecurity firms FireEye and ClearSky, the sites in the campaign have been active at different times since 2012. They look like normal news and media outlets, but only a couple disclose any Iranian ties.
Reuters could not determine whether the Iranian government is behind the sites; Iranian officials in Tehran and London did not reply to questions.
But all the sites are linked to Iran in one of two ways. Some carry stories, video and cartoons supplied by an online agency called the International Union of Virtual Media (IUVM), which says on its website it is headquartered in Tehran. Some have shared online registration details with IUVM, such as addresses and phone numbers. Twenty-one of the websites do both.
Emails sent to IUVM bounced back and telephone numbers the agency gave in web registration records did not work. Documents available on the main IUVM website say its objectives include “confronting with remarkable arrogance, Western governments and Zionism front activities.”
Nile Net Online did not respond to questions sent to the email address on its website. Its operators, as well as those of the other websites identified by Reuters, could not be located. Previous owners identified in historical registration records could not be reached. The Egyptian government did not respond to requests for comment.
Some of the sites in the Iranian operation were first exposed in August by companies including Facebook, Twitter and Google’s parent, Alphabet, after FireEye found them.
The social media companies have closed hundreds of accounts that promoted the sites or pushed Iranian messaging.
Facebook said last month it had taken down 82 pages, groups and accounts linked to the Iranian campaign; these had gathered more than 1 million followers in the US and Britain.
But the sites uncovered by Reuters have a much wider scope. They have published in 16 different languages, from Azerbaijani to Urdu, targeting internet users in less-developed countries.
That they reached readers in tightly controlled societies such as Egypt, which has blocked hundreds of news websites since 2017, highlights the campaign’s reach.
The news on the sites is not all fake. Authentic stories sit alongside pirated cartoons, as well as speeches from Iran’s Ali Khamenei. The sites clearly support Iran’s government and amplify antagonism to countries opposed to Tehran — particularly Israel, Saudi Arabia and the US. Nile Net’s “laughing stock” piece was copied from an Iranian state TV network article published earlier the same day.
Some of the sites are slapdash. The self-styled, misspelled “Yemen Press Agecny” carries a running update on developments in Yemen, targeting Saudi Arabia. Emails sent to the agency’s listed contact, Arafat Shoroh, bounced back. The agency’s address and phone number led to a hotel in the Yemeni capital, Sanaa, whose staff said they had never heard of Shoroh.
The identity or location of the past owners of some of the websites is visible in historical internet registration records: 17 of 71 sites have in the past listed their locations as Iran or Tehran, or given an Iranian telephone or fax number. But who owns them now is often hidden, and none of the Iranian-linked operators could be reached.
More than 50 of the sites use American web service providers Cloudflare and OnlineNIC — firms that provide website owners with tools to shield themselves from spam and hackers. Frequently, such services also effectively conceal who owns the sites or where they are hosted. The companies declined to tell Reuters who operates the sites.
Under US law, hosting and web services companies are not generally liable for the content of sites they serve, said Eric Goldman, co-director of the High Tech Law Institute at Santa Clara University.
Still, since 2014, US sanctions on Iran have banned “the exportation or re-exportation, directly or indirectly, of web-hosting services that are for commercial endeavors or of domain name registration services.”
Douglas Kramer, general counsel for Cloudflare, said the services it provides do not include web-hosting services. “We’ve looked at those various sanctions regimes, we are comfortable that we are not in violation,” he told Reuters.
A spokesman for OnlineNIC said none of the sites declared a connection to Iran in their registration details, and the company was in full compliance with US sanctions and trade embargoes.
The US Treasury’s Office of Foreign Assets Control (OFAC) declined to comment on whether it planned an investigation.
Another Western dawn
The Kremlin is widely seen as the superpower in modern information warfare. From what is known so far, Russia’s influence operation — which Moscow denies — dwarfs Iran’s. According to Twitter, nearly 4,000 accounts connected to the Russian campaign posted over 9 million tweets between 2013 and 2018, against over 1 million tweets from fewer than 1,000 accounts believed to originate in Iran.
Even though the Iranian operation is smaller, it has had an impact on volatile topics. AWDnews — the site with the focus on “unspoken truth” — ran a false story in 2016 which prompted Pakistan’s defense minister to warn on Twitter he had the weapons to nuke Israel. He only found out that the hoax was part of an Iranian operation when contacted by Reuters.
“It was a learning experience,” said the deceived politician, 69-year-old Khawaja Asif, who left Pakistan’s government earlier this year. “But one can understand that these sorts of things happen, because fake news has become something huge. It’s something which anyone is capable of now, which is very dangerous.”
Israeli officials did not respond to a request for comment.
AWDnews publishes in English, French, Spanish and German and, according to data from web analytics company SimilarWeb, receives around 12,000 unique visitors a month. Among others who shared stories from AWDnews and the other websites identified by Reuters were politicians in Britain, Jordan, India, and the Netherlands; human-rights activists; an Indian music composer and a Japanese rap star.
In August 2015, an official account for a European department of the World Health Organization (WHO) tweeted an AWDnews story. Annalisa Buoro, secretary for the WHO’s European Office for Investment for Health and Development, said the person running the department’s Twitter account at the time did not know the website was part of an Iranian campaign.
She said the tweet had gone out when the account had a relatively small following, limiting the damage, but “on the other hand, I am very concerned … because as a UN agency we have a huge responsibility.”
Jobs for women
FireEye, a US cybersecurity firm, originally named six websites as part of the Iranian influence operation. Reuters examined those sites, and their content led to the Tehran-based International Union of Virtual Media.
IUVM is an array of 11 websites with names such as iuvmpress, iuvmapp and iuvmpixel. Together, they form a library of digital material, including mobile phone apps, items from Iranian state media and pictures, video clips and stories from elsewhere on the web, which support Tehran’s policies.
Tracking usage of IUVM content across the Internet led to sites which have used its material, registration details, or both. For instance, 22 of the sites have shared the same phone number, which does not work and has also been listed for IUVM. At least seven have used the same address, which belongs to a youth hostel in Berlin. Staff at the hostel told Reuters they had never heard of the sites in question. The site operators could not be reached to explain their links with IUVM.
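The pivot described above, sketched as an added example that is not part of the original article or any tooling Reuters used: starting from a seed organization's registration details, it labels each site as linked by content, by registration, or both, and (going one step beyond the text) groups sites that share a phone number with each other. All domains, phone numbers, addresses and field names are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed seed: registration details standing in for the agency's records.
SEED = {"phone": "+99 (0)20 5550 100", "address": "1 Placeholder Street, Sampletown"}

# Constructed site records (hypothetical fields): historical registration
# details plus whether the seed's syndicated content was seen on the site.
SITES = [
    {"domain": "daily-a.example", "phone": "0099 20 5550100", "address": "", "seed_content": True},
    {"domain": "press-b.example", "phone": None, "address": "1 placeholder street sampletown", "seed_content": False},
    {"domain": "voice-c.example", "phone": None, "address": None, "seed_content": True},
    {"domain": "local-d.example", "phone": "+99 20 5550 199", "address": "7 Other Road", "seed_content": False},
    {"domain": "times-e.example", "phone": "+99 20 5550 199", "address": None, "seed_content": False},
]

def norm_phone(raw):
    """Digits only, without a '(0)' trunk marker or a leading 00/+ prefix."""
    return re.sub(r"\D", "", (raw or "").replace("(0)", "")).lstrip("0")

def norm_address(raw):
    """Lower-case and collapse punctuation/whitespace so formatting variants match."""
    return re.sub(r"[^a-z0-9]+", " ", (raw or "").lower()).strip()

def classify(site, seed=SEED):
    """Return 'both', 'registration', 'content' or None for one site."""
    phone, addr = norm_phone(site["phone"]), norm_address(site["address"])
    # Empty values (redacted or privacy-shielded records) must never count as a match.
    reg = bool(phone and phone == norm_phone(seed["phone"])) or \
          bool(addr and addr == norm_address(seed["address"]))
    if reg and site["seed_content"]:
        return "both"
    return "registration" if reg else ("content" if site["seed_content"] else None)

def shared_phones(sites):
    """Group domains by normalized phone; keep only numbers used by 2+ sites."""
    groups = defaultdict(list)
    for s in sites:
        if norm_phone(s["phone"]):
            groups[norm_phone(s["phone"])].append(s["domain"])
    return {p: d for p, d in groups.items() if len(d) > 1}

def link_report(sites=SITES):
    """Map every domain to its link label relative to the seed."""
    return {s["domain"]: classify(s) for s in sites}
```

A match is a lead to check against archived registration records, not attribution on its own.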
Two sites even posted job advertisements for IUVM, inviting applications from women with “ability to work effectively and knowledge in dealing with social networks and (the) Internet.”
One of IUVM’s most popular users is a site called Sudan Today, which SimilarWeb data shows receives almost 150,000 unique visitors each month. On Facebook, it tells its 57,000 followers that it operates without political bias. Its 18,000 followers on Twitter have included the Italian Embassy in Sudan, and its work has been cited in a report by the Egyptian Electricity Ministry.
The office address registered for Sudan Today in 2016 covers a whole city district in north Khartoum, according to archived website registration details provided by WhoisAPI Inc. and DomainTools LLC. The phone number listed in those records does not work.
Reuters could not trace staff members named on Sudan Today’s Facebook page. The five-star Corinthia hotel in central Khartoum, where the site says it hosted an anniversary party last year, told Reuters no such event took place. And an address listed on one of its social media accounts is a demolished home.
Sudan used to be an Iranian ally but has changed sides to align itself with Saudi Arabia, costing Tehran a foothold in the Horn of Africa just as it becomes more isolated by the West. In that environment, Iran sees itself as competing with Israel, Saudi Arabia and the US for international support, and is taking the fight online, said Ariane Tabatabai, a senior associate and Iran expert at the Center for Strategic and International Studies in Washington, D.C.
Headlines on Sudan Today’s homepage include a daily round-up of stories from local newspapers and Ugandan soccer results. It also features reports on bread prices — which doubled in January after Khartoum eliminated subsidies, triggering demonstrations.
Ohad Zaidenberg, senior researcher at Israeli cybersecurity firm ClearSky, said this mixture of content provides the cover for narratives geared at influencing a target audience’s attitudes and perceptions.
The site also draws attention to Saudi Arabia’s military actions in Yemen. Since Sudanese President Omar Bashir ended his allegiance with Iran, he has sent troops and jets to join Arab forces in the Yemeni conflict.
One cartoon from IUVM published by Sudan Today in August shows Trump astride a military jet with an overflowing bag of dollar bills tucked under one arm. The jet is draped with traditional Saudi dress and shown dropping bombs on a bloodstained map of Yemen. The map is littered with children’s toys and shoes.
Turkish cartoonist Mikail Ciftci drew the original. He told Reuters he did not give Sudan Today permission to use it.
Alnagi Albashra, a 28-year-old software developer in Khartoum, said he likes to read articles on Sudan Today in the evenings when waiting for his baby to fall asleep. But he and three other Sudan Today readers reached by Reuters had no idea who was behind the site.
“This is a big problem,” he said. “You can’t see that they are not in Sudan.”
Government officials in Khartoum, the White House, the Italian Embassy and the Egyptian Electricity Ministry did not respond to requests for comment.
It is unclear who globally is tasked with responding to online disinformation campaigns like Iran’s, or what, if any, action they should take, said David Conrad, chief technology officer at ICANN, a non-profit which helps manage global web addresses.
Social media accounts can be deleted in bulk by the firms that provide the platforms. But the Iranian campaign’s backbone of websites makes it harder to dismantle than social media, because taking down a website often requires the cooperation of law enforcement, Internet service providers and web infrastructure companies.
Efforts by social media companies in the United States and Europe to tackle the campaign have had mixed results.
Shortly after being contacted by Reuters, Twitter suspended the accounts for Nile Net Online and Sudan Today. “Clear attribution is very difficult,” a spokeswoman said, but added that the company would continue to update a public database of tweets and accounts linked to state-backed information operations when it had new information.
Google did not respond directly to questions about the websites found by Reuters. The company has said it identified and closed 99 accounts which it says are linked to Iranian state media. “We’ve invested in robust systems to identify influence operations launched by foreign governments,” a spokeswoman said.
Facebook said it was aware of the websites found by Reuters and had removed five more Facebook pages. But a spokesman said that based on Facebook user data, the company was not yet able to link all the websites’ accounts to the Iranian activity found earlier. “In the past several months, we have removed hundreds of Pages, Groups, and accounts linked to Iranian actors engaging in coordinated inauthentic behavior. We continue to remove accounts across our services and in all relevant languages,” he said.
Accounts linked to the Iranian sites remain active online, especially in languages other than English. On Nov. 30, 16 of the Iranian sites were still posting daily updates on Facebook, Twitter, Instagram or YouTube — including Sudan Today and Nile Net Online. Between them, the social media accounts had more than 700,000 followers.