Throughout 2018, Clearsky Cyber Security has uncovered several disinformation campaigns operated by Iran (As can be seen in Ayatollah BBC report). Below, we provide an overview of a large-scale fake news infrastructure promoting Iranian global interests comprised of at least 98 fake media outlets; each with its own websites, social media accounts, and pages that distribute fake news worldwide. Note that a number of fake media outlets also created fraudulent mobile apps.
Read the full report: Global Iranian Disinformation Operation
Abstract
This multi-language infrastructure targets over 28 countries, authorities and geographical areas (such as Latin America and Western Europe).
This infrastructure leverages multiple disinformation and propaganda techniques. Many of the fraudulent websites blatantly copy and steal content from legitimate media outlets around the world, including the US, Latin America, several countries in Europe, as well as Africa, and Asia. Further, we identified modifications of the content to better fit the Iranian agendas. This infrastructure was established by Iranian actors and has been active since at least 2012.
We categorized the websites into 4 groups, each representing different regions: America and Europe, the Middle East and North Africa, Muslim countries in Africa and Asia and Allias of Iran. Note however that most of the websites in each group have the same overarching goals and agendas.
We believe that the infrastructure is operated by an organized group that coordinates various operators such as – editors, writers, graphic designers, web developers, social media specialist and more. Further, many of the content creators are fluent in one or more languages in addition to Persian.
Example of a fake article from the fake media outlet WhatUpic[.]com. Note that part of the original content was stolen from the Independent newspaper including the original links and references.
Conclusions
Iran has successfully operated a massive disinformation and fake news infrastructure uninterruptedly for over half a decade. As a result, Iran reached and influenced hundreds of thousands, and possibly even millions of readers, who were unaware that they are exposed to inauthentic information.
Indicators of compromise
These and other indicators of compromise are available for subscribers of the ClearSky threat intelligence service in MISP event 1180 and at appendix 2 in the full report.