How Iran Spreads Disinformation Around the World

Tehran is quietly feeding propaganda through some 98 websites to 25 countries in what the CEO of an Israeli cybersecurity firm calls 'an unusual effort to create a global shift in the public's consciousness'

One of the sites used to distribute fake news.
ClearSky

Website Nile Net Online promises Egyptians "true news" from its offices in the heart of Cairo's Tahrir Square, "to expand the scope of freedom of expression in the Arab world." 

Its views on America do not chime with those of Egypt's state media, which celebrate Donald Trump's warm relations with Cairo. In one recent article, Nile Net Online derided the American president as a "low-level theater actor" who "turned America into a laughing stock" after he attacked Iran in a speech at the United Nations.

Until recently, Nile Net Online had more than 115,000 page-followers across Facebook, Twitter and Instagram. But its contact telephone numbers, including one listed as 0123456789, don't work. A Facebook map showing its location dropped a pin onto the middle of the street, rather than any building. And regulars at the square, including a newspaper stallholder and a policeman, say they have never heard of the website.

>> Tel-Aviv Times? Iran created fake Hebrew news sites in major 'influence campaign' ■ Iranian hackers tried to impersonate Israeli cybersecurity company

It's one of more than 70 websites found by Reuters which push Iranian propaganda to 15 countries, in an operation that cybersecurity experts, social media firms and journalists are only starting to uncover. The sites found by Reuters are visited by more than half a million people a month, and have been promoted by social media accounts with more than a million followers. ClearSky, an Israeli cybersecurity firm, uncovered some 98 websites operating in 25 different countries and estimates that the large-scale operation has enabled Iran to influence public opinion in several of the countries involved.

"What we are seeing here is an unusual effort by the Iranians to create a global shift in the public's consciousness in order to hide the Iranian regime's true ambitions," ClearSky CEO Boaz Dolev told Haaretz.

The Iranian effort "is intended to work on the psychological level and in certain cases it can even be used to disrupt the activities of different institutions around the world, something that must be recognize in order to know how to defend against it," Dolev added.  

The sites underline how political actors worldwide are increasingly circulating distorted or false information online to influence public opinion. The discoveries follow allegations that Russian disinformation campaigns have swayed voters in the United States and Europe. Advisers to Saudi Arabia's crown prince, and the army in Myanmar, are also among those using social media to distribute propaganda and attack their enemies. Moscow has denied the charges; Riyadh and Yangon have not commented.

Former CIA director John Brennan told Reuters that "countries around the globe" are now using such information warfare tactics.

"The Iranians are sophisticated cyber players," he said of the Iranian campaign. "There are elements of the Iranian intelligence services that are rather capable in terms of operating (online)."

Traced by building on research from cybersecurity firms FireEye and ClearSky, the sites in the campaign have been active at different times since 2012. They look like normal news and media outlets, but only a couple disclose any Iranian ties.

One of the sites used by Iran to distribute fake news.
ClearSky

Reuters could not determine whether the Iranian government is behind the sites; Iranian officials in Tehran and London did not reply to questions.

But all the sites are linked to Iran in one of two ways. Some carry stories, video and cartoons supplied by an online agency called the International Union of Virtual Media (IUVM), which says on its website it is headquartered in Tehran. Some have shared online registration details with IUVM, such as addresses and phone numbers. Twenty-one of the websites do both.

Emails sent to IUVM bounced back and telephone numbers the agency gave in web registration records did not work. Documents available on the main IUVM website say its objectives include "confronting with remarkable arrogance, western governments and Zionism front activities."

Nile Net Online did not respond to questions sent to the email address on its website. Its operators, as well as those of the other websites identified by Reuters, could not be located. Previous owners identified in historical registration records could not be reached. The Egyptian government did not respond to requests for comment.

'Unspoken truth'

Some of the sites in the Iranian operation were first exposed in August by companies including Facebook, Twitter and Google's parent, Alphabet, after FireEye found them. Haaretz reported in September that ClearSky uncovered three Hebrew news sites as Iranian hack schemes. One of them, the Tel Aviv Times, receives 65,000 surfers per month, according to SimilarWeb. 

Social media companies have closed hundreds of accounts that promoted the sites or pushed Iranian messaging. Facebook said last month it had taken down 82 pages, groups and accounts linked to the Iranian campaign; these had gathered more than one million followers in the United States and Britain.

But the sites uncovered by Reuters have a much wider scope. They have published in 16 different languages, from Azerbaijani to Urdu, targeting Internet users in less-developed countries. That they reached readers in tightly controlled societies such as Egypt, which has blocked hundreds of news websites since 2017, highlights the campaign's reach.

The Iranian sites include:

- Ten outlets targeting readers in Yemen, where Iran and U.S. ally Saudi Arabia have been fighting a proxy conflict since civil war broke out in 2015;

- A media outlet offering daily news and satirical cartoons in Sudan. Reuters could not reach any of its staff;

- A website called Realnie Novosti, or "Real News," for Russian readers. It offers a downloadable mobile phone app but its operator could not be traced.

The news on the sites is not all fake. Authentic stories sit alongside pirated cartoons, as well as speeches from Iran's Supreme Leader Ayatollah Ali Khamenei. The sites clearly support Iran's government and amplify antagonism to countries opposed to Tehran – particularly Israel, Saudi Arabia and the United States. Nile Net's "laughing stock" piece was copied from an Iranian state TV network article published earlier the same day.

The identity or location of the past owners of some of the websites is visible in historical Internet registration records: 17 of 71 sites have in the past listed their locations as Iran or Tehran, or given an Iranian telephone or fax number. But who owns them now is often hidden, and none of the Iranian-linked operators could be reached. One of the Tel Aviv Times’ Facebook pages says that the organization operates from Washington, United States, but its phone number has an Ireland country code. Haaretz tried calling the number, but the line was disconnected.

More than 50 of the sites use American web service providers Cloudflare and OnlineNIC – firms that provide website owners with tools to shield themselves from spam and hackers. Frequently, such services also effectively conceal who owns the sites or where they are hosted. The companies declined to tell Reuters who operates the sites.

Under U.S law, hosting and web services companies are not generally liable for the content of sites they serve, said Eric Goldman, co-director of the High Tech Law Institute at Santa Clara University. Still, since 2014, U.S. sanctions on Iran have banned "the exportation or re-exportation, directly or indirectly, of web-hosting services that are for commercial endeavors or of domain name registration services."

Douglas Kramer, general counsel for Cloudflare, said the services it provides do not include web-hosting services. "We've looked at those various sanctions regimes, we are comfortable that we are not in violation," he told Reuters.

A spokesman for OnlineNIC said none of the sites declared a connection to Iran in their registration details, and the company was in full compliance with U.S. sanctions and trade embargoes.

Another Western dawn

The Kremlin is widely seen as the superpower in modern information warfare. From what is known so far, Russia's influence operation – which Moscow denies – dwarfs Iran's. According to Twitter, nearly 4,000 accounts connected to the Russian campaign posted over 9 million tweets between 2013 and 2018, against over 1 million tweets from fewer than 1,000 accounts believed to originate in Iran.

Even though the Iranian operation is smaller, it has had impact on volatile topics. AWDnews – the site with the focus on "unspoken truth" – ran a false story in 2016 which prompted Pakistan's defense minister to warn on Twitter he had the weapons to nuke Israel. He only found out that the hoax was part of an Iranian operation when contacted by Reuters.

"It was a learning experience," said the deceived politician, 69-year-old Khawaja Asif, who left Pakistan's government earlier this year. "But one can understand that these sorts of things happen, because fake news has become something huge. It's something which anyone is capable of now, which is very dangerous."

Israeli officials did not respond to a request for comment.

In August 2015, an official account for a European department of the World Health Organization (WHO) tweeted an AWDnews story. Annalisa Buoro, secretary for the WHO's European Office for Investment for Health and Development, said the person running the department's Twitter account at the time did not know the website was part of an Iranian campaign.

A fake profile.
ClearSky

She said the tweet had gone out when the account had a relatively small following, limiting the damage, but "on the other hand, I am very concerned ... because as a UN agency we have a huge responsibility."

Jobs for women

FireEye, a U.S. cybersecurity firm, originally named six websites as part of the Iranian influence operation. Reuters examined those sites, and their content led to the Tehran-based International Union of Virtual Media.

IUVM is an array of 11 websites with names such as iuvmpress, iuvmapp and iuvmpixel. Together, they form a library of digital material, including mobile phone apps, items from Iranian state media and pictures, video clips and stories from elsewhere on the web, which support Tehran's policies.

Tracking usage of IUVM content across the Internet led to sites which have used its material, registration details, or both. For instance, 22 of the sites have shared the same phone number, which does not work and has also been listed for IUVM. At least seven have used the same address, which belongs to a youth hostel in Berlin. Staff at the hostel told Reuters they had never heard of the sites in question. The site operators could not be reached to explain their links with IUVM.

Two sites even posted job advertisements for IUVM, inviting applications from women with "ability to work effectively and knowledge in dealing with social networks and (the) Internet."

Demolished home

One of IUVM's most popular users is a site called Sudan Today, which SimilarWeb data shows receives almost 150,000 unique visitors each month. On Facebook, it tells its 57,000 followers that it operates without political bias. Its 18,000 followers on Twitter have included the Italian Embassy in Sudan, and its work has been cited in a report by the Egyptian Electricity Ministry.

The office address registered for Sudan Today in 2016 covers a whole city district in north Khartoum, according to archived website registration details provided by WhoisAPI Inc and DomainTools LLC. The phone number listed in those records does not work.

Reuters could not trace staff members named on Sudan Today's Facebook page. The five-star Corinthia hotel in central Khartoum, where the site says it hosted an anniversary party last year, told Reuters no such event took place. And an address listed on one of its social media accounts is a demolished home.

Sudan used to be an Iranian ally but has changed sides to align itself with Saudi Arabia, costing Tehran a foothold in the Horn of Africa just as it becomes more isolated by the West. In that environment, Iran sees itself as competing with Israel, Saudi Arabia and the United States for international support, and is taking the fight online, said Ariane Tabatabai, a senior associate and Iran expert at the Center for Strategic and International Studies in Washington, D.C.

Headlines on Sudan Today's homepage include a daily round-up of stories from local newspapers and Ugandan soccer results. It also features reports on bread prices – which doubled in January after Khartoum eliminated subsidies, triggering demonstrations.

Ohad Zaidenberg, senior researcher at Israeli cybersecurity firm ClearSky, said this mixture of content provides the cover for narratives geared at influencing a target audience's attitudes and perceptions.

The site also draws attention to Saudi Arabia's military actions in Yemen. Since Sudanese President Omar al-Bashir ended his allegiance with Iran he has sent troops and jets to join Saudi-led forces in the Yemeni conflict.

One cartoon from IUVM published by Sudan Today in August shows Donald Trump astride a military jet with an overflowing bag of dollar bills tucked under one arm. The jet is draped with traditional Saudi dress and shown dropping bombs on a bloodstained map of Yemen. The map is littered with children's toys and shoes.

Alnagi Albashra, a 28-year-old software developer in Khartoum, said he likes to read articles on Sudan Today in the evenings when waiting for his baby to fall asleep. But he and three other Sudan Today readers reached by Reuters had no idea who was behind the site.

"This is a big problem," he said. "You can't see that they are not in Sudan."

Government officials in Khartoum, the White House, the Italian Embassy and the Egyptian Electricity Ministry did not respond to requests for comment.

Backbone

It is unclear who globally is tasked with responding to online disinformation campaigns like Iran's, or what if any action they should take, said David Conrad, chief technology officer at ICANN, a non-profit which helps manage global web addresses.

Social media accounts can be deleted in bulk by the firms that provide the platforms. But the Iranian campaign's backbone of websites makes it harder to dismantle than social media, because taking down a website often requires the cooperation of law enforcement, Internet service providers and web infrastructure companies.

Efforts by social media companies in the United States and Europe to tackle the campaign have had mixed results.

Shortly after being contacted by Reuters, Twitter suspended the accounts for Nile Net Online and Sudan Today. "Clear attribution is very difficult," a spokeswoman said, but added that the company would continue to update a public database of tweets and accounts linked to state-backed information operations when it had new information.

Google did not respond directly to questions about the websites found by Reuters. The company has said it identified and closed 99 accounts which it says are linked to Iranian state media. "We've invested in robust systems to identify influence operations launched by foreign governments," a spokeswoman said.

Facebook said it was aware of the websites found by Reuters and had removed five more Facebook pages. But a spokesman said that based on Facebook user data, the company was not yet able to link all the websites' accounts to the Iranian activity found earlier. "In the past several months, we have removed hundreds of Pages, Groups, and accounts linked to Iranian actors engaging in coordinated inauthentic behavior. We continue to remove accounts across our services and in all relevant languages," he said.