How Pro-Iran Hackers Spoofed FP and the News Media
Fake news articles and tweets sought to cast Saudi Arabia and other rivals of Tehran in a bad light.
At first glance, the article appears to be a genuine contribution to this magazine, Foreign Policy.
Published in June 2017, it claims to report that former CIA Director Michael Hayden had criticized the expulsion of the Muslim Brotherhood and Hamas from Qatar under Saudi pressure, and that Hayden said the United States should not let an inexperienced princeling—Saudi Crown Prince Mohammed bin Salman—upset security arrangements in the Middle East.
But that article was a forgery, an impersonation created by an Iran-linked disinformation network aimed at discrediting Tehran’s rivals in an information operation that began in 2016 and continues to this day. During that sprawling, groundbreaking operation, Iran-linked operatives created more than 100 fake articles across dozens of different domains, many of which impersonated legitimate news outlets, pushing made-up stories that attacked Saudi Arabia, Israel, and Iran, according to a report released Tuesday by Citizen Lab, a research organization.
To promote their articles, the operation even relied on fake Twitter personas who communicated with journalists and researchers online and sent links to the faked pages. Citizen Lab identified 11 such personas. One of them, “Mona A. Rahman,” was highly active on Twitter, described herself as a “political analyst & writer,” and appeared to be an anti-Saudi activist.
The fake Foreign Policy article and the dozens of others that impersonated real news sites no longer exist online. Their creators have scrubbed their fake news network from the web, and what remains can only be viewed on archived pages online, such as this one, displaying the fabricated Foreign Policy article. Visually, the site replicated ours, but the article is riddled with grammatical errors.
The disinformation network documented in Tuesday’s report represents a major advance in understanding how countries besides Russia, the focus of so much scrutiny in Washington for its meddling in the 2016 election, are using propaganda and disinformation to spread their preferred narratives online.
“If you put this operation together with all the other Iranian operations we’ve already seen, Iran emerges as at least as significant a disinformation player as Russia, and it doesn’t look like they’re going away,” said Ben Nimmo, a senior fellow at the Atlantic Council’s Digital Forensic Research Lab who studies disinformation.
While “early Iranian operations were relatively crude, and used social media to steer users towards websites which regurgitated regime content,” he said, those operations are now growing increasingly sophisticated as the operatives behind them experiment with new methodologies for spreading pro-Iran messages.
The authors of Tuesday’s report caution that they cannot definitively attribute the campaign to hackers working on behalf of Iran and conclude “with moderate confidence that Iran or an Iran-aligned actor” is orchestrating the campaign. The identities of the individuals operating the network could not be identified, but the messages they spread online consistently lined up with Iranian interests and propaganda.
The pro-Iran campaign breaks new ground by using a tactic that Citizen Lab’s researchers are calling “ephemeral disinformation.” Its operators would create fake news pages and sites, post fake articles, and then delete the pages once the articles began to get pickup on social media. The tactic appears aimed at injecting false narratives into the information ecosystem and then deleting the underlying evidence of the fake news infrastructure behind the claim.
In a nod to this ephemeral online presence, Citizen Lab dubbed the campaign “Endless Mayfly,” in a reference to the insect with a 24-hour lifespan.
By appearing and then disappearing online, “Endless Mayfly’s operators appear to be banking on social media users’ short attention spans and our inclination to trust headlines associated with what appear to be credible sources, rather than dig deeper to verify facts from the ground up ourselves,” Citizen Lab director Ronald Deibert wrote in an analysis of the campaign.
In total, Citizen Lab identified some 72 fake news domains, which relied on a familiar tactic of cybercriminals to impersonate their targets: typosquatting. The four fake Foreign Policy articles created by Endless Mayfly resided on two intentionally misspelled domains: foreignpoilcy[.]com and foriegnpolicy[.]net. (The operators also used a technique known as punycode, which allows for the registration of international domain names, to create lookalike sites.)
The other fabricated Foreign Policy articles provide a snapshot of the campaign’s preferred messages, all of which tend to malign Saudi Arabia’s reputation: A claim that the U.S. president’s daughter Ivanka Trump found it unbelievable that women can’t drive in Saudi Arabia, a piece about the release of documents purportedly revealing Saudi Arabia’s support of the Islamic State, and a claim that Riyadh canceled an arms deal with Turkey because of the latter’s ties to Qatar.
Given the ephemeral nature of the campaign, it is difficult to assess whether it succeeded or not, but it did notch notable victories. In 2017, hackers linked to the Endless Mayfly campaign created a site posing as the Swiss version of the Local, a European news site with outlets in several countries, and posted a fake article to their site claiming that six Arab countries had demanded that Qatar be blocked from hosting the 2022 World Cup.
Reuters and a handful of other international outlets picked up the article, and Reuters was subsequently forced to withdraw the story.
In another notable success for the campaign, French far-right sites picked up a fabricated report purporting to come from Le Soir, a French-language Belgian newspaper, claiming that Saudi Arabia was providing financing for Emmanuel Macron’s presidential campaign. Marion Maréchal-Le Pen, a member of Parliament for the far-right National Front party and the niece of party leader Marine Le Pen, even promoted the link on Twitter.
While some of the campaign’s faked news stories were easy to spot, others were more difficult and blended truth and fiction to create a more believable fake. A fabricated German government page claimed to relate a quote from Chancellor Angela Merkel that would have made major news if it were true: “Germany will be the first country which will prefer its interests and national security to Saudi Arabia’s bribes.” That quote was invented, but another on the same page, attributed to then-Vice Chancellor Sigmar Gabriel, was accurate.
By 2017, the faked pages were seeing only modest success, and the operation shifted its disinformation operations toward self-publishing platforms such as Medium and BuzzFeed Community.
After being published, many of these fraudulent articles were amplified by a republishing network, a large part of which was shut down in August 2018 when Facebook, Google, and Twitter said they had shut down a collection of sites working in concert to spread Iranian propaganda.
While that shutdown appears to have undermined the ability of the operation to spread its fake news pages, parts of the republishing network remains active, the Citizen Lab report found.
Despite public exposure and expulsion from several major technology platforms, researchers believe the disinformation operation remains alive and well.
“We continue to see new assets created to support this activity, suggesting that the actors responsible remain undeterred by public exposure or by platform’s shutdowns of their accounts,” said Lee Foster, an information operations analyst at the security firm FireEye. “They continue to seek to influence audiences within the U.S. and elsewhere on positions favorable to Iranian interests.”