How Iran spreads disinformation around the world

There are more than 70 websites found by Reuters that push Iranian propaganda to 15 countries.
Friday 14/12/2018
Dark designs. A 2017 file picture shows Stuart Davis, a director at one of FireEye’s subsidiaries, standing in front of a map of Iran as he speaks to journalists in Dubai. (AP)
Dark designs. A 2017 file picture shows Stuart Davis, a director at one of FireEye’s subsidiaries, standing in front of a map of Iran as he speaks to journalists in Dubai. (AP)

LONDON - Website Nile Net Online promises Egyptians “true news” from its offices in the heart of Cairo’s Tahrir Square, “to expand the scope of freedom of expression in the Arab world.”

Its views on the United States do not chime with those of Egypt’s state media, which celebrate US President Donald Trump’s warm relations with Cairo. In a recent article, Nile Net Online derided the US president as a “low-level theatre actor” who “turned America into a laughing stock” after he attacked Iran in a speech at the United Nations.

Until recently, Nile Net Online had more than 115,000 followers across Facebook, Twitter and Instagram. However, its contact telephone numbers, including one listed as 0123456789, don’t work. A Facebook map showing its location dropped a pin into the middle of the street, rather than a building. Regulars at the square, including a newspaper stallholder and a policeman, say they have never heard of the website.

The reason: Nile Net Online is part of an influence operation in Tehran.

It is one of more than 70 websites found by Reuters that push Iranian propaganda to 15 countries, in an operation that cybersecurity experts, social media firms and journalists are only starting to uncover. The sites found by Reuters are visited by more than 500,000 people a month and have been promoted by social media accounts with more than 1 million followers.

“The Iranians are sophisticated cyber-players,” former CIA Director John Brennan said. “There are elements of the Iranian intelligence services that are rather capable in terms of operating (online).”

Traced by building on research from cybersecurity firms FireEye and ClearSky, the sites in the campaign have been active at different times since 2012. They look like normal news and media outlets but only a couple disclose any Iranian ties.

Reuters could not determine whether the Iranian government was behind the sites; Iranian officials in Tehran and London did not reply to questions.

However, all the sites are linked to Iran in one of two ways. Some carry stories, video and cartoons supplied by an online agency called the International Union of Virtual Media (IUVM), which says on its website it has headquarters in Tehran. Some shared online registration details with IUVM, such as addresses and phone numbers. Twenty-one of the websites do both.

E-mail sent to IUVM bounced back and telephone numbers the agency gave in web registration records did not work. Documents available on the main IUVM website say its objectives include “confronting with remarkable arrogance Western governments and Zionism front activities.”

Nile Net Online did not respond to questions sent to the e-mail address on its website. Its operators, as well as those of the other websites identified by Reuters, could not be located. Previous owners identified in historical registration records could not be reached. The Egyptian government did not respond to requests for comment.

Some of the sites in the Iranian operation were exposed in August by social media companies, which closed hundreds of accounts that promoted the sites or pushed Iranian messaging. Facebook said in October it had taken down 82 pages, groups and accounts linked to the Iranian campaign; these had gathered more than 1 million followers in the United States and Britain.

The sites uncovered by Reuters have a much wider scope. They published in 16 languages, from Azerbaijani to Urdu, targeting internet users in less-developed countries. That they reached readers in tightly controlled societies such as Egypt, which has blocked hundreds of news websites since 2017, highlights the campaign’s reach.

The Iranian sites include:

* A news site called Another Western Dawn, which says its focus is on “unspoken truth.” It fooled the Pakistani defence minister into issuing a nuclear threat against Israel;

* Ten outlets targeting readers in Yemen, where Iran and US ally Saudi Arabia have been fighting a proxy conflict since civil war broke out in 2015;

* A media outlet offering daily news and satirical cartoons in Sudan. Reuters could not reach any of its staff;

* A website called Realnie Novosti — “Real News” — for Russian readers. It offers a downloadable mobile phone app but its operator could not be traced.

The news on the sites is not all fake. Authentic stories sit alongside pirated cartoons, as well as speeches from Iranian Supreme Leader Ayatollah Ali Khamenei. The sites support Iran’s government and amplify antagonism to countries opposed to Tehran.

Some of the sites are slapdash. The self-styled, misspelled “Yemen Press Agecny” carries a running update of Saudi “crimes against Yemenis during the past 24 hours.” E-mail sent to the agency’s listed contact, Arafat Shoroh, bounced back. The agency’s address and phone number led to a hotel in the Yemeni capital, Sana’a, whose staff said they had never heard of Shoroh.

The identity or location of the previous owners of some of the websites is visible in historical internet registration records: 17 of 71 sites have in the past listed their locations as Iran or Tehran, or given an Iranian telephone or fax number but who owns them now is often hidden and none of the Iranian-linked operators could be reached.

While Iran’s cyber operation is smaller than that of Russia, seen as the superpower in modern information warfare,, it has had an effect on volatile topics. AWDnews, the site with the focus on “unspoken truth,” ran a false story in 2016 that prompted Pakistan’s defence minister to warn on Twitter he had the weapons to nuke Israel. He only found out that the hoax was part of an Iranian operation when contacted by Reuters.

AWDnews publishes in English, French, Spanish and German and, data from web analytics company SimilarWeb indicate, receives approximately 12,000 unique visitors a month. Among others who shared stories from AWDnews and the other websites identified by Reuters were politicians in Britain, Jordan, India and the Netherlands; an official account for a European department of the World Health Organisation (WHO); human-rights activists; an Indian music composer and a Japanese rap star.

Another of IUVM’s most popular users is a site called Sudan Today, which SimilarWeb data show receives almost 150,000 unique visitors each month. On Facebook, it tells its 57,000 followers that it operates without political bias.

The office address registered for Sudan Today in 2016 covers a whole city district in northern Khartoum, according to archived website registration details provided by WhoisAPI Inc and DomainTools LLC. The phone number listed in those records does not work and Reuters was unable to trace staff members named on Sudan Today’s Facebook page.

Headlines on Sudan Today’s homepage include a daily round-up of stories from local newspapers and Ugandan soccer results. It also features reports on bread prices, which doubled in January after Khartoum eliminated subsidies, triggering demonstrations.

Ohad Zaidenberg, senior researcher at Israeli cybersecurity firm ClearSky, said this mixture of content provides the cover for narratives geared at influencing a target audience’s attitudes and perceptions.

The site also draws attention to Saudi Arabia’s military actions in Yemen. Since Sudanese President Omar al-Bashir ended his allegiance with Iran he has sent troops and jets to join Saudi-led forces in the Yemeni conflict.

Alnagi Albashra, a 28-year-old software developer in Khartoum, said he often reads Sudan Today him and three others contacted by Reuters had no idea who was behind the site.

“This is a big problem,” he said. “You can’t see that they are not in Sudan.”

It is unclear who globally is tasked with responding to online disinformation campaigns like Iran’s or what if any action they should take, said David Conrad, chief technology officer at ICANN, a non-profit which helps manage global web addresses.

Social media accounts can be deleted in bulk by the firms that provide the platforms but the Iranian campaign’s backbone of websites makes it harder to dismantle than social media, because taking down a website often requires the cooperation of law enforcement, internet service providers and web infrastructure companies.

Efforts by social media companies in the United States and Europe to tackle the campaign have had mixed results.

Accounts linked to the Iranian sites remain active online, especially in languages other than English. On November 30, 16 of the Iranian sites were still posting daily updates on Facebook, Twitter, Instagram or YouTube — including Sudan Today and Nile Net Online. Between them, the social media accounts had more than 700,000 followers.