Threat actors apparently working out of Iran have been conducting an operation whose goal is to influence the opinions of people in the United States and other countries around the world, FireEye reported on Tuesday.
This campaign, which the cybersecurity firm describes as an “influence operation,” involves a network of “inauthentic” news websites and clusters of social media accounts whose apparent purpose is to “promote political narratives in line with Iranian interests.”
The sites that FireEye calls “inauthentic” make an effort to hide their origins and affiliations, and rely on fake social media personas to promote content. This content is either original, copied from other sources, or taken from other sources and modified.
The campaign, which has been active since at least 2017, focuses on anti-Israel, anti-Saudi, and pro-Palestine topics. The threat actor behind the operation has also distributed stories regarding U.S. policies that are favorable to Iran, including the Joint Comprehensive Plan of Action nuclear deal.
In addition to the United States, the group’s targets include the United Kingdom, Latin America and the Middle East.
FireEye researchers have found several pieces of evidence suggesting that Iran is behind the operation. This includes domains registered with email addresses associated with Iranian organizations, Twitter accounts registered with phone numbers with Iran’s +98 country code, and online personas promoting Iranian holidays.
However, the company says it’s only “moderately confident” that Iran is behind the activity, mainly due to the fact that this is an influence operation, which are meant to be deceptive.
The cybersecurity firm noted that the Iran-linked threat actor tracked as APT35, NewsBeef, Newscaster and Charming Kitten has also leveraged these types of inauthentic news sites and social media personas in its cyber espionage operations, but there is no evidence that this influence campaign has been conducted by APT35.
“The activity we have uncovered is significant and demonstrates that actors beyond Russia continue to engage in online, social media-driven influence operations as a means of shaping political discourse,” said Lee Foster, Manager of Information Operations Analysis at FireEye. “It also illustrates how the threat posed by such influence operations continues to evolve, and how similar influence tactics can be deployed irrespective of the particular political or ideological goals being pursued.”
FireEye is preparing a report containing technical details on the operation. The report will be shared on request.
Related: US Braces for Possible Cyberattacks After Iran Sanctions
Related: Iran-linked Hackers Adopt New Data Exfiltration Methods
Related: Iran-Linked ‘Leafminer’ Espionage Campaign Targets Middle East