London, 27 August – Tech giant Google announced on Thursday that it had uncovered a “state-sponsored phishing attack” connected to the Islamic Republic of Iran Broadcasting (IRIB), the first time the company has found a direct link between the state-run media outlet and misinformation attacks from Iran.
A blog post from Google stated that a number of YouTube channels, blogs and Google+ accounts linked to the IRIB that had disguised their relationship whilst sharing English-language political content in the US had been “identified and terminated”.
Kent Walker, Senior Vice President of Global Affairs at Google, wrote in the post that three important pieces of evidence made the company confident that the attack was being carried out by the IRIB:
1) The technical data of these accounts are coming from the official IRIB IP address space
2) The domain ownership information is “strongly linked” to IRIB account information
3) The account metadata and subscriber information are associated with the IRIB, “indicating common ownership and control”
In total, Google found 39 YouTube channels (with 13,466 total US views on relevant videos), six blogs on Blogger and 13 Google+ accounts.
Walker said that the company had been working with cybersecurity firm FireEye on the “influence operation”, after FireEye identified “some suspicious Google accounts”, which Google was quick to delete.
The FireEye analysis reads: “Broadly speaking, the intent behind this activity appears to be to promote Iranian political interests, including anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as to promote support for specific US policies favourable to Iran, such as the US-Iran nuclear deal (JCPOA).”
FireEye has published a full 20-page report on the IRIB attack.
This announcement comes just days after Facebook revealed that it had removed 652 pages, groups and accounts linked to Iran for “coordinated inauthentic behaviour”, such as the sharing of anti-Trump political material in the US and pro-Iranian posts elsewhere in the world.
In a statement on Tuesday, Facebook cyber security policy head Nathaniel Gleicher said: “We’ve removed 652 pages, groups and accounts for coordinated inauthentic behaviour that originated in Iran and targeted people across multiple internet services in the Middle East, Latin America, UK and US.”
The fake social media personas found in the US-focused activity reflected an “American liberal identity” with “anti-Trump messaging”, which promoted the Iranian nuclear deal.
Twitter also announced on Tuesday that it had suspended 284 accounts linked to Iran for “coordinated manipulation”.