Facebook on Tuesday dismantled an expansive, covert Iranian influence operation aimed at American, British, Latin American, and Middle Eastern audiences. Posing as independent news and civil society organizations, state-sponsored actors created hundreds of fake Facebook pages and Twitter accounts, which were also suspended on Tuesday, and Iranian state media created dozens of counterfeit YouTube channels.
The operation, dating back to as early as 2011, tricked hundreds of thousands of people into following bogus accounts. Deploying the expertise in social engineering they have developed through their many spear phishing campaigns, Iranian cyber operators manipulated Americans and others into possibly sharing content and attending real-world events hosted by fake personas. The influence campaign is one of the first reported cases of Iranian operatives exploiting U.S. social media to target audiences outside Iran, according to cybersecurity firm FireEye which tipped off the tech giants to the suspicious activity.
The exposure of this multi-year cyber campaign should dispel the myth that Tehran put a tight leash on its hackers during and after negotiating the nuclear deal known as the Joint Comprehensive Plan of Action (JCPOA). Yet even the Trump administration has downplayed the Iranian cyber threat, despite pulling out of the JCPOA in response to Iranian provocations ranging from missile launches to ongoing support for terrorists.
Iran’s covert action on Facebook is the second major cyber campaign that has come to light this year. In March, the Department of Justice indicted hackers working for Iran’s Islamic Revolutionary Guard Corps for a massive cyber espionage and data exfiltration campaign that targeted 144 U.S.-based universities, 30 American companies, as well as multiple federal agencies. The case is “one of the largest state-sponsored hacking campaigns” the Department has ever prosecuted, according to U.S. Attorney Geoffrey S. Berman, and revealed that Iran’s malicious cyber operations ran concurrent with the negotiations that led to the JCPOA.
Nonetheless, a senior U.S. intelligence official testified this month to “Iran’s recent restraint from conducting cyber attacks against the U.S. or Western allies.” In a variation on this theme, WIRED magazine published an article which observed that “since the 2015 nuclear deal, Iran has largely restricted its hacking to its own neighborhood.” Iranian hackers are believed to be responsible for last summer’s attempted cyber sabotage at a Saudi petrochemical plant, but allegedly restrained themselves from using destructive cyber attacks against American targets. This take on the argument is not exactly comforting—had the Saudi operation been successful, the malware could have triggered explosions.
Security experts also attribute to Iranian hackers the widespread Shamoon 2 virus from 2016 and 2017 which wiped data and destroyed computers at Saudi companies and government agencies. Shamoon 2 was the next generation of the 2012 attack on Saudi Aramco, the massive oil producer, which forced the company to revert to faxes and typewriters to manage supplies and communicate with its customers around the world. FireEye’s analysis of the Shamoon 2 virus concluded that the group responsible also attacked U.S. aerospace organizations.
Iran began developing its cyber capabilities in earnest following its own experience with the Stuxnet virus in 2010 – a sophisticated and precisely targeted cyber operation reportedly orchestrated by the United States and Israel to destroy centrifuges that could be used to develop Iranian atomic weapons. Tehran’s hackers are adept students and may be sharing their skills and tools with their North Korean counterparts. The newly discovered Iranian social media operation is the latest evolution in Iran’s cyber capabilities.
Facebook stated that the Iranian campaign appears to have no connections to similar Russian misinformation offensives nor was it specifically targeting U.S. elections. However, the timing suggests that the mullahs in Tehran have internalized the lessons from Russia’s influence operations aimed at stoking divisions in the American people and undermining faith in democratic institutions.
Iran’s covert social media campaign began focusing in earnest on U.S. and UK audiences only last year, according to Facebook’s statement, after Russia’s operations in the United States and Europe came to light. In his regime’s ongoing battle with the “Great Satan,” Iranian Supreme Leader Ali Khamenei’s greatest fear is that his people’s desire for human rights and freedom will delegitimize and ultimately overthrow his autocratic and theocratic regime. By turning Americans against each other and against their own system of government, Tehran hopes to corrode the pull these ideals have on the Iranian people.
Iran already engages in so many types of malign activity that it is hard to keep track, but the U.S government needs to raise its level of concern about cyber threats. In a policy address on Iran in May, Secretary of State Mike PompeoMike PompeoSunday shows preview: Coronavirus dominates as country struggles with delta variant Christie, Pompeo named co-chairs of GOP redistricting group America needs a new strategy for Pacific Island Countries MORE laid out 12 conditions for Iran to be accepted as a member in good standing in the international community. For good reason, abandoning the regime’s nuclear ambitions and support for terrorism topped the list. Only the twelfth item referred briefly to cyber threats, but only in the context of Iran’s hostility towards its neighbors, not the U.S.
The U.S. government should clarify that if the Islamic Republic wants to rejoin the international community and develop commercial ties around the world, the regime must cease all cyber attacks against U.S. private companies and all attempts to manipulate the American people with covert, cyber influence operations.
Annie Fixler is the senior project manager of the Cyber-Enabled Economic Warfare project at the Foundation for Defense of Democracies and a policy analyst at FDD’s Center on Sanctions and Illicit Finance. She can be found on Twitter @afixler.