FireEye security researchers have uncovered a network of fake social media accounts that engage in inauthentic behavior and misrepresentation, likely in support of Iranian political interests.
Comprised of fake American personas and accounts impersonating real American individuals, including candidates that ran for House of Representatives seats last year, the network might be related to accounts exposed last year.
Most of the accounts were created between April 2018 and March 2019 and used profile pictures taken from various online sources, including photos of real individuals on social media. Most of the accounts in this network appear to have been suspended on or around the evening of May 9, 2019, FireEye says.
Some of the personas posed as activists, correspondents, or free journalists, and some of these so called journalists claimed to belong to specific news organizations, yet the researchers couldn’t identify individuals belonging to those news organizations with those names.
The accounts promoted anti-Saudi, anti-Israeli, and pro-Palestinian themes. They expressed support for the Iran nuclear deal, opposition to the Trump administration’s designation of Iran’s Islamic Revolutionary Guard Corps (IRGC) as a Foreign Terrorist Organization, and condemnation of U.S. President Trump’s veto of a resolution passed by Congress to end U.S. involvement in the Yemen conflict.
The security researchers also found on these accounts messages seemingly contradictory to their otherwise pro-Iran stances. One account posted tweets almost entirely in line with Iranian political interests, but also messages directed at U.S. President Trump, calling attacks on Iran, and other accounts in the network echoed these.
“It is possible that these accounts were seeking to build an audience with views antipathetic to Iran that could then later be targeted with pro-Iranian messaging,” the security researchers note.
FireEye also found “several limited indicators that the network was operated by Iranian actors.” These include older tweets in Persian and of a personal nature (which could suggest that the account was compromised from another individual or repurposed by the same actor), along with the use of Persian as the interface language for one account (most of the accounts had their languages set to English).
Some of the observed Twitter accounts impersonated Republican political candidates that ran for House of Representatives seats in the 2018 U.S. congressional midterms. They appropriated the candidates’ photos and, in some cases, even plagiarized tweets from the real individuals’ accounts, but their general activity was similar to that of other accounts in the network.
Some of the personas would also submit letters, guest columns, and blog posts to legitimate print and online media outlets in the U.S. and Israel, to promote Iranian interests. Many of the materials were mostly published in small, local U.S. news outlets, but also appeared on several larger outlets, the security researchers suspect.
Personas involved in this behavior include John Turner (published on The Times of Israel and U.S.-based site Natural News Blogs), Ed Sullivan (Galveston County, Texas-based The Daily News, the New York Daily News, and the Los Angeles Times), Mathew Obrien (Galveston County’s The Daily News and the Athens, Texas-based Athens Daily Review), Jeremy Watte (The Baytown Sun and the Seattle Times), and Isabelle Kingsly (The Baytown Sun and the Newport News Virginia local paper The Daily Press).
“Personas in the network also engaged in other media-related activity, including criticism and solicitation of mainstream media coverage, and conducting remote video and audio interviews with real U.S. and UK-based individuals while presenting themselves as journalists. One of those latter personas presented as working for a mainstream news outlet,” FireEye reports.
Accounts in the network posted tweets either calling on mainstream media outlets to cover topics aligned with Iranian interests or criticizing them for insufficient coverage of those topics.
“If [the network] is of Iranian origin or supported by Iranian state actors, it would demonstrate that Iranian influence tactics extend well beyond the use of inauthentic news sites and fake social media personas, to also include the impersonation of real individuals on social media and the leveraging of legitimate Western news outlets to disseminate favorable messaging,” FireEye, which continues the investigation into these accounts, concludes.
Source: infosec island