Social media users with ties to Iran are shifting their disinformation efforts by imitating real people, including U.S. congressional candidates, according to research published Tuesday.
FireEye’s Threat Intelligence team said it had uncovered Twitter accounts that impersonated Republican congressional candidates in the buildup to the 2018 midterm elections, posting on politics and other topics. In some cases, FireEye suspects the actors were also able to have materials published in U.S. and Israeli media outlets.
In a related announcement Tuesday, Facebook announced a takedown of fake accounts on Facebook and Instagram emanating from Iran that appeared to focus on outreach to policymakers. Facebook said the accounts and linked personas at times imitated legitimate news organizations in the Middle East and at other times purported to be journalists.
Neither company attributed the information operations directly to the Iranian government, though FireEye said the actors appeared to be advocating for Iranian interests while Facebook and Twitter both said the nefarious activity originated in that country.
The Facebook takedown, which covers 51 accounts, 36 Pages, seven groups, as well as three Instagram accounts, began after FireEye alerted Facebook to the inauthentic behavior.
A Twitter spokesperson told CyberScoop Twitter took down a network of 2,800 inauthentic accounts originating from Iran earlier this May.
Social media impersonation
The actors FireEye identified Tuesday masqueraded as Marla Livengood, a congressional candidate in California, starting as early as September of 2018, according to FireEye. Purporting to be Livengood, they posted about the confirmation of Supreme Court nominee Brett Kavanaugh and the murder of journalist Jamal Khashoggi, for example. The actors also claimed to be Jineea Butler, a congressional candidate in New York, who did not immediately respond to request for comment.
Scott Winn, who worked on Livengood’s campaign, told CyberScoop the campaign found out about the impersonation when they received media inquiries on the matter on Tuesday. The campaign and Livengood, who is running for office in 2020 again, did not know about it during the 2018 cycle.
Narratives more broadly pushed by Iranian-linked Twitter accounts included support for the Iran nuclear deal, from which the Trump administration intends to withdraw, as well as opposition to the White Houses’s decision to designate the Iranian Revolutionary Guard Corps a terrorist organization.
Twitter’s investigation of these accounts has not yet concluded, and the company says it will post results to its archive of information operations when it has completed its review.
“FireEye, a private cybersecurity firm, has issued a report and chosen not to share information or insights with Twitter prior to publication which is outside standard, responsible industry norms,” a Twitter spokesperson said in an emailed statement. “Responsible disclosure should include notification and information sharing to protect against informing bad actors. Going public without these elements harms the credibility of the security research community, whose insights we support and appreciate.”
External to Twitter, FireEye said it suspects that at least five actors pushing Iranian-linked narratives were able to have materials, such as letters to the editor, published in both U.S. and Israeli media outlets, for example, including the Los Angeles Times, New York Daily News, and Seattle Times.
“This research demonstrates that the problem of influence and the types of operations used to achieve it extend well beyond any one type of platform or a particular type of medium,” the researchers write.
In other cases, the actors have conducted audio and video interviews on political topics with U.S. and U.K.-based individuals, including “a prominent activist, a radio talk show host, and a former U.S. Government official,” and posted the interviews on social media. They also sought to influence reporters to cover certain topics.
Facebook notices something new
Nathaniel Gleicher, Facebook’s head of cybersecurity policy, told reporters on a call Tuesday the company did not see actors on Facebook trying to run impersonation operations like the kind FireEye found on Twitter.
Instead, the suspicious activity involved reaching out to policymakers, reporters, academics, and Iranian dissidents. And while Facebook has booted Iranian-linked inauthentic behavior from its platform before, this takedown was different from previous ones related to Iran specifically because of this outreach, Gleicher said.
“While this group did have some pages, it doesn’t seem like that was the focus of their operation,” he said. “The focus was way more of this direct engagement. That’s a little bit different and so that in that sense this feels like a different operation.”
The actors on Facebook primarily posted in English and in Arabic but did not appear to target any one country in particular, although some pages focused on the U.S. and the U.K., according to Gleicher.
The activity on Facebook announced today is reminiscent of the behavior of Russians on social media in the buildup to the 2016 elections, Ben Nimmo, a senior fellow at the Atlantic Council’s Digital Forensic Research Lab, told CyberScoop.
“This resembled the Russian troll operation in 2016 in style,” he said in an email.