Accessibility links

Breaking News

Report: Iran-Linked Disinformation Effort Had Personal Touch


FILE - Ali AlAhmed poses for a photograph in his office in Washington, Oct. 26, 2018.
FILE - Ali AlAhmed poses for a photograph in his office in Washington, Oct. 26, 2018.

When a young Middle Eastern woman contacted Saudi dissident Ali AlAhmed over Twitter last November, he was immediately suspicious.

AlAhmed's radar was up because he had previously been targeted by hackers posing as a female journalist. But this turned out to be part of a different operation.

The Twitter account, purportedly belonging to an Egyptian writer named Mona A.Rahman, was not an attempt to hack the Washington-based AlAhmed — it was an attempt to enlist him in an ambitious global disinformation effort linked to Tehran, according to the Canadian internet watchdog Citizen Lab.

In a new report obtained by The Associated Press, Citizen Lab describes a sprawling global effort by Iran — a years-old, multilingual campaign aimed at seeding anti-Saudi, anti-Israel and anti-American stories across the internet.

Citizen Lab, which is based at the University of Toronto's Munk School, said it believes "with moderate confidence" that the operation is aligned with Iran. The campaign is another indication of how online disinformation is being tested by countries well beyond Russia, whose interference into the 2016 U.S. presidential election was laid out in vivid detail in special prosecutor Robert Mueller's report .

"What this shows is that more and more parties are entering the disinformation game," said John Scott-Railton, a Citizen Lab researcher, "and they're constantly learning."

Citizen Lab investigated the Iranian activities after the AP, in the course of reporting AlAhmed's previous encounters with hackers, told the Canadian organization about the more recent Twitter encounter.

In London, Iranian Embassy press secretary Mohammad Mohammadi denied that his government had anything to do with digital disinformation, saying that Iran was "the biggest victim" of such campaigns and had called for international regulations to curb them. He referred further questions to Iran's Communications Ministry, whose deputy minister did not immediately return a message Tuesday.

'Endless Mayfly'

Scott-Railton and his colleagues ended up identifying 135 fake articles that were published as part of the campaign, which they dubbed "Endless Mayfly" because, like the short-lived insect, the bogus stories tended to disappear soon after they began to spread.

A.Rahman was trying to get AlAhmed to share an article that claimed that Israel's then-defense minister, Avigdor Lieberman, had been fired for being a Russian spy. It was typical of the stories Citizen Lab found: It had startling news, was hosted on a fake version of a Harvard University website, and had a host of spelling and grammatical mistakes. Articles shared by other fake personas followed a similar pattern. They made inflammatory claims about Israel, Saudi Arabia and the United States presented on lookalike versions of respected news sites.

"Ivanka Trump says its unbelievable that women cannot drive in saudi arabia," said one article posted to a site dressed up to look like Foreign Policy magazine. "Saudi Arabia funds the US Mexico border Wall," said another, hosted on a site imitating The Atlantic.

The campaign seems to have been largely ineffectual — Scott-Railton noted that "most of their stories got almost no organic buzz" — but a couple did break through.

In March 2017, a fake Belgian newspaper article claiming that then-French presidential candidate Emmanuel Macron's campaign was being one-third funded by Saudi money was widely shared in French ultra-nationalist circles, including by Marion Marechal, the granddaughter of French far-right leader Jean-Marie Le Pen. A few months later, another site mimicking a Swiss publication tricked the Reuters news agency and other outlets into publishing a false report that Saudi Arabia had written a letter to FIFA, soccer's governing body, demanding that archrival Qatar be barred from hosting the 2012 World Cup. The report was later withdrawn.

Citizen Lab said it first got wind of the suspected Iranian disinformation campaign when a British web developer debunked one of the fake articles on Reddit two years ago. The developer pointed out that the story — which suggested that British Prime Minister Theresa May was "dancing to the tune" of Saudi Arabia — had been published on a website using the URL "indepnedent," imitating the legitimate British news site, The Independent, and was linked to a network of other suspicious sites, including "bloomberq," a clone of the news agency Bloomberg. A third site, "daylisabah," was a fake version of the Turkish publication Daily Sabah.

"Did we just get an insight into a fake news operation?" the developer asked at the time.

Citizen Lab confirmed his hunch, later connecting the sites to an incident in which another Twitter user, Bina Melamed, tried to persuade Israeli journalists to share the same fake Harvard article that AlAhmed received.

When one of the reporters privately confronted Melamed about why she was pushing nonsense, the answer was unusually straightforward.

"I like challenging and controversial stories," Melamed said. "Sometimes they are fake and sometimes they are not."

Outside experts

Outside experts who reviewed Citizen Lab's report gave a qualified verdict. Experts at FireEye and ClearSky Cyber Security, U.S. and Israeli companies respectively, said they recognized elements of the digital disinformation from their own reporting , but ClearSky researcher Ohad Zaidenberg said he wanted to see more evidence before attributing the social media personas to the same group.

Speaking generally, he said the apparent clumsiness of the online disinformation should not be a reason to dismiss it.

"It gets better each day," he said.

Most of the personas mentioned in Citizen Lab's report — such as A.Rahman and Melamed — have been suspended. Messages left with a handful of surviving accounts — sent via Twitter and Reddit — elicited no response. Emails sent to half a dozen addresses used to register several bogus websites — including bloomberq, daylisabah, foriegnpolicy, theatlatnic and indepnedent — either weren't returned or bounced back as undeliverable.

XS
SM
MD
LG