Esfandyar Batmanghelidj @yarbatman
1. A couple things that stick out about @FireEye's announcement regarding the discovery of an Iranian “influence operation” across websites, Facebook, and Twitter. This doesn't look like an Internet Research Agency type operation.
fireeye.com/blog/threat-re…
2. Let’s start with one of the primary websites identified as part of the network. Instituto Manquehue. You can check it out here: institutomanquehue.org
3. It is a weird site that is clearly trying to look legitimate. But it doesn’t seem inherently “fake.” The institute appears to have been around since 2014 offering a leftist vision for Latin American journalism free from the “foreign influences of West and East.”
4. There is a lot of content there. Some of it obviously cribbed from elsewhere. But the site seems actively managed. There is a pro-Iran, anti-Saudi slant to the coverage of the Middle East--something FireEye points to. But overall content strikes me as in the style of Alternet.
5. What is most interesting, however, is that there is a physical institute in Santiago, Chile of the same name. The signage matches the “Instituto Manquehue of Estudios Estratégicos” verbiage on the website and includes a little Facebook logo which is sort of useless now…
6. It would be extreme for an “influence operation” to go so far as to create a physical site in Latin America... and the physical site has existed since Oct. 2014. That is when the street view photo was taken.
7. Iran has been politically active in Latin America, overtly and covertly, especially between 2005-2013. But this institute seems innocuous. Here is a video slideshow of the institute’s first “graduating class” dated to 2013:
8. So the institute is more than a website and can be shown to exist four years ago, well before “social media-driven influence operations” became a major concern for the voting public. The question is how far back does the Iran link go?
9. Well, FireEye’s network map indicates that institutomanquehue.org shares a “registrant email address” with gahvare.com, which shares one with yemenshia.com (defunct), which shares one with libertyfrontpress.com.
10. Gahvare.com was registered by an organization called “Persian Domain Provider” on 27/8/2014. The person and email associated with Persian Domain Provider is Kaveh Khaleghi (kavehkhalegi@hotmail.com). The Turkish address appears made-up.
11. As an (amazing) aside, Persian Domain Provider was mentioned in a July 2017 flame war between some Russians debating about Syria on a gun forum. Someone pointed out that the source a poster was using was "fake news" and pulled up the WHOIS record.
thegunman-bg.com/forum/viewtopi…
12. So what is the connection between institutomanquehue.org and gahvare.com? Well the registrar name for Persian Domain Provider on the gahvare.com record is given as “Stituto Manquehue,” with the typo, which is just weird.
13. This is the case for 4 other domains registered in 2014. But the other 4 (defunct) domains do *not* have Persian Domain Provider as the org. Of these one was registered by “Arab Domain Provider,” which has registered 28 domains. Most seem to be active Arabic news sites.
14. Notably, Arab Domain Provider took over aletthadnews-iq.com from “Stituto Manquehue” in 2016. Until then the name server for aletthadnews-iq.com was atenahost.ir in Iran. The name server isn't Iranian for institutomanquehue.org or gahvare.com.
15. FireEye claim a connection through the registrant and “advertisements for website designers in Tehran" but don't give names. @craigtimberg/@lizzadwoskin cite Facebook on connections as far back as 2011 and links to Press TV.
washingtonpost.com/technology/201…
16. Press TV and the date 2011 stick out to me. There are a couple of things to consider. Press TV is Iran’s English-language state media. It does not conduct proper journalism. It peddles a political line. In that way, it is similar to Russia’s RT.
17. Press TV was established in 2007. It tried very hard to gain traction among Western viewers. Case in point: Labour Leader Jeremy Corbyn appeared on Press TV five times between 2009 and 2012 and was paid £20k to do so (come on dude):
businessinsider.com/jeremy-corbyn-…
18. Press TV's approach was to find left-leaning, sympathetic voices who weren’t Iranian to make the network’s coverage seem legitimate. Again, parallels to RT’s early days. Going back to institutomanquehue.org, you find a lot of Press TV content:
google.com/search?q=press…
19. Likewise, libertyfrontpress.com sources Middle East news from iuvm.net, which in turn posts Press TV content. iuvmnews.com was registered in 2014 by Persian Domain Provider, closing the loop.
20. Basically, using open sources, you can verify FireEye’s claims. But it is worth looking at the assertion that Iranian actors “continue to engage in and experiment” with influence operations in light of the information gathered here. The interconnections here are confusing.
21. Part of the reason is that it is all very sloppy i.e. using the name for one site on the registration record for another. It doesn’t reflect a deliberate attempt to hide the connections. Plus, if you want to hide WHOIS info, you can pay for that service.
22. Let’s go back to the dates. Persian Domain Provider registered the sites between 2014-2016. If this is the person referred to by FireEye, then their primary period of activity is well before Russia’s Internet Research Agency operation changed how we think about social media.
23. Basically, I think FireEye/Facebook/Twitter has stumbled upon the past amateurish efforts of Press TV and its affiliates to create influential news platforms on the basis of ad hoc web development, leftist sympathizers, and social media tools (including--recently--bots).
24. This is very different from an army of trolls assembled by an intelligence agency. Even FireEye seems to acknowledge the limits of the influence effort. If you know what Press TV is, it is a lot less threatening. Not the "election meddling" the Trump admin has bandied.
25. What is the kicker here? The support for the #JCPOA. The nuclear deal is not exactly well regarded by the "malign actors" Iran’s military and intelligence establishment. It’s unlikely they would spend one iota of energy trying to sing its graces on the internet.
26. tl;dr #Iran is pumping out fake news as it has for years and years. Social media makes that easier. But we should be careful about jumping to conclusions about Russian-levels of intention and resources.
27. Also, Facebook/Twitter's bold move to ban the relevant accounts is in one way commendable--at least they acted fast. But by my reading it's hard to see how places like RT (as state news organs) or Alternet/Breitbart (as veering-towards-fake news) would retain their platform.
28. It is pretty clear that the label "Iran" made it politically easy to decide to ban the accounts, whereas Alex Jones gets a pass. But if we are measuring harms... is anyone reading Instituto Manquehue?
29. As a final point, it would behoove security firms like @FireEye to incorporate a bit of qualitative analysis. If they can't evaluate the information contextually, they aren't really able to weigh the security vs. speech risks accurately. The network is just part of the story.
30. @RidT makes some similar observations on scale and age of efforts:
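
The registrant pivot walked through in tweets 9 to 14, as an added example that is not part of the original thread: it chains domains through shared WHOIS fields and reports which field justifies each hop, so every link can be checked by hand. All domains, addresses, names and the ignore list are constructed placeholders, not real WHOIS data.

```python
from collections import defaultdict, deque

# Constructed observations (domain, WHOIS field, value); placeholders, not real records.
OBSERVATIONS = [
    ("site-a.example", "registrant_email", "Reg1@mail.example"),
    ("site-b.example", "registrant_email", "reg1@mail.example "),
    ("site-b.example", "registrant_name", "Example Name"),
    ("site-c.example", "registrant_name", "example name"),
    ("site-c.example", "registrant_email", "reg2@mail.example"),
    ("site-d.example", "registrant_email", "reg2@mail.example"),
    ("site-d.example", "registrant_email", "proxy@privacy.example"),
    ("unrelated.example", "registrant_email", "proxy@privacy.example"),
]
# Assumption: values shared by many unrelated customers (privacy proxies,
# resellers) are excluded, because sharing them says nothing about ownership.
IGNORED = {("registrant_email", "proxy@privacy.example")}


def build_index(observations, ignored=IGNORED):
    """Map each normalised (field, value) to its domains, and each domain to its attributes."""
    by_attr, by_domain = defaultdict(set), defaultdict(set)
    for domain, field, value in observations:
        attr = (field, value.strip().lower())  # case and whitespace differ between records
        if attr in ignored:
            continue
        by_attr[attr].add(domain)
        by_domain[domain].add(attr)
    return by_attr, by_domain


def link_path(observations, start, goal):
    """Breadth-first search for the shortest chain of shared attributes from start to goal."""
    by_attr, by_domain = build_index(observations)
    queue, seen = deque([(start, [start])]), {start}
    while queue:
        domain, path = queue.popleft()
        if domain == goal:
            return path
        for attr in sorted(by_domain[domain]):
            for neighbour in sorted(by_attr[attr] - seen):
                seen.add(neighbour)
                queue.append((neighbour, path + [attr, neighbour]))
    return None  # no chain of shared, non-ignored attributes exists


if __name__ == "__main__":
    print(link_path(OBSERVATIONS, "site-a.example", "site-d.example"))
    print(link_path(OBSERVATIONS, "site-d.example", "unrelated.example"))
```

The returned path alternates domains with the attribute that links them; a `None` result for the proxy-only pair shows why shared privacy or reseller values should not count as a connection.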