New: Iranian disinformation trolls have been amplifying fake stories planted by hackers in breached Twitter accounts and at least one website, according to reporting by The Daily Beast and Mandiant Threat Intelligence. thedailybeast.com/hackers-plante…
Early this month, something strange happened. Hackers broke into Israel Hayom’s Twitter account and tweeted fake stories about Trump dying of COVID, BLM firing shots outside the Clintons’ house and a Hezbollah submarine israelhayom.com/2020/10/05/isr…
We dug into the accounts amplifying those stories and found they had a long, strange trail of involvement in similar incidents. @LeeFosterIntel and his team at Mandiant had been tracking them, too.
After we shared our findings with Twitter, they suspended 80 accounts and told us that, while they’re still investigating, they found both behavioral and technical evidence indicating that actors in Iran were linked to the suspended accounts
We can’t say yet whether the Iranian trolls amplifying the hacks are linked to the ones carrying out the hacks to plant the fake stories but I have my, err, suspicions.
So what did the Iranian trolls get up to? Oh man. They amplified:

• Tweets from the hacked Twitter account of a Bahraini news outlet to criticize the UAE-Israel normalization deal
• A fake story planted by hackers who broke into Hidabroot, an Israeli news site/TV channel
Like the Bahraini Twitter hack, the content planted by hackers at Hidabroot was intended to criticize the UAE-Israel normalization agreement with fake quotes from Israel’s Interior Minister making fun of Arab leaders
They also do impersonations. Iranian trolls set up a fake account in the name of Zeke Emanuel and pushed a racist disinfo story to sow distrust and confusion among Black Americans about the pandemic by claiming that Black and elderly Americans would be treated in FEMA camps.
The real Zeke, who hadn’t yet joined Twitter, found out about it when friends told him they’d seen him on Twitter. The incident took place at the same time as a fake account got verified in the name of a WHO exec and spread a similarly racist story thedailybeast.com/pro-iran-troll…
Iranian trolls also impersonated the CEO of a private hospital in Israel. Why, you ask? Well, to spread a fake story that the son of Tajikistan’s president had been treated for rectal cancer in Israel.
There’s a lot more to it. Go read the article. Thanks to the team at @Mandiant @FireEye, who are top notch.

• • •

More from @arawnsley

20 Jul
New from me: Racist Disinformation Campaign Impersonates Tammy Duckworth. Handful of accounts have been using a forged letter from Duckworth's office to falsely claim that "black separatists" were responsible for the Bonhomme Richard Navy ship fire.
thedailybeast.com/tammy-duckwort…
The accounts involved impersonated Yoni Chetboun, an Israeli special operations Lt Col who went on to serve in the Knesset, and a nonexistent reporter for France24. They've since been suspended from Twitter.
Dig through those two accounts' histories, you'll see they set up copycat websites to push their stories. The "Kelly Turner" account linked to a fake article about the Bonhomme fire lphinfo/.org, a website meant to resemble a real Israeli weekly hosted at lphinfo.com
Read 16 tweets
6 Jul
Twitter just suspended 16 Twitter accounts that were part of a network of fake personas. Together they spent the last year placing about 90 opeds in +40 different news outlets. Newsmax. Washington Examiner. Jerusalem Post. Real Clear Media. thedailybeast.com/right-wing-med…
Meet The Arab Eye/Persia Now network.
The network had about 17 different personas. Most on Twitter. Some not.
Read 29 tweets
18 May
There's an update to this story about the bogus defense contractor report that claims coronavirus leaked from a Wuhan lab. The Daily Beast obtained a second satellite image, this time from Airbus, showing one of the report's key claims is false. thedailybeast.com/pentagon-contr…
One of the central claims is that there was "absolutely no traffic" by the Wuhan Institute of Virology after the alleged leak from Oct 14-19. This claim is based on mobile device data and the authors claimed there were "roadblocks" put in place to prevent traffic coming near it.
@ArmsControlWonk already did a great job showing that nearby construction was likely the source of that "roadblock" theory and that there was normal traffic around. This Airbus Defence and Space image from Oct 15 shows plenty of traffic (see the callouts in red) running nearby.
Read 9 tweets
9 Apr
Bit of a thread. I started working on this data set a couple months ago. Early accounts I found dated back to 2016 but in February I stumbled onto some of the COVID-19 disinfo that Russian trolls, likely from the Secondary Infektion campaign, were pushing. thedailybeast.com/russian-trolls…
Secondary Infektion (SI) is a pretty specific campaign of disinformation that's suspected to be linked to the Russian government. I'm grateful to @benimmo of @Graphika_NYC for helping me on this as they're some of the smartest people around on this campaign.
Here's the SI-linked COVID-19 story. Someone *cough* created a fake hacktivist group called Anonymous Kazakhstan & pushed messages to Kazakh social media claiming that the group had hacked biologists at the Central Reference Lab in Kazakhstan & found it was the source of the virus
Read 23 tweets
21 Jan
New from me: a profile of Brigadier General Ahmed Foruzandeh, Qods Force general who was in charge of running Iranian operations in Iraq for a time during the U.S. occupation. Based in part on declassified FOIA docs DIA took four years to cough up thedailybeast.com/meet-the-gener…
Foruzandeh was deputy commander and then commander of the Qods Force's Ramazan Corps, an IRGC unit tasked with irregular warfare operations in Iraq dating back to the Iran-Iraq war. Part of their purview: assassination of Iraqis viewed as impediments to Iranian influence in Iraq
Assassinating Iraqis working with the U.S.-led coalition was also part of Ramazan's work. Unit divided operations between bases along the Iran-Iraq border. Foruzandeh started his career in the Fajr command, which ran ops with Shia groups in southern Iraq. Here's one Fajr op.
Read 17 tweets
10 Jan
Talked to a bunch of sharp air defense and mil nerds about the SA-15 and how something like the downing of PS752 could happen. Got a few answers. thedailybeast.com/ukraine-plane-…
One, SA-15 can plug into larger air defense networks but designed to be able to operate independently and some think it might not have been well integrated with Iran's larger network.
Two, this has happened before with Iranian SA-15s. NYT reported on a 2007 incident in which an SA-15 crew near Natanz fired at a civilian airliner and missed. They foolishly believed it was an Israeli airliner trying to look like a commercial jet nytimes.com/2012/10/03/wor…
Read 7 tweets
