“We created new accounts on Twitter, using the persona of other Twitter influencers who were mainly counter-revolutionary activists. Ours just differed in a single character and was quite similar to the real one. We used the same picture and same name, but everything was fake. Once created, we started our activities. It was a psychological operation and people were in “fire at will” mode. Once one of these accounts tweeted something, others that were supposedly its friends were retweeting the content. Eventually, the real friends of that very influencer ended up reposting the tweets of the fake account.”
These were the words of an Iranian regime official who now oversees the parliamentary bill that is certain to restrict internet users and their access to the flow of information inside Iran. Ruhollah Mo’men Nasab, a former head of the Culture Ministry’s Digital Media Center and the very person who asked the Iranian regime’s judiciary to subpoena Facebook founder Mark Zuckerberg in 2014, was partially admitting to what he called “old information” in an interview on March 28.
Ruhollah Mo'men Nasab, parliamentary special advisor on the so-called "internet users projection bill" and former commander of the cyber army reveals how #Tehran has been using @Twitter for #propaganda.
#Iran #InternetFreedom pic.twitter.com/kHzjtlEFvR— NCRI-FAC (@iran_policy) March 29, 2022
Aside from a few dozen military and security organizations that specialize in terrorizing the Iranian society and the world, the clerical regime is known to have a vast intelligence and counterintelligence complex to monitor, manipulate and dominate cyberspace. The network mainly carries out two types of operations. Most notorious is a cyberspace force that is responsible for hacking and other types of online assaults. Another, lesser-known and less technical force, whose tracking and identification has been less successfully documented, hasn’t been serving Tehran less, if not more.
This branch of the cyber army is an extensive network established with the aim of disseminating and promoting government discourse on the Internet and damaging dissidents and opposition groups, identifying anti-regime users, and supporting regime activities. The special intelligence unit of the Islamic Revolutionary Guard Corps (IRGC-IU) along with the Ministry of Intelligence (MOIS) of the Iranian regime has initiated a very large system with tens of thousands of social media accounts. The word cyber is specifically attributed to fake accounts affiliated with the regime on Twitter, Facebook, Instagram, and the like. Many of these accounts, sometimes identified by ordinary users, pose as “atheists” or “monarchists”, which seem to have an opposing or critical view of the regime, but in practice, and sometimes in more complex ways, toe the lines of the state and serve its objectives.
To date, none of the organizations or institutions in Iran have formally accepted responsibility for the cyber army, but available evidence suggests that both IRGC-IU and the MOIS have a complex, intertwined relationship running it. Among the evidence are scattered references of a number of the regime’s officials who have admitted to the activities of this special force.
In April 2011, Mojtaba Zulnoor, the former deputy representative of the Supreme Leader of Iran at the IRGC, implicitly confirmed the “Iranian Cyber Army” affiliated with the state and bragged that the Islamic Republic had been able to hack enemy sites using the cyber army.
“In cyberspace, the enemy seeks to strike at the country’s infrastructure and subsystems through soft warfare to cripple that society, and it was clear that the enemy had invested heavily in this area, so we had to prepare ourselves to face this aggression,” then-IRGC Commander Mohammad Ali Jafari said in May 2011, adding: “The potential that the IRGC created within itself paved the way for the identification and confrontation of these networks and it was able to control them to a large extent.”
“With a cyber army such as ours, we have bigger conquests ahead of us,” Ahmadinejad’s Minister of Islamic Guidance and Culture Mohammad Hussein Saffar Harandi had said in March 2010. “The internet is a place in which we have a lot of content and expertise to offer. If we can come up with good content production and put in serious effort, then we will own the Internet users.”
In November 2011, Hossein Hamedani, the former commander of the Tehran Provincial Corps, announced the foundation of two cyber warfare centers in Tehran under the supervision of the Revolutionary Guards.
At a ceremony in December 2011, then-IRGC commander Hossein Hamedani said: “More than 90% of the IRGC’s apparatus has been used in the field of soft warfare. And therefore, on December 29, our cyber warfare officers will be trained, hence the budget and facilities have already been allocated.”
On April 13, 2010, in an interview with Radio Farda, a US government-funded Persian language network, an Iranian journalist said his investigation suggests that the cyber army works under the control of the IRGC.
Farvartish Rezvaniyeh said: “The foundations of the cyber army in the IRGC were established in 2005, prior to Mr. Ahmadinejad’s presidency. They identified two or three strong Iranian hacking teams and asked them to cooperate with them. A series of hackers were invited to cooperate. They sent the money and told you to do it. They didn’t know that they were working with the cyber army. Things got more serious after the election. One of the people who had one of the strongest hacking teams in Iran was the son of a senior official in the Ministry of Intelligence.”
The Staff
The cyber army, whether the technical branch or the lesser skilled wing is a troubled kind. Reports of internal cleansing and low morale have frequently been shared by the media as well as social media.
Mohammad Hossein Tajik, former commander of the cyber army, was one of the Iranian regime’s elite physics students. Fluent in English, Arabic, and Hebrew, he was recruited through his father, a senior intelligence agent at the age of 17 while two of his older brothers were already working at the MOIS. Tajik was a unique talent in the regime’s intelligence community. He had often talked about his close friendship with IRGC Quds Force’s eliminated commander Qassem Soleimani.
According to Ruhollah Zam, an Iranian, France-based reporter who was abducted by the IRGC-IU in 2020 and later executed in Tehran, Mohammad Hossein Tajik increasingly grew at odds with the regime’s establishment and provided Zam with information.
“MOIS officials are exposed to the dirty work and corruption of government officials,” Zam had quoted Tajik in his interview with VOA. “You are faced with a series of dissatisfied, unbalanced, and very stressed human beings. They are subjected to a lot of this kind of information, and the perception that comes from outside this ministry is wrong.”
Tajik was warned by his father to quit, or he would face bitter consequences. He was arrested, tortured, and forced to confess to spying for foreign agencies, and eventually, he was killed on July 5, 2016, at his home in eastern Tehran.
According to Al Arabiya, Tajik was responsible for the ‘Cyber Brigades’, “comprising school students with the aim of taking part in cyber warfare launched against the Islamic Republic. This would be in parallel to the ‘Joint Cyber Army’ of the Iranian Intelligence whose main task is to focus on monitoring online hostilities. Commander of students’ Basij militias, Ali Sabir Hamani said that the ‘virtual cyber committee’ created by the Basij will train students on how “to effectively engage on social media,” according to Fars news agency.”
The Cause
One of the main objectives of Tehran’s intelligence services is to deceive and manipulate its target audience, both inside and outside the country. Lacking legitimacy at home, the clerical regime has concluded that the only way to intimidate the population and the world into backing away from regime change is to try to instill the notion that there is no alternative to the theocracy.
According to multiple investigations and studies, one of the main targets of the cyber army has been the main opposition Mujahedin-e-Khalq (MEK/PMOI) and the National Council of Resistance of Iran (NCRI). For years, the regime has been trying to besmirch, defame and produce propaganda against the group that has posed the greatest danger to its survival. Even though the MEK has been able to strike the most serious strategic, military, intelligence, political and ideological blows to the regime, the theocracy’s propaganda apparatus and cyber army continue to claim that the movement lacks domestic support.
But years before the cyber army even existed, some officials had other reservations. The New York Times reporter Neil MacFarquhar wrote in 1996:
”The brains of the young are very impressionable, so the Mujahedeen Khalq might be able to brainwash people to join them, or they might be able to influence an election,” said a senior government official familiar with the Internet project.”
Decades later, that fear lives on in Tehran.
The Daneshjoo (Students) News Agency published an article on June 12, 2021, with the title ‘The Greatest Danger, In The Shadows of Westernism’: “This wave [of energy] is not directed towards factories and the leap of production, but towards the dangerous and complex structure and organization of the hypocrites [MEK], and it is not clear if it can be stopped with any sort of action. Neither with the police, nor with the broad campaign of raising awareness by the state media about the true nature of the hypocrites [the MEK] and their eclectic views, nor with the overseas efforts of the Ministry of Intelligence by using the elements of defectors of the hypocrites [the MEK] to feed the media and the internet about the nature of the hypocrites [the MEK].”
A state-run website called ‘Rahyafteha’, published an article on May 29, 2021, that read: “This is why a large number of young people, from all walks of life, from workers to honorable elite students, are deceived by the group of hypocrites [the MEK] and are attracted to it… Therefore, we must warn against this sinister idea of eclecticism [the MEK] everywhere. We must warn our youth not to fall into the trap of the hypocrites [the MEK]. We have to keep these words of the leader in mind: You all have to pay attention to the fact that they are working on our youth… and beware of the enemy’s recruitment of our young society”.
The Operation
On social media, the cyber army generates multiple accounts that support each other to maximize propaganda circulation.
The fake accounts regularly pose as anti-regime figures, such as Maryam Rajavi, Massoud Rajavi … or even media outlets like the BBC and Iran International.
On November 4, 2019, for example, the regime posted fake stories about the MEK. It used a fake Twitter account of Alexis Kohler, Secretary-General of the office of French President Emmanuel Macron in Elysée, claiming that “The Secretary-General of the French Presidency has announced that the People’s Mojahedin (PMOI/MEK) will soon be driven from France.”
The incident was also hastily covered and promoted by publications and mouthpieces of Tehran in the United States.
The day after, the Elysee Palace denied this statement, adding that this Twitter account did not belong to Alexis Kohler and that the senior official did not even have a Twitter account.
Fake account made by the MOIS in the name of Alexis Kohler, Secretary-General of the office of French President Emmanuel Macron in Elysée.
Replying to the Agence France Press, the French government dismissed the statement and said that Alexis Kohler does not possess any Twitter account.
⚠️ Les tweets du compte @Alexis_Kohler_ ont été interprétés comme exprimant la position de l'Elysée, par son secrétaire général.
Interrogé par l'AFP, l'Elysée dément : "Il ne s'agit pas de (son) compte Twitter. Il n'a d'ailleurs pas de compte Twitter" ⚠️#AFP— AFP Factuel 🔎 (@AfpFactuel) November 5, 2019
The fake account was consequently suspended by Twitter.
False hashtags are also a commonly used tool by the Iranian regime’s cyber army. Using this method, the line between two words is repeated twice in a row, showing a longer line that is not easily recognizable if the viewer is not careful enough. Another trick is to add a letter to the hashtag or any changes that make it different from the original hashtag.
In light of an event that is organized by the Iranian Resistance and supporters of the MEK or the NCRI want to raise awareness on the occasion, fake accounts affiliated with the regime’s cyber army start posting supportive messages but use the fake hashtag. This way, the cyber army tries to prevent a hashtag that promotes the goals of the Iranian opposition to rank high on global trends and reach its target audience.
In its study, ‘How the IRGC Uses Cyberwarfare To Preserve the Theocracy’, the NCRI office in Washington provided evidence about how Tehran has been using its cyber army to overflow the internet with misinformation, paving the way to cracking down on popular uprisings.
On page 27 of the study, a screenshot is displayed from an Instagram post from (samira.66887722) that shows how the user claims to be a local in four different Iranian cities while rejecting reports that protests have been taking place in Iran.
The message reads: “I’m from Bandar Abbas. Dude, there’s nothing going on here. Everything is calm here. Why are you posting lies?” And the same post is repeated verbatim claiming to be from Gorgan (northern Iran), Shiraz (south-central Iran), and Najafabad (central Iran).
On December 10, 2020, Treadstone 71, LLC, a California-based cyber intelligence and counterintelligence company, released details of an Iranian intelligence-backed influence operation. The release read:
“The Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence and Security (MOIS) joint operation targeted Iranian dissident groups using a timely and coordinated campaign of disinformation. The IRGC Cyber Units triggered core team members with military precision aimed at the National Council of Resistance of Iran (NCRI) annual online conference,” said Jeff Bardin, Chief Intelligence Officer at Treadstone 71.
“The IRGC, MOIS, and low-level Basij Cyber Units flooded Twitter with nearly one hundred twelve thousand tweets over sixty hours using hashtags and content intent on controlling the social media narrative.”
US Report on Iran Regime’s Terrorism Reminds Tehran’s Increasing Threats – NCRI https://t.co/Ux7VEwlZH5
— Treadstone 71 (@Treadstone71LLC) December 19, 2021
The Fate
Information is power, and the regime has sought to dominate the narrative for its own survival. But perhaps reflective of the regime’s own diminishing fate in light of the multiple socio-economic crises and the rising power of the organized resistance, some of the regime’s insiders indicate that Tehran’s cyber army is worn out.
On March 15, in a column for the state-run website Etemad Online, Mohammad Mohajeri, a political activist that is often introduced by state media as a hardliner, criticized a fiscal parliamentary bill that was supposed to be spent on the “Explanatory Jihad”, writing: “Unfortunately, those in charge of such budgets command a “cyber army” and turn our decent, religious, and revolutionary youth into extremists, liars, accusers, and slanderers. In their posts that are published on the internet – Twitter, and Instagram – as well as some domestic platforms, these people practically do not adhere to any religious or moral behavior, rather they create a toxic environment.”
“Surprisingly, their actions are carried out under the direct supervision of their commanders. And most of the time, they are overvalued by being disgraced while they are actually of no value at all,” Mohajeri added. “Rumors that have been circulating in recent years that the payment of large sums to members of the cyber army is astonishing. But they have failed to achieve the goal they have set for themselves.”
Abbas Abdi, a state-affiliated journalist that is widely considered “a moderate voice” by some Western think tanks, wrote in an article published on the state-run website Dideban on March 2: “Some people receive money and perform projects to defend some policies based on their contracts. This includes the cyber army and the press army. They do not necessarily believe what they say or what they write about, and some are not even able to analyze, describe, or defend what the contractor has accepted. So in some cases, they remain silent until the order comes from above, or they try to get away with ridicule and deviant arguments in the meantime.”
“This is why many people regret doing such things in the past and change their attitude,” Abdi added, explaining the mental state of the people who are hired to post lies on the internet. “But those who take money to comment or tweet, cannot deal with their conscience when faced with this problem.”
Warning that such a campaign will eventually backfire, Abdi concluded: “The next negative effect is on the misguidance of the employer himself, who ends up thinking that with this propaganda and falsification of statistics and dissemination through the cyber division, the truth is on their side. It is like a painkiller that does not kill the infection, but it nullifies its effects and causes misinterpretation. I hope they take this situation seriously and do not take any further steps in the direction whose end is well-known.”