Treadstone 71, a cyber security monitor with special focus on the Iranian regime, has published an analysis of disinformation activities and social media manipulation related to an annual gathering of Iranian expatriates and dissident activists. The report notes that this analysis was motivated by Treadstone’s recognition of a spike in coordinated Twitter activity featuring hashtags that disparaged the organizers of the event, and its keynote speaker.
“The primary hashtag… targeted Maryam Rajavi,” the report noted in a section that established the context of the resulting study. “Maryam Rajavi is the president-elect of the National Council of Resistance of Iran (NCRI), an umbrella organization of Iranian opposition groups dedicated to the Iranian government’s overthrow.”
The sudden emergence of that hashtag on July 17, 2020 raised questions among Treadstone researchers, which led the company to the discovery of a wealth of other activity surrounding the Free Iran 2020 Global Summit. The largely virtual event featured hundreds of political supporters of the NCRI, including European members of parliament and American government officials, who delivered speeches via Zoom over the course of three days.
As a symbol of the expanding influence of a pro-democracy Iranian Resistance movement, the event was a prime target for cyber activity affiliated with Iran’s clerical regime. In both January 2018 and November 2019, that regime faced nationwide anti-government uprisings encompassing between 100 and 200 localities and featuring slogans that evoked an explicit call for regime change. Those developments sparked massive crackdowns on dissent inside the Iran, and according to the NCRI, such crackdowns frequently go hand-in-hand with increased activity connected to perennial disinformation campaign targeted the coalition and its main constituent group, the People’s Mojahedin Organization of Iran (PMOI-MEK).
The recent Treadstone report supports this claim while also highlighting some of the key tactics that regime authorities use in an effort to spread their disinformation. The company’s analysis determined that the July upsurge in coordinated social media activity was the product of a sudden glut of false accounts and Twitter bots. Specifically, Treadstone calculated that of all the accounts that tweeted negative talking points about the Iranian Resistance during July’s event, 46 percent of them were fake.
#IRGC #MOIS #Basij joint influence operation – Anonymous communications occurred via @BChatBot and @BiChatBot non-inclusively on Telegram for communication purposes between Cyber Units @ABC @NBCNews @CBSNLive @FoxNews @BBCBreaking @ABCNewsLive @cnnbrk https://t.co/Kcdn4dUBhz
— Treadstone 71 (@Treadstone71LLC) December 10, 2020
The total number of such accounts was determined to be 11,294, and their misleading nature was confirmed in the immediate aftermath of the summit, when thousands of the either suddenly went dormant, deleted most of the content they had posted, or disappeared altogether. Treadstone also noted that Twitter’s own periodic review of allegedly false accounts led to 35 percent of core members in the disinformation campaign being removed from the platform, for reasons unrelated to the cybersecurity firm’s investigation.
But now that that investigation has gone public, it arguably makes the case for more widespread removal of Iranian state-affiliated content, including entire accounts and multiple-account networks that seemingly exist for the sole purpose of promoting regime talking points and demonizing the leadership of a pro-democracy opposition group. Treadstone even connected its analysis of Twitter activity to broader concerns about a disinformation campaign that has been taking place for many years, across many platforms.
One section of the company’s report is dedicated to the Nejat Society, which claims to be a non-governmental organization but was evidently founded by the Iranian Ministry of Intelligence and receives funding from the Iranian government. Nejat maintains an active presence on Twitter and participated in the campaign surrounding the NCRI’s July summit, but Treadstone specified that it has a much broader presence besides. “The Nejat Society represents an Iranian government-funded and run series of social media accounts and websites intent on delivering a positive view of the Iranian regime while portraying anything to the contrary as negative and evil.”
The NCRI has long sought to bring international attention to the reality of an underlying operation in which the Nejat Society is only one of several networks of agents. The Treadstone report corroborated this point, as well, noting that multiple, simultaneous angles of attack make the regime’s cyber operations look disjointed, when in fact they constitute a “highly coordinated disinformation campaign.”
The report further specifies that that coordination has increased over the past decade, and will likely continue to do so unless actions are undertaken by foreign governments and technology companies to address the associated threats. Treadstone pointed to the IRGC’s paramilitary force Basij, and Basij Cyber Council as the organizing force behind efforts to interfere with the Free Iran Global Summit, and it explained that the Council began its overarching mission in 2010 after recruiting an initial team of 1,500 hackers and social media influence operatives.
Treadstone added that the number of these operatives has grown steadily ever since, as has the level of sophistication in their operations. As one example of that sophistication, Treadstone pointed to the strict hierarchical command structure for the disinformation campaign. “At least four Revolutionary Guard Cyber Unit (RGCU) Twitter users played an essential role in managing the campaign to ensure the hashtag trending in Iran,” the report said. “At least nine other accounts belonging to IRGC Cyber Units helped manage and expand the campaign in different social environments.”
This account of far-reaching coordination and delegation is reminiscent of other cyber security firms’ observations of rising levels of expertise among Iranian hackers. Reports to that effect have noted an increase in salient threats of cyber espionage and cyber terrorism against Western targets. Insofar as these warnings highlight the Islamic Republic’s capability to infiltrate networks far beyond its own borders, they also underscore the danger of anti-opposition talking points gaining traction on American and European social media.
This is certainly a key goal of the Basij Cyber Council and RGCU, but as Treadstone emphasized, it is only one of many. The report observed activity related to the NCRI event over a period of more than 60 hours, and it concluded that the intentions behind that level of activity likely included presenting malicious content to the general public, burying oppositional content under state propaganda within Iran’s social media landscape, sowing chaos, controlling the narrative, and promoting divisions within the Iranian Resistance movement as well as between that movement and other critics of the Iranian regime.
In service of this last goal, Treadstone observes, the accounts contributing to the disinformation campaign often presented themselves in the guise of monarchists, communists, members of leftist opposition groups, and general proponents of regime change in Iran. These claimed affiliations represent only one of several ways in which disinformation agents misrepresented their own identities in order to manipulate readers. Some accounts have been found to change their overall identity over time, even switching genders in order to better serve a narrative. But assumed political identities have the particular effect of conveying the message that both supporters and opponents of the Iranian regime are similarly at odds with the primary opposition, as represented by the NCRI, the MEK, and Maryam Rajavi.
This narrative was seriously undermined during Iran’s January 2018 uprising, as the regime’s Supreme Leader Ali Khamenei attributed the rapid spread and provocative messaging of that movement to the MEK’s previously unacknowledged domestic popularity and social influence. Nevertheless, the Treadstone report helps to prove that regime authorities are devoting considerable resources to their effort to rehabilitate that narrative and discourage both domestic and international support for the democratic Resistance during this time of almost unprecedented conflict between the regime and its people.
In the year since the 2019 uprising, various Iranian officials have publicly warned of the looming threat of additional popular uprisings. Widespread public demonstrations have presumably been held back to some extent by Iran’s coronavirus outbreak, which is by far the worst in the Middle East, but the government’s mismanagement of that crisis has also given people more incentive to organize against the regime. As the previous two uprisings helped to demonstrate, the MEK is the likeliest conduit for that organizing, and so the regime is certain to remain fixated on demonizing and discrediting it.