Iranian IO Domains - Sneak Peek
Welcome to Memetic Warfare. We’re in unprecedented territory here as I’m posting a second consecutive post in one day, something that I almost never do and probably won’t do again going forward. However, it’s worth it.
Today’s post is a sneak peek at some long-form research that I’ve been working on at the FDD with Max Lesser. This will only be a small portion of the total report to be published later, but it’ll cover the technical details and background needed.
There are some points (if I humbly say so myself) worth pausing on in the section below. These include:
An OpSec breach in DNS Start of Authority (SOA) records that seems to expose the emails used to register some of the network’s domains despite the use of WHOIS proxies
The use of at least one suspected fake journalist in one of the domains
The global reach of the operation and its dwell time - since 2020 in the earliest case
So, let’s begin.
Iranian Global Influence Operation Targets 2024 US Elections
Microsoft exposed a network of Iranian influence operation (IO) domains in August 2024 targeting the 2024 U.S. elections. The Foundation for Defense of Democracies (FDD) used the information published by Microsoft as a starting point to find additional domains, identifying 19 in total, including those identified by Microsoft and, later, OpenAI. Microsoft assessed niothinker[.]com and savannahtime[.]com to be Iranian IO domains, and both Microsoft and Mandiant assessed evenpolitics[.]com to be an Iranian IO domain. These three domains served as the initial lead for FDD’s investigation. OpenAI later attributed two domains, westlandsun[.]com and teorator[.]com, to Iran.
Domains in this broader network target specific demographics and regions in the United States, including Muslim Americans in Michigan and African Americans. Other domains target global audiences, including French, Spanish, Arabic, and Azeri speakers.
These domains share both technical indicators and qualitative features that strengthen the assessment that they are operated by Iran. Content also plays a role: the domains promote content and narratives that align with Iranian national interests, typically writing favorably about Iran and its proxies, including Hamas, Hezbollah, and the Houthis, while attacking Iran’s enemies.
The Domains in this Network
Niothinker[.]com: Covers U.S. politics and elections from a left-wing perspective.
Evenpolitics[.]com: Covers U.S. politics and elections from a left-wing perspective.
Afromajority[.]com: Targets African American voters with left-wing content related to the upcoming U.S. presidential elections and other issues concerning African Americans.
Savannahtime[.]com: Covers U.S. politics from a right-wing perspective and criticizes Kamala Harris.
Critiquepolitique[.]com: Covers French and international politics, with a focus on Middle Eastern political conflicts and heavy criticism of Israel.
Almorasiloun[.]com: Arabic language website criticizing Israel and covering Hezbollah.
Al-sarira[.]com: Covers Middle Eastern politics and features several articles on how U.S. presidential candidates and the U.S. election will impact the Middle East.
Notourwar[.]com: Publishes reports on U.S. involvement in foreign conflicts with a negative view of U.S. intervention, claiming the United States is committing war crimes and atrocities; includes a section on the website titled Veterans, suggesting the site targets the veteran community.
Westlandsun[.]com: Targets Muslim American voters in Michigan, covering American politics and the U.S. election from a left-wing perspective.
Ksanews24[.]com: Covers the Arab world in Arabic, criticizing Israel and its actions in Gaza. Targets audiences in Saudi Arabia, with KSA standing for ‘Kingdom of Saudi Arabia’.
Lalinearoja[.]net: Covers world politics and elections in various countries, including U.S. elections. Includes content focusing on divisions among Latino voters in the United States.
Muscat[.]press: Targets Oman. Covers international news in Arabic, focusing on the Middle East and on deaths caused by conflicts.
Peopleofpersia[.]com: English language website with information on Persian historical figures, arts, and culture. Particular focus placed on ethnic groups within Iran.
Francepresse24[.]com: Covers international and French news with a heavy focus on France and occasional critiques of the French government. Francepresse24 may be an attempt to impersonate France 24 news.
Heraldalba[.]com: Targets Scotland with calls for Scottish independence. Covers international news and politics with a focus on UK politics and elections, emphasis on the Israel-Palestinian conflict and support for Palestine.
Israelboycottvoice[.]com: Includes both English and Azeri-language content urging readers to boycott Israel.
Teorator[.]com: Covers current U.S. politics, catering to far-right audiences and amplifying conspiratorial perspectives that devalue the legitimacy of public institutions.
Thebritishtribune[.]com: Covers British affairs, catering to anti-Brexit and anti-Conservative party readers.
Click-news[.]net: Arabic-language news outlet, seemingly defunct since January 2024. Reports on Middle Eastern society, economy, sports, and politics.
How FDD Identified this Network
FDD identified the domains in this network by investigating the three Iranian IO domains that Microsoft disclosed in its August report. These three domains – niothinker[.]com, evenpolitics[.]com, and savannahtime[.]com – are all currently hosted on the same server, located at 146.70.118[.]226 and operated by M247 hosting, a dedicated hosting server provider and reseller using servers provided by MonoVM.
This host is interesting: the number of domains and mail servers hosted on it indicates that it is a shared web hosting server, so the domains hosted on it are presumably not tied to each other. However, the domains identified by Microsoft were all hosted (and still are) on the same host, so the server was worth combing through passive DNS records for current and past domains hosted on it.
Domain Analysis
Most domains in this network are currently hosted on a server located at the IP address 146.70.118[.]226 (as of 8.22.2024). This server currently hosts 15 of the 19 domains in the Iranian network. Two of the three domains not currently on this host, heraldalba[.]com and francepresse24[.]com, have been moved to Cloudflare but were previously hosted on the same server. The third domain not hosted on this server, israelboycottvoice[.]com, was never hosted on this server, but historically shared another host with other domains in this network.
In addition to 146.70.118[.]226, many of the domains in this network share additional past hosting servers, visualized in the chart below. These five servers all host other domains that appear unrelated to each other, unrelated to the network discussed in this paper, and unrelated to Iran. This suggests that multiple unrelated clients use this shared hosting infrastructure. At the same time, 17 domains share at least 2 current or historical hosts, 14 domains share at least 3, 9 domains share at least 4, and 2 domains share at least 5.
5 out of the 7 shared hosts are rented out by the same company, M247. Three hosts are also in the same Autonomous System (AS), meaning their IP addresses are announced by the same network operator and fall within that operator’s address ranges. At least 4 hosts have hostnames referencing a separate company called MonoVM. The exact relationship between M247 and MonoVM is not clear; it appears that M247 serves as a colocation and hosting provider that resells access to MonoVM servers. MonoVM accepts crypto payment for hosting, and additionally provides hosting and server rental services in Russia and other countries. MonoVM includes specific services for hosting WordPress domains.
One host associated with this network, 146.70.118[.]226, serves a self-signed TLS certificate, meaning the certificate was not issued by a publicly trusted certificate authority. This is commonly a sign of a suspicious domain or host, although default certificates on shared hosting servers are often self-signed as well, so on its own it is a weak indicator.
The email addresses of the creators of several of these domains appear in the DNS Start of Authority (SOA) records associated with these domains (the SOA record’s RNAME field holds the zone administrator’s mailbox, written with the ‘@’ replaced by a dot), and in two cases emails also appear within historical WHOIS records. Several patterns across registrant email addresses suggest they may have been created in coordination. All email addresses are Gmail addresses. None of the email addresses has any affiliated accounts beyond Google accounts, as per checks in OSINT Industries, breached data aggregators, and other sources. All except one email address also follow a similar naming convention, combining a full name with a year.
Looking at the earliest SOA record for niothinker[.]com in Silent Push exposes the email address jasoncrenninger@gmail[.]com. Similarly, the earliest SOA record for westlandsun[.]com exposes adrien.sweet73@gmail[.]com, and the earliest SOA record for francepresse24[.]com exposes grosvenor24presse@gmail[.]com.
The historical WHOIS records for afromajority[.]com expose that it was registered by one travis.boswell1995@gmail[.]com. This email does not appear in the domain’s SOA records. A single email address, amalyasin1994@gmail[.]com, is listed in both the SOA record and the historical WHOIS record for almorasiloun[.]com.
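As an added example (not code from the FDD report or this post), the following Python check performs the SOA audit described above from a defender’s side: it decodes the RNAME field of an SOA record into the mailbox it encodes (RFC 1035 escaping, where the first unescaped dot stands for ‘@’ and `\.` is a literal dot) and flags zones whose contact looks like a personal name-plus-year address rather than a role mailbox. The sample records and names are constructed; the same logic can be run over `dig SOA` output for one’s own zones before a registrar proxy is assumed to hide anything.

```python
import re

# Constructed sample SOA rdata (NOT from the page). Format per RFC 1035:
#   MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
# RNAME encodes the zone contact mailbox: '@' is written as '.', and a
# literal dot inside the local part is escaped as '\.'.
SAMPLE_SOA = {
    "example-news.test.": "ns1.hoster.test. janedoe1988.gmail.com. 2024082201 3600 1800 1209600 86400",
    "other-outlet.test.": "ns1.hoster.test. first\\.last73.gmail.com. 2024082202 3600 1800 1209600 86400",
    "role-contact.test.": "ns1.hoster.test. hostmaster.hoster.test. 2024082203 3600 1800 1209600 86400",
}

# Heuristic for the naming convention noted above: letters (optionally a
# dotted second name) followed by a 2- or 4-digit year-like suffix.
NAME_YEAR = re.compile(r"^[a-z]+(?:\.[a-z]+)?\d{2,4}$")

# Role mailboxes that hosting providers commonly place in SOA records by default.
ROLE_LOCAL_PARTS = {"hostmaster", "postmaster", "admin", "dns", "root", "noc"}


def rname_to_email(rname: str) -> str:
    """Decode an SOA RNAME into the mailbox it represents."""
    rname = rname.rstrip(".")
    local = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):  # escaped dot: keep it literally
            local.append(rname[i + 1])
            i += 2
        elif ch == ".":  # first unescaped dot separates local part from domain
            return "".join(local) + "@" + rname[i + 1:]
        else:
            local.append(ch)
            i += 1
    return "".join(local)  # degenerate RNAME with no domain part


def exposed_contacts(records: dict) -> dict:
    """Map zone -> (email, looks_like_name_plus_year) for non-role SOA contacts."""
    findings = {}
    for zone, rdata in records.items():
        fields = rdata.split()
        email = rname_to_email(fields[1])
        local_part = email.split("@", 1)[0].lower()
        if local_part in ROLE_LOCAL_PARTS:
            continue  # provider default, not a registrant's personal address
        findings[zone] = (email, bool(NAME_YEAR.match(local_part)))
    return findings


if __name__ == "__main__":
    for zone, (email, name_year) in exposed_contacts(SAMPLE_SOA).items():
        print(f"{zone} exposes {email} (name+year pattern: {name_year})")
```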
When taken together, the shared internet infrastructure and other features of the domains provide evidence that they are related to each other. These indicators include the following:
Shared historical web hosting servers across all domains
Common naming conventions in registrant emails across multiple domains
Same WordPress software across most domains and the same WordPress theme across many domains
Anonymous staff writers on most domains and inauthentic authors on several domains
Weather widgets hardcoded for location across several domains
Broken links to social media accounts
Solicitation for content and news tips from readers across several domains
It is important to note that previously attributed Iranian IO domains share several of these indicators with those newly identified by FDD. This strengthens FDD’s assessment that they are also Iranian IO domains, especially when considered alongside FDD’s content analysis which will be provided in a future report.
All of the domains in this network use WordPress. 13 of the domains use Elementor, a WordPress page-builder plugin developed by an Israeli company. Many use the same WordPress theme, with 8 using the theme ‘Hello Elementor’.
15 of the domains publish articles under the ‘staff’ or ‘publishers’ of the given domain, with no personal attribution given to authors. Several domains also utilize inauthentic identities for authors, although these comprise a small minority of domains. Attributing articles to the “staff” is a common tactic used to obscure the ownership of a given domain.
In addition to staff authors, several domains attribute articles to seemingly inauthentic authors. Israelboycottvoice[.]com features one author, Keith D. Foster, with no image or other identifying information in the domain’s English-language version, whereas it uses a similarly inauthentic identity with an Azeri name for its Azeri version. Critiquepolitique[.]com features two apparently inauthentic authors, Francoise Riviere and Remy Legaros, both with no other information or attribution.
Many of the domains have Gravatar accounts affiliated with them. Gravatar is integrated into WordPress: author avatars are fetched from Gravatar using a hash of the account’s registration email, so the Gravatar profile tied to a WordPress account can be located from that hash. These profiles are overwhelmingly left empty in the network, but on teorator[.]com, one profile affiliated with the suspected inauthentic author “MJ Lansford” exists with a fake username. This serves as further evidence that the account created in this case is inauthentic.
Several of the identified domains have boilerplate links to social media accounts that do not exist. These link sets are often included by default in WordPress themes. Leaving them in with broken or nonexistent links is an oversight in the production quality of the given domain.
Two of the domains, westlandsun[.]com and ksanews24[.]com, have weather widgets hardcoded to specific locations. These weather widgets show the weather in Michigan and Riyadh, Saudi Arabia, respectively, to all visitors regardless of the visitor’s location. Typical weather widgets show weather based upon the IP address of the visitor of the site.
Several of the network domains solicit content and tips from readers. This is a common IO tactic used to provide a veneer of authenticity while simultaneously soliciting content for articles and gathering visitors’ information for future exploitation.
Content Analysis
The content of the domains in this network strongly indicates that the domains are Iranian IO domains, especially when considered alongside the technical indicators outlined above. The content of these domains often aligns with Iranian national interests, positively framing Iran and its proxies while condemning the United States, Israel, France, and the UK. One domain notably includes an article that refers to “Iran’s Geopolitical Supremacy” in its title. Certain domains also cover niche topics, such as support for Scottish independence, which Iran has promoted in its influence operations in the past.
FDD will provide fuller content analysis in a future report, but below are several examples of notable domains in this network.
Afromajority[.]com
Afromajority[.]com targets African American voters with content that is often anti-Trump, pro-Harris, and supportive of the Black Lives Matter (BLM) movement. Much of the domain’s content directly addresses the 2024 U.S. elections. In addition to election-related content, the domain addresses broader issues affecting the African American community, likely to strengthen the appearance of authenticity and increase engagement from the intended audience. The bylines are not attributed to specific authors, but rather to the “Afromajority Staff.”
Much of the domain’s content frames Iran in a positive light. Sometimes, this pro-Iranian stance is more subtle. For example, one article titled “The 2024 U.S. Presidential Election: Navigating a Nation Divided” only mentions Iran once, alleging that “The high turnout rates In other contexts [sic], such as the recent Iranian presidential election, serve as a stark contrast to the persistent problem of low voter turnout in the U.S., particularly among minority communities.”
Other articles more explicitly praise the Iranian regime. For example, one article titled “Black America’s Unbreakable Bond with the Palestinian Struggle” extensively quotes comments attributed to Iranian Supreme Leader Ali Khamenei that express solidarity with U.S. students protesting Israel on college campuses. The article describes Khamenei’s alleged statements in an extremely positive, almost saccharine light, for example, writing that “Khamenei’s message is a profound act of empathy, an embrace of the shared struggle for justice animating the current wave of mobilizations from the youth vanguard.” Ironically, the article also claims that “While [Khamenei’s] words will undoubtedly raise hackles among the usual detractors quick to denounce any Iran-related rhetoric as propagandistic warmongering, they possess a kernel of revolutionary truth that cannot be so easily dismissed.”
One article, “Black Lives Matter: Shaping the 2024 Presidential Election and Beyond,” includes a prompt at the beginning including the phrase “meta-description,” suggesting that the content may have been partially crafted or optimized using AI tools. Other evidence of AI-generated text includes blatant factual errors, such as an article from July 31, 2024 which refers to deceased Iranian president Ebrahim Raisi as Iran’s “newly-inaugurated president.”
Al-Sarira[.]com
Al-sarira[.]com is an English-language, Middle East-focused outlet with an editorial line that is distinctly anti-Israel and anti-Saudi. The latest elections in Iran have their own dedicated section on the website. The website also has articles that positively frame Iranian proxies, including Hezbollah, Hamas and the Houthis. The website has a sleek, modern design, but some of its content is notably outdated. For example, a featured interview on the homepage dated June 28, 2024, discusses Iran's “upcoming” presidential election. Many articles feature grammar mistakes.
The website's “About Us” page adopts a conspiratorial tone, stating, “We believe there is a secret behind any news. Our world, along with us, is formed by the unknowns. Our goal is to find the keys.” Articles are mostly attributed to "Sarira Staff," with some additional authors contributing on occasion. At least one author on the domain, Jeric Azar, has been confirmed to be inauthentic, using a profile picture on Twitter stolen from news domains.
Al-Sarira has an accompanying Twitter account with only 8 followers.
The upcoming U.S. elections are a topic covered by the outlet as well. One article covered the anti-Israel protesters protesting Kamala Harris during the Democratic National Convention. Another article from March 2024 covered the pro-Palestine “Uncommitted” Movement.
Recent articles on Al-sarira[.]com portray Saudi Arabia in a negative light. Some articles are overtly critical, such as "Saudi Arabia hangs one person every two days; new report reveals.” Others are less direct but still emphasize perceived weaknesses within the kingdom, like "Saudi oil sale plummets curtailing the kingdom’s bid for economic overhaul" and "Foreign investment in Saudi Arabia at lowest levels since 2021.” The site's content occasionally features stilted English, with awkward phrases like "Iran and Hezbollah’s coming-soon drones and missiles" and "to give an example of how much careless and abundant has been Israel’s." This suggests that the domain’s operators lack English-language fluency.
One notable article titled “Israel Can Never Defeat Hamas; US Officials Say,” alleges that senior U.S. national security officials have publicly acknowledged that Hamas cannot be defeated. It cites a quote from General Joseph L. Votel (CENTCOM), although the context and authenticity of the quote is unclear. The article features inflammatory subheadings, such as "Bibi still believes in war!" and "The war has only made Israel less safe!"
Another article titled "Yemen Military Ready to Strike Saudi Arabia; ‘Just try it!’" focuses on a recent Houthi video threatening Saudi Arabia. The video, reportedly featuring Abdul-Malik al-Houthi, warns Saudi Arabia against further aggression, stating, "America is trying to entangle you, and if you want that, just try it." The article does acknowledge some Yemeni responsibility in the conflict, noting that "Both sides have committed war crimes, and the result is one of the greatest humanitarian disasters ever."
There’s going to be more coming soon in the full report.