Part 2: Timeline - U.S. Claims of Iran Meddling

By 2020, tensions between the United States and Iran increasingly played out in cyberspace. Both governments acknowledged that cyberattacks were central to their strategies, as outlined in an earlier report by The Iran Primer. The following is a timeline of specific U.S. claims of Iran cyber meddling in the U.S. presidential election.

October 4, 2019: Microsoft
“We’ve recently seen significant cyber activity by a threat group we call Phosphorus, which we believe originates from Iran and is linked to the Iranian government,” said Tom Burt, Microsoft corporate vice president for customer security & trust. In a 30-day period between August and September, Phosphorus made more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers and then attack 241 accounts.

“The targeted accounts are associated with a U.S. presidential campaign, current and former U.S. government officials, journalists covering global politics and prominent Iranians living outside Iran. Four accounts were compromised as a result of these attempts; these four accounts were not associated with the U.S. presidential campaign or current and former U.S. government officials…

“Phosphorus used information gathered from researching their targets or other means to game password reset or account recovery features and attempt to take over some targeted accounts… This effort suggests Phosphorus is highly motivated and willing to invest significant time and resources engaging in research and other means of information gathering.”

 

July 24, 2020: Office of the Director of National Intelligence
“Iran seeks to undermine U.S. democratic institutions and divide the country in advance of the elections. Iran’s efforts center around online influence, such as spreading disinformation on social media and recirculating anti-U.S. content,” said William Evanina, director of the DNI’s National Counterterrorism and Security Center.

 

August 7, 2020: Office of the Director of National Intelligence
“Many foreign actors have a preference for who wins the election, which they express through a range of overt and private statements; covert influence efforts are rarer,” said William Evanina, director of the DNI’s National Counterterrorism and Security Center.

“We assess that Iran seeks to undermine U.S. democratic institutions, President Trump, and to divide the country in advance of the 2020 elections.

“Iran’s efforts along these lines probably will focus on on-line influence, such as spreading disinformation on social media and recirculating anti-U.S. content. Tehran’s motivation to conduct such activities is, in part, driven by a perception that President Trump’s reelection would result in a continuation of U.S. pressure on Iran in an effort to foment regime change.”

 

September 10, 2020:  Microsoft
“Phosphorus is an activity group operating from Iran that MSTIC has tracked extensively for several years. The actor has operated espionage campaigns targeting a wide variety of organizations traditionally tied to geopolitical, economic or human rights interests in the Middle East region,” said Tom Burt, Microsoft Vice President for Customer Security & Trust.

“Microsoft has previously taken legal action against Phosphorus’ infrastructure and its efforts late last year to target a U.S. presidential campaign. Last month, as part of our ongoing efforts to disrupt Phosphorus activity, Microsoft was again given permission by a federal court in Washington D.C. to take control of 25 new internet domains used by the Phosphorus. Microsoft has since taken control of these domains. To date, we have used this method to take control of 155 Phosphorus domains.

“Since our last disclosure, Phosphorus has attempted to access the personal or work accounts of individuals involved directly or indirectly with the U.S. presidential election. Between May and June 2020, Phosphorus unsuccessfully attempted to log into the accounts of administration officials and Donald J. Trump for President campaign staff.”

 

September 23, 2020: Department of Homeland Security
Russia, China and Iran are all threats to the 2020 U.S. elections through influence campaigns, Acting Homeland Security Secretary Chad Wolf said at a congressional hearing. But, so far, he added, there was no evidence that foreign countries were interfering in U.S. election infrastructure.

 

October 6, 2020: Department of Homeland Security Threat Assessment
“China, Russia, and Iran will try to use cyber capabilities or foreign influence to compromise or disrupt infrastructure related to the 2020 U.S. Presidential election, aggravate social and racial tensions, undermine trust in U.S. authorities, and criticize our elected officials,” the DHS report concluded.

“Iran will continue to promote messages supporting its foreign policy objectives and to use online influence operations to increase societal tensions in the United States. Tehran most likely considers the current U.S. Administration a threat to the regime’s stability. Iran’s critical messaging of the U.S. President almost certainly will continue throughout 2020.”

 

October 15, 2020: Department of State
“We’ve been working to convince the Islamic Republic of Iran that it is going to be very costly to them if they engage in election inference here, Secretary of State Mike Pompeo said. “That foreign element, that international component of this, is what the State Department is deeply focused on.”

 

October 21, 2020: Office of the Director of National Intelligence
“We have identified that two foreign actors, Iran and Russia, have taken specific actions to influence public opinion relating to our elections,” said DNI Director John Ratcliffe. “First, we have confirmed that some voter registration information has been obtained by Iran and separately by Russia. This data can be used by foreign actors to attempt to communicate false information to registered voters that they hope will cause confusion, sow chaos, and undermine your confidence in American democracy.

“To that end, we have already seen Iran sending spoofed emails designed to intimidate voters, insight social unrest and damage President Trump…Iran is distributing other content to include a video that implies that individuals could cast fraudulent ballots, even from overseas. This video, and any claims about such allegedly fraudulent ballots are not true. These actions are desperate attempts by desperate adversaries.”

The following is a screenshot of one of the spoofed emails. 

Proud Boys spoofed email

 

October 22, 2020: Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI)
“Iranian advanced persistent threat (APT) actors are likely intent on influencing and interfering with the U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process,” CISA and the FBI warned

“The APT actors are creating fictitious media sites and spoofing legitimate media sites to spread obtained U.S. voter-registration data, anti-American propaganda, and misinformation about voter suppression, voter fraud, and ballot fraud.

“The APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, structured query language (SQL) injections attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.” 

 

October 22, 2020: Department of the Treasury
“Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated five Iranian entities for attempting to influence elections in the United States. The Iranian regime has targeted the United States’ electoral process with brazen attempts to sow discord among the voting populace by spreading disinformation online and executing malign influence operations aimed at misleading U.S. voters. Components of the Government of Iran, disguised as news organizations or media outlets, have targeted the United States in order to subvert U.S. democratic processes.

“'The Iranian regime uses false narratives and other misleading content to attempt to influence U.S. elections,' said Secretary Steven T. Mnuchin. 'This Administration is committed to ensuring the integrity of the U.S. election system and will continue to counter efforts from any foreign actor that threatens our electoral processes.'”

“Treasury designated the Islamic Revolutionary Guard Corps (IRGC), the IRGC-Qods Force (IRGC-QF), and Bayan Rasaneh Gostar Institute (Bayan Gostar) pursuant to Executive Order (E.O.) 13848 for having directly or indirectly engaged in, sponsored, concealed, or otherwise been complicit in foreign interference in the 2020 U.S. presidential election. The Iranian Islamic Radio and Television Union (IRTVU) and International Union of Virtual Media (IUVM) were designated pursuant to E.O. 13848 for being owned or controlled by the IRGC-QF. The IRGC, including the IRGC-QF, has been designated under multiple authorities since 2007.

“The Iranian regime’s disinformation efforts have targeted a global audience through a variety of covert media organizations. Disinformation campaigns run by the Iranian regime focus on sowing discord among readers via social media platforms and messaging applications, and frequently involve mischaracterizing information.

“Since at least 2015, Bayan Gostar has served as a front company for IRGC-QF propaganda efforts. In the months leading up to the 2020 U.S. presidential election, Bayan Gostar personnel have planned to influence the election by exploiting social issues within the United States, including the COVID-19 pandemic, and denigrating U.S. political figures. As recently as summer 2020, Bayan Gostar was prepared to execute a series of influence operations directed at the U.S. populace ahead of the presidential election.

Treasury graphic

“IRTVU, a propaganda arm of the IRGC-QF, and IUVM aided Bayan Gostar in efforts to reach U.S. audiences. In addition, IRGC-QF outlets amplified false narratives in English, and posted disparaging propaganda articles and other U.S.-oriented content with the intent to sow discord among U.S. audiences. IUVM also posted conspiracy theories and disinformation related to the COVID-19 pandemic.

“The Treasury Department encourages the American people to confirm information received via social media intelligently by going to multiple trusted sources for news and information, particularly when the source or suspected source of the information is from outside the United States. More guidance specific to the U.S. 2020 election and disinformation campaigns can be found here: https://www.cisa.gov/rumorcontrol

“As a result of today’s designations, all property and interests in property of the persons designated today subject to U.S. jurisdiction are blocked, and U.S persons are generally prohibited from engaging in transactions with them. In addition, foreign financial institutions that knowingly facilitate significant transactions for, or persons that provide material or certain other support to, the persons designated today risk exposure to sanctions that could sever their access to the U.S. financial system or block their property and interests in property under U.S. jurisdiction. Additionally, any entities 50 percent or more owned by one or more designated persons are also blocked.”

October 23, 2020: Department of State 
“The United States will not tolerate foreign interference in our elections. The whole of the U.S. government is using all the tools at our disposal to target those who attempt to interfere in our democratic process,” Secretary of State Mike Pompeo warned. Yesterday’s action sanctions five Iranian entities pursuant to Executive Order 13848 for their efforts to spread disinformation and undermine our elections. We are also adding several cyber actors to our terrorist watch list and databases for their known association with the Islamic Revolutionary Guard Corps (IRGC), a U.S.-designated Foreign Terrorist Organization and Specially Designated Global Terrorist, which will effectively prevent those individuals and their families from traveling to the United States.

“For far too long, the Iranian regime has used its state propaganda machine to lie to the Iranian people and fan the flames of hatred against the United States. Iran has now deployed some of the same propaganda and media infrastructure in an attempt to undermine elections in the United States. The five entities designated – the IRGC, the IRGC-Qods Force (IRGC-QF), Bayan Rasaneh Gostar Institute, Iranian Islamic Radio and Television Union (IRTVU), and International Union of Virtual Media (IUVM) – have engaged directly or indirectly in, sponsored, concealed, or otherwise been complicit in, foreign interference in the 2020 U.S. presidential election, or are owned or controlled by entities engaged in such activity.
Through covert media operations, including targeted disinformation efforts directed at U.S. voters, the Iranian regime has demonstrated its intent is to undermine American elections. Over the past few months, Bayan Gostar, a front company for IRGC-QF propaganda efforts, has actively planned influence operations involving U.S. elections. IRTVU and IUVM appear to be propaganda arms of the Iranian regime that assisted in these efforts.”

“The individuals added to the terrorist watchlist are known members of the IRGC’s cyber operations unit. Those with the technical and educational skills required to carry out malicious cyber acts should take note; we will hold accountable those who join the IRGC and carry out malicious cyber activities. Talented Iranians should use their skills to promote peace and foster prosperity for their families, not assist the Islamic Republic in conducting its oppression at home and spreading terror abroad.

October 27, 2020: Facebook
“Today we removed three separate networks for violating our policy against coordinated inauthentic behavior (CIB). Two of these networks targeted the United States, among other countries, and one network originated in and targeted domestic audiences in Myanmar,” said Nathaniel Gleicher, Head of Security Policy at Facebook, in a statement

“In each case, the people behind this activity coordinated with one another and used fake accounts as a central part of their operations to mislead people about who they are and what they are doing, and that was the basis for our action. When we investigate and remove these operations, we focus on behavior rather than content, no matter who’s behind them, what they post, or whether they’re foreign or domestic.”

2. We also removed 12 Facebook accounts, 6 Pages and 11 Instagram accounts for government interference which is coordinated inauthentic behavior on behalf of a government entity. This small network originated in Iran and focused primarily on the US and Israel.

“We began this investigation based on information from the FBI about this network’s off-platform activity. As a result, last week, we removed a single fake account created in October 2020 that attempted to seed false claims and unsubstantiated election-related threats as part of an influence operation carried out primarily via email. Our teams continued to investigate and found additional dormant accounts and Pages that had been largely inactive since May 2019 and focused primarily on Israel. This operation used fake accounts — some of which had been already detected and removed by our automated system. Some of these accounts tried to contact others, including an Afghanistan-focused media outlet, to spread their information. They focused on Saudi Arabia’s activities in the Middle East and claims about an alleged massacre at Eurovision, an international song contest, hosted by Israel in 2019.

“Although the people behind this activity attempted to conceal their identity and coordination, our investigation found limited links to the CIB network we removed in April 2020 and connections to individuals associated with the Iranian government.

  • Presence on Facebook and Instagram: 12 Facebook accounts, 6 Pages and 11 Instagram accounts.
  • Followers: About 120 accounts followed one or more of these Pages and about 700 people followed one of more of these Instagram accounts.

 

October 30, 2020: Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI)
“CISA and the FBI are aware of an Iranian advanced persistent threat (APT) actor targeting U.S. state websites—to include election websites. CISA and the FBI assess this actor is responsible for the mass dissemination of voter intimidation emails to U.S. citizens and the dissemination of U.S. election-related disinformation in mid-October 2020.”

“Further evaluation by CISA and the FBI has identified the targeting of U.S. state election websites was an intentional effort to influence and interfere with the 2020 U.S. presidential election.”
 

 

Updated