
SecurityTrails Blog · Dec 17 2020 · by SecurityTrails Team

Iran, the IRGC and Fake News Websites


Recently, the Department of Justice made two public announcements about shutting down fake news websites created by Iran’s Islamic Revolutionary Guard Corps (IRGC). In the first instance, 92 domains were seized in August 2020. And according to the second announcement, 27 more domains were seized as part of the same effort to spread global disinformation.

That prompted us to take a look—to see what we can discover using OSINT, our powerful and versatile tool SurfaceBrowser™, and archive.org for further analysis.

The geopolitical issues surrounding such an investigation are not lost on us, but this data is already public (OSINT). It’s only a matter of finding out what it tells us.

Some of the data we’ll examine includes:

  • WHOIS (including history)
  • DNS (current + historical)
  • Subdomains with their associated hosts, open ports and more

The DoJ and the domains

While we admire the DoJ investigators for finding these deceptive domains, what we didn’t like is their first press release. The release said that a list of the 92 domains was available ‘here’, but was actually nowhere to be found on their website. This left us with only eight seized domains to look at (four in August and four in November).

August seized domains:

newsstand7[.]com
usjournal[.]net
usjournal[.]us
twtoday[.]net

November seized domains:

rpfront[.]com
ahtribune[.]com
awdnews[.]com
criticalstudies[.]org

First analysis of the data

The four domains from August were not that helpful, yielding only limited amounts of extra data. For example, newsstand7[.]com sat behind WHOIS privacy, and its DNS history showed nothing but NameCheap and CloudFlare at every point in time.

Usjournal[.]net/us gave us a bit more information. Combining the earliest archive.org timestamp and WHOIS data, we found the following (fake) registrant:

[Screenshot: WHOIS registrant]

The historical WHOIS data points to a “Brendan Walsh”, but we found no connection between this name (and other domains registered to it) and other fake news websites.

We encountered the same problems for twtoday[.]net as we did for newsstand7[.]com, without much to go on in terms of WHOIS, DNS history or any other data.

We nearly abandoned this investigation—until we began looking at the data from the November takedowns.

Second analysis – November data

The domain rpfront[.]com provided us with the first insight into how deep and complicated the setup has to be to keep investigators from quickly uncovering domains of misinformation. The historical WHOIS data shows that this fake domain was hiding behind a liberal/progressive type of setup, with WHOIS details pointing to the USA.

[Screenshot: historical WHOIS for rpfront[.]com]

We looked at the site from 2017 on the Wayback Machine:

[Screenshot: rpfront (Wayback Machine, 2017)]

Confirming our suspicions, the site was mostly politically driven. What stood out for us was the anti-Saudi/UAE rhetoric on this captured page, which is a bit unusual for a site/group that seemed geared towards the progressive/liberal political situation in the U.S.

A WHOIS lookup also led to our discovery that rpfront[.]us was another registered domain.

The current WHOIS shifted from “realprogressive front” to a user registered in China:

[Screenshot: realprogressive front]

We explored the associated WHOIS name and WHOIS organization, but didn’t spot any obvious misinformation domains. A few domains related to “zhang zi yong” did look similar to spam domains we’ve tracked in the past, like sjhfxh[.]com.

It is possible that rpfront[.]com was dropped after July 2020 and taken up by “zhang zi yong”, as the DNS history shows mostly US/EU companies until August 2020, when it was changed to “DXTL Tseung Kwan O Service”.

[Screenshot: DXTL Tseung Kwan O Service]

The domain ahtribune[.]com offers a lot of valuable data to extract from the OSINT. The historical WHOIS showed the following:

[Screenshot: ahtribune[.]com]

And the historical WHOIS for the domain showed this:

[Screenshot: historical WHOIS]

As a side note, the registrar “Realtime Register BV” has a lot of unusual domains in its own records. Out of 37K registrations, we found a lot of domains that looked like they were registered to Iranian users. Although there is nothing wrong with your average (Iranian) user registering a domain for a business or other legitimate use, many of the domains were registered as .com or .net, which is ultimately governed/managed by a U.S. company. And with U.S. sanctions on Iran, that may have complicated matters for this registrar.

Using the available historical WHOIS data, we uncovered ahtribune[.]org as another domain, but registered this time with a registrar in India, “Web Werks India Pvt. Ltd d/b/a ZenRegistry.com”.

The DNS history for ahtribune[.]com helped us uncover even more data. We found further associated domains:

ahtribune[.]net
ahtribune[.]ca

Looking up the 2020 WHOIS of the ahtribune .net/.com domains, we find the same or very similar registration details, which were shifted to a Turkish registrar:

[Screenshot: Turkish registrar]

Exploring some DNS history helped us find the domain balkanspost[.]com and a pattern similar to that of ahtribune .net/.com, with the registrar being switched to the same Turkish provider as shown above. We were also able to uncover the domain balkanspost[.]net. The archived versions of the website confirm balkanspost[.]com to be another misinformation domain:

[Screenshot: balkanspost.com]

(We hope you see the humour in this: The registration of .net/.com might indicate that the IRGC/Iran was trying, simultaneously, to protect its IP and prevent domain-squatting)
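The pattern just described, two domains that moved to the same registrar in the same period, can be searched for systematically in DNS and WHOIS history rather than spotted by eye. The Python below is an added example, not code from this post or from SecurityTrails. Its histories are constructed for fictional .example domains with placeholder provider names, and the record shape (first-seen date, field, value) is an assumption about what a history source would return; it generalises the post's single registrar case to any tracked field, nameservers included.

```python
"""Correlating provider changes across domain histories.

Added example (not code from the post or from SecurityTrails). Histories are
constructed for fictional .example domains with placeholder provider names; a
real run would read them from a WHOIS/DNS-history source whose record shape,
(first_seen, field, value), is an assumption here.
"""
from collections import defaultdict
from datetime import date

# Constructed sample histories. Three domains switch to the same registrar within
# a few weeks of each other; two of them also land on the same nameserver.
SAMPLE_HISTORY = {
    "tribune-a.example": [
        (date(2016, 3, 1), "registrar", "Registrar-NL"),
        (date(2016, 3, 1), "ns", "ns1.hosting-nl.example"),
        (date(2020, 5, 10), "registrar", "Registrar-TR"),
        (date(2020, 5, 12), "ns", "ns1.cdn.example"),
    ],
    "tribune-b.example": [
        (date(2017, 1, 5), "registrar", "Registrar-NL"),
        (date(2020, 5, 20), "registrar", "Registrar-TR"),
    ],
    "post-c.example": [
        (date(2018, 6, 1), "registrar", "Registrar-IN"),
        (date(2018, 6, 1), "ns", "ns1.hosting-in.example"),
        (date(2020, 6, 15), "registrar", "Registrar-TR"),
        (date(2020, 6, 15), "ns", "ns1.cdn.example"),
    ],
    # Moved to the same CDN, but a year earlier: same provider is not the same pattern.
    "shop-d.example": [
        (date(2015, 1, 1), "registrar", "Registrar-US"),
        (date(2015, 1, 1), "ns", "ns1.hosting-us.example"),
        (date(2019, 1, 1), "ns", "ns1.cdn.example"),
    ],
    # Same registrar switch, but months after the others: outside the window.
    "late-e.example": [
        (date(2019, 1, 1), "registrar", "Registrar-NL"),
        (date(2020, 11, 1), "registrar", "Registrar-TR"),
    ],
}


def change_points(history):
    """Collapse a dated history into the moments a field's value actually changed.

    Returns (date, field, old_value, new_value); old_value is None on first sighting.
    """
    events, current = [], {}
    for seen, field, value in sorted(history):
        if current.get(field) != value:
            events.append((seen, field, current.get(field), value))
            current[field] = value
    return events


def shared_moves(histories, window_days=90):
    """Groups of domains that switched to the same provider within window_days of each other.

    Only real moves count (a domain's first recorded value is not a move), so a CDN
    that thousands of sites have always used does not link them. A shared provider
    on its own is weak evidence; a near-simultaneous switch to the same small
    registrar is the kind of signal worth a second look.
    """
    arrivals = defaultdict(list)  # (field, new_value) -> [(date, domain)]
    for domain, history in histories.items():
        for seen, field, old, new in change_points(history):
            if old is not None:
                arrivals[(field, new)].append((seen, domain))
    groups = []
    for (field, value), moves in arrivals.items():
        moves.sort()
        i = 0
        while i < len(moves):
            # Greedy window: every move within window_days of the group's first move.
            start, members = moves[i][0], [moves[i][1]]
            j = i + 1
            while j < len(moves) and (moves[j][0] - start).days <= window_days:
                members.append(moves[j][1])
                j += 1
            if len(members) > 1:
                groups.append({"field": field, "value": value,
                               "window_start": start, "domains": sorted(members)})
            i = j
    return sorted(groups, key=lambda g: (g["field"], g["window_start"]))


if __name__ == "__main__":
    for g in shared_moves(SAMPLE_HISTORY):
        print(f"{g['field']}={g['value']} from {g['window_start']}: {', '.join(g['domains'])}")
```

The window size is the knob to tune: too narrow and a registrar migration spread over a quarter is missed, too wide and unrelated customers of a popular provider start to cluster. Running the same grouping on several fields at once (registrar, nameservers, hosting AS) and only flagging domains that coincide on more than one of them cuts the false positives further.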

Moving on to awdnews[.]com, the trail of breadcrumbs for this domain is substantially larger than that of all the other above domains we’ve reviewed so far.

The history of awdnews[.]com goes as far back as 2012 and involves (possibly fake) registration details from Dubai to Germany.

Here, we’ll list the important details in an outline format so that it’s easier to follow the trail for awdnews[.]com:

1. WHOIS data 2014:
   i. Org: Bayan
   ii. Country: Dubai, UAE
   iii. Email: info[at]awdnews[.]com
   iv. Tel: 975873678
2. WHOIS data 2015:
   i. Name: awdnews
   ii. Street: Nordufer 28-29
   iii. Country: Berlin, Germany
   iv. Email: KelvinMiddelkoop[at]hotmail[.]com
   v. Tel: 4930362641
3. WHOIS data 2016 (same as 2015, except):
   i. Email: awdnews2015[at]gmail[.]com
   ii. Tel: 4930363641
4. WHOIS data 2017:
   i. Name: awdnews
   ii. Street: Genslerstrasze
   iii. Country: Berlin, Germany
   iv. Email: awdnews2015[at]gmail[.]com
   v. Tel: 30499414637070

Using the WHOIS in 1) we uncovered a list of 23 domains that look mostly Iranian (with the bulk of them not resembling fake news websites). Examples include:

iranianmedievalhistory[.]com
royalcrown[.]co
parsiantakhfif[.]com

Now this data might not matter as it may turn out that awdnews[.]com was previously owned by someone else, but we do have to factor in two things:

  1. Many Iranians live in the UAE (which is geographically close to Iran)
  2. There is a circular connection with the data, as shown below

The WHOIS history in 2) revealed the following:

[Screenshot: fake misinformation website]

As it turns out, moslempress[.]com is another fake misinformation website:

[Screenshot: balkanspost.com]

But it’s the historical WHOIS of moslempress[.]com that shows us how all these domains are tied together, with these details:

5. moslempress[.]com WHOIS data 2014:
   i. Name: Jay Jackson
   ii. Org: Muslimnews
   iii. Country: Dubai, UAE
   iv. Email: eb.erfani[at]gmail[.]com
   v. Tel: 975873678

Look familiar? The WHOIS data from 5) has a lot of overlap with data from 1). This left us with another very valuable breadcrumb. We dug further and found another important domain:

7soz[.]com

The current WHOIS of 7soz[.]com reveals that “Ebrahim Erfani” registered this domain at a Turkish address.

[Screenshot: 7soz[.]com]

But here are the problems:

  1. The org associated with 7soz is called “Persian Domain Provider”
  2. The historical WHOIS for 7soz shows the same “Ebrahim Erfani”, but they had the domain registered in Iran.
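The pivot the outline above walks through by hand (the phone number that the 2014 awdnews and moslempress records share, and the registrant details that lead on from moslempress to 7soz) is attribute matching followed by transitive clustering, and it can be automated. The Python below is an added example, not code from this post or from SecurityTrails. It runs on constructed records for fictional .example domains with made-up registrant values; the field names and the noise list are assumptions about what a WHOIS-history source would return.

```python
"""Pivoting on registrant attributes across historical WHOIS records.

Added example (not code from the post or from SecurityTrails). Records are
constructed for fictional .example domains with made-up registrant values; a
real run would pull them from a WHOIS-history source, and the field names below
are an assumption about its schema.
"""
import re
from collections import defaultdict

# Values that must never be used as a pivot: privacy proxies and empty fields.
# Keying on "REDACTED FOR PRIVACY" would link every proxied domain to every other.
NOISE_VALUES = {"", "redacted for privacy", "whoisguard protected", "not disclosed"}
PIVOT_FIELDS = ("email", "tel", "name", "org")

# Constructed sample: alpha and beta share a 2014 phone number (written differently),
# beta and gamma share an email in different years, delta and epsilon sit behind a
# privacy proxy and must not end up linked to anything.
SAMPLE_WHOIS = [
    {"domain": "news-alpha[.]example", "year": 2014, "org": "Example Media LLC",
     "email": "info[at]news-alpha[.]example", "tel": "+971 50 000 0001"},
    {"domain": "news-alpha[.]example", "year": 2015, "name": "news-alpha",
     "email": "k.doe[at]mail[.]example", "tel": "4930000001"},
    {"domain": "press-beta[.]example", "year": 2014, "name": "J. Doe",
     "org": "Example News Org", "email": "r.roe[at]mail[.]example", "tel": "971500000001"},
    {"domain": "seven-gamma[.]example", "year": 2020, "name": "R. Roe",
     "org": "Example Domain Provider", "email": "r.roe[at]mail[.]example", "tel": ""},
    {"domain": "unrelated-delta[.]example", "year": 2019, "name": "REDACTED FOR PRIVACY",
     "email": "REDACTED FOR PRIVACY", "tel": ""},
    {"domain": "unrelated-epsilon[.]example", "year": 2019, "name": "REDACTED FOR PRIVACY",
     "email": "REDACTED FOR PRIVACY", "tel": ""},
]


def refang(value):
    """Undo report-style defanging: 'a[at]b[.]example' -> 'a@b.example'."""
    value = re.sub(r"\[\s*\.\s*\]", ".", value)
    return re.sub(r"\[\s*at\s*\]", "@", value, flags=re.IGNORECASE)


def defang(value):
    """Defang an indicator before it goes back into a report."""
    return value.replace("@", "[at]").replace(".", "[.]")


def normalise(field, value):
    """Canonical pivot value, or None if the value carries no signal."""
    value = refang(value).strip().lower()
    if field == "tel":
        value = re.sub(r"\D", "", value)  # '+971 50 000 0001' and '971500000001' match
    return None if value in NOISE_VALUES else value


def build_pivot_index(records):
    """(field, value) -> set of domains whose history ever carried that value."""
    index = defaultdict(set)
    for rec in records:
        domain = refang(rec["domain"]).lower()
        for field in PIVOT_FIELDS:
            value = normalise(field, rec.get(field, ""))
            if value:
                index[(field, value)].add(domain)
    return index


def cluster_domains(records):
    """Connected components over the pivot index (union-find).

    Two domains are linked when any record of one shares a pivot value with any
    record of the other, and links chain: alpha-beta via a phone number plus
    beta-gamma via an email puts all three in one cluster even though alpha and
    gamma never share a value directly. Returns (clusters, evidence); evidence
    lists every (field, value) seen on more than one domain.
    """
    index = build_pivot_index(records)
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for domains in index.values():
        first, *rest = sorted(domains)
        for other in rest:
            parent[find(other)] = find(first)

    clusters = defaultdict(set)
    for rec in records:
        domain = refang(rec["domain"]).lower()
        clusters[find(domain)].add(domain)
    evidence = {key: sorted(doms) for key, doms in index.items() if len(doms) > 1}
    return sorted((sorted(c) for c in clusters.values()), key=len, reverse=True), evidence


def report(records):
    """Human-readable, defanged summary of the clusters and what links them."""
    clusters, evidence = cluster_domains(records)
    lines = []
    for cluster in clusters:
        lines.append("cluster: " + ", ".join(defang(d) for d in cluster))
        for (field, value), doms in evidence.items():
            if set(doms) <= set(cluster):
                lines.append(f"  shared {field} {defang(value)}: " + ", ".join(defang(d) for d in doms))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_WHOIS))
```

The noise list is what keeps the clustering honest: a registrant name or email that belongs to a privacy service, a registrar's default contact or a placeholder is shared by thousands of unrelated domains, so one such value in the index turns every cluster into one blob. The evidence map is kept alongside the clusters for the same reason, so that each link can be checked by hand before a domain is reported as connected.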

A further 12 domains associated to 7soz[.]com were found:

iuvmpress[.]com
middleeastpress[.]org
iuvmpress[.]org
iuvmapp[.]com
iuvmnews[.]com
dixine[.]com
iuvmpress[.]net
jamekurdi[.]net
gahvare[.]com
tuloohefajr[.]org
imamiatarbiat[.]com

The 2014 WHOIS data of 7soz[.]com left us another crumb to follow:

6. 7soz[.]com WHOIS data 2014:
   i. Name: William Black
   ii. Street: NY, 5st, 56
   iii. NY, NY, USA
   iv. Email: ebisps[at]yahoo[.]com
   v. Tel: 1865732485656

A WHOIS lookup on data from 6) shows the following:

[Screenshot: William Black]

Another discovery was the fake registration belonging to a “Mehdi Asgari” via the domains listed in the picture above.

We were able to find a further link between awdnews and other domains by yet another WHOIS lookup that connected the domains, such as:

awdnews.com
moslempress.net
moslempress.com
moslempress.org

We were also able to verify a link to some of the other domains that most likely belong to the fake registrations as well, including:

whatsupic.com
realnienovosti.com
islamic-sources[.]com

As for the other domains in the list (of a total of 31), we found no direct connection linking them to the Iran/IRGC domains, but we did find many of these domains linking to each other via details of a person in Thailand; and for the others, a person in the USA.

What caught our attention was islamic-sources[.]com, and it appears as though this website provides books and material related to Shia Islam. Knowing that the Iranians/IRGC like to protect their IP, we looked up islamic-sources[.]org and found “Mehdi Asgari” here as well. The WHOIS history of islamic-sources[.]org helped us find even more OSINT data connecting the misinformation domains and websites promoting Shia Islam:

[Screenshot: islamic-sources[.]com]

This trail led us to the domain:

7sabah[.]com

Historical WHOIS helped us link 7sabah[.]com to islamic-sources[.]com. This was further verified by the UAE/German/Turkey pattern used in the domains above.

The same can be said for middleeastpress[.]org. Using techniques similar to the ones used above, we uncovered a few more domains:

middleeastpress[.]com
middleeastnewsagency[.]net
middleeastnewsagency[.]org

We did not press further regarding middleeastpress[.]com as there appears to be a web linking various Afghan hosting companies to the domain as well. This case would be better suited to its own investigation.

Another interesting factor is how many of the domains rely on U.S. companies for hosting/registrars. An example is shown in the screenshot below, with CloudFlare and Amazon providing services to these linked domains:

[Screenshot: CloudFlare and Amazon providing services]

We confirmed iuvmpress[.]com to be yet another misinformation website:

[Screenshot: iuvmpress.com]

At the time of this writing, islamic-sources[.]com is still up and running on CloudFlare and middleeastpress[.]com is running on inMotion Hosting.

The last curiosity we were left with for awdnews[.]com was the redirect to healingcenter[.]org, but we suspect this was merely a blackhat SEO technique to drive traffic from awdnews to healingcenter.

The last domain provided by the DoJ, criticalstudies[.]org, also proved quite valuable. We were able to find critical-studies[.]com, which helped us confirm the connection between the two domains:

[Screenshot: criticalstudies[.]org]

Further WHOIS exploration helped uncover 11 other domains:

[Screenshot: WHOIS exploration]

A connection between the picture above and historical WHOIS linked us to a hosting company called “AsanHost”. We developed two theories behind “AsanHost”:

  1. It’s a front being used by the IRGC
  2. It’s a small Iranian hosting company being used by the IRGC for their misinformation

As for the 11 domains mentioned above, some might be false positives; we found no connection between the non-“critical studies” domains and the others, aside from also belonging to Iranians.

Conclusions

We’ve only scratched the surface of how far the fake domain network goes. We did find a few domains that the DoJ investigators may have missed, left or might still be investigating.

What we learned from this investigation is that the IRGC has been active with disinformation for a lot longer than the Trump presidency (when sanctions and pressure on the country amplified). Many data points showed activity as early as 2013.

The one drawback of our OSINT investigation compared to the DoJ’s is that the DoJ can combine other data sources that are not OSINT, and possibly collaborate with U.S. hosting/registrar/CDN/DNS companies to uncover further networks of domains. This is based on the assumption that all of their data pipelines are efficient and searchable, which may not be the case.

OSINT is also about collaboration and in case we missed anything, let us know what you found or can find to let this report grow even larger and be useful to many stakeholders.