Recently, the Department of Justice made two public announcements about shutting down fake news websites created by Iran's Islamic Revolutionary Guard Corps (IRGC). In the first instance, 92 domains were seized in August 2020. And according to the second announcement, 27 more domains were seized as part of the same effort to spread global disinformation.
The geopolitical issues surrounding such an investigation are not lost on us, but this data is already public (OSINT). It's only a matter of finding out what it tells us.
Some of the data we'll examine includes:
- WHOIS (including history)
- DNS (current + historical)
- Subdomains with their associated hosts, open ports and more
The DoJ and the domains
While we admire the DoJ investigators for finding these deceptive domains, what we didn't like is their first press release. The release said that a list of the 92 domains was available 'here', but it was actually nowhere to be found on their website. This left us with only eight seized domains to look at (four in August and four in November).
August seized domains:
- newsstand7[.]com
- usjournal[.]net
- usjournal[.]us
- twtoday[.]net
November seized domains:
- rpfront[.]com
- ahtribune[.]com
- awdnews[.]com
- criticalstudies[.]org
First analysis of the data
The four domains from August were not that helpful, with limited quantities of extra data found. For example, newsstand7[.]com was protected behind WHOIS privacy and its DNS was protected behind NameCheap and CloudFlare at any given time.
Usjournal[.]net/us gave us a bit more information. Combining the earliest archive.org timestamp and WHOIS data, we found the following (fake) registrant:
The historical WHOIS data points to a "Brendan Walsh", but we found no connection between this name (and other domains registered to it) and other fake news websites.
We encountered the same problems for twtoday[.]net as we did for newsstand7[.]com, without much to go on in terms of WHOIS, DNS history or any other data.
We nearly abandoned this investigation—until we began looking at the data from the November takedowns.
Second analysis – November data
The domain rpfront[.]com provided us with the first insight into how deep and complicated the setup has to be to keep investigators from quickly uncovering domains of misinformation. The historical WHOIS data shows that this fake domain was hiding behind a liberal/progressive type of setup, with WHOIS details pointing to the USA.
We looked at the site from 2017 on the Wayback Machine:
Confirming our suspicions, the site was mostly politically driven. What stood out for us was the anti-Saudi/UAE rhetoric on this captured page, which is a bit unusual for a site/group that seemed geared towards the progressive/liberal political scene in the U.S.
A WHOIS lookup also led to our discovery that rpfront[.]us was another registered domain.
The current WHOIS shifted from "realprogressive front" to a user registered in China:
We explored the associated WHOIS name and WHOIS organization, but didn't spot any obvious misinformation domains. A few domains related to "zhang zi yong" did look similar to spam domains we've tracked in the past, like sjhfxh[.]com.
It is possible that rpfront[.]com was dropped after July 2020 and taken up by "zhang zi yong", as the DNS history shows mostly US/EU companies until August 2020, when it was changed to "DXTL Tseung Kwan O Service".
The domain ahtribune[.]com offers a lot of valuable data to extract from the OSINT. The historical WHOIS showed the following:
And the historical WHOIS for the domain showed this:
As a side note, the registrar "Realtime Register BV" has a lot of unusual domains in its own records. Out of 37K registrations, we found a lot of domains that looked like they were registered to Iranian users. Although there is nothing wrong with your average (Iranian) user registering a domain for a business or other legitimate use, many of the domains were registered under .com or .net, TLDs that are ultimately governed/managed by a U.S. company. And with U.S. sanctions on Iran, that may have complicated matters for this registrar.
Using the available historical WHOIS data, we uncovered ahtribune[.]org as another domain, but registered this time with a registrar in India, "Web Werks India Pvt. Ltd d/b/a ZenRegistry.com".
The DNS history for ahtribune[.]com helped us uncover even more data. We found further associated domains:
Looking up the 2020 WHOIS of the ahtribune .net/.com domains, we find the same or very similar registration details, which were shifted to a Turkish registrar:
Exploring some DNS history helped us find the domain balkanspost[.]com and a pattern similar to that of ahtribune .net/.com, with the registrar being switched to the same Turkish provider as shown above. We were also able to uncover the domain balkanspost[.]net. The archived versions of the website confirm balkanspost[.]com to be another misinformation domain:
(We hope you see the humour in this: The registration of .net/.com might indicate that the IRGC/Iran was trying, simultaneously, to protect its IP and prevent domain-squatting)
Moving on to awdnews[.]com, the trail of breadcrumbs for this domain is substantially larger than that of all the other above domains we've reviewed so far.
The history of awdnews[.]com goes as far back as 2012 and involves (possibly fake) registration details from Dubai to Germany.
Here, we'll list the important details in an outline format so that it's easier to follow the trail for awdnews[.]com:
1. WHOIS data 2014:
   i. Org: Bayan
   ii. Country: Dubai, UAE
   iii. Email: info[at]awdnews[.]com
   iv. Tel: 975873678
2. WHOIS data 2015:
   i. Name: awdnews
   ii. Street: Nordufer 28-29
   iii. Country: Berlin, Germany
   iv. Email: KelvinMiddelkoop[at]hotmail[.]com
   v. Tel: 4930362641
3. WHOIS data 2016 (same as 2015, except):
   i. Email: awdnews2015[at]gmail[.]com
   ii. Tel: 4930363641
4. WHOIS data 2017:
   i. Name: awdnews
   ii. Street: Genslerstrasze
   iii. Country: Berlin, Germany
   iv. Email: awdnews2015[at]gmail[.]com
   v. Tel: 30499414637070
Using the WHOIS in 1) we uncovered a list of 23 domains that look mostly Iranian (with the bulk of them not resembling fake news websites). Examples include:
- iranianmedievalhistory[.]com
- royalcrown[.]co
- parsiantakhfif[.]com
Now this data might not matter as it may turn out that awdnews[.]com was previously owned by someone else, but we do have to factor in two things:
- Many Iranians live in the UAE (which is geographically close to Iran)
- There is a circular connection with the data, as shown below
The WHOIS history in 2) revealed the following:
As it turns out, moslempress[.]com is another fake misinformation website:
But it's the historical WHOIS of moslempress[.]com that shows us how all these domains are tied together, with these details:
5. moslempress[.]com WHOIS data 2014:
   i. Name: Jay Jackson
   ii. Org: Muslimnews
   iii. Country: Dubai, UAE
   iv. Email: eb.erfani[at]gmail[.]com
   v. Tel: 975873678
Look familiar? The WHOIS data from 5) has a lot of overlap with data from 1). This left us with another very valuable breadcrumb. We dug further and found another important domain:
The current WHOIS of 7soz[.]com reveals that "Ebrahim Erfani" registered this domain at a Turkish address.
But here are the problems:
- The org associated with 7soz is called "Persian Domain Provider"
- The historical WHOIS for 7soz shows the same "Ebrahim Erfani", but the domain was registered in Iran.
A further 12 domains associated with 7soz[.]com were found:
- iuvmpress[.]com
- middleeastpress[.]org
- iuvmpress[.]org
- iuvmapp[.]com
- iuvmnews[.]com
- dixine[.]com
- iuvmpress[.]net
- jamekurdi[.]net
- gahvare[.]com
- tuloohefajr[.]org
- imamiatarbiat[.]com
The 2014 WHOIS data of 7soz[.]com left us another crumb to follow:
6. Name: William Black
   i. Street: NY, 5st, 56
   ii. NY, NY, USA
   iii. Email: ebisps[at]yahoo[.]com
   iv. Tel: 1865732485656
A WHOIS lookup on data from 6) shows the following:
Another discovery was the fake registration belonging to a "Mehdi Asgari" via the domains listed in the picture above.
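The pivoting we have been doing by hand above (awdnews 2014 and moslempress 2014 sharing a phone number, 7soz and its neighbours sharing registrant e-mails) is easy to automate once you have historical WHOIS/DNS records in hand. The following is an added example, not code from the original write-up: it indexes records by registrant field, links domains that share a value, and ignores values that are shared by far too many unrelated domains to mean anything (WHOIS privacy proxies, big CDN nameservers such as CloudFlare, which the post notes several domains hid behind). The first four records reuse values quoted in the post; the nameserver values, the `*.invalid` domains and the privacy e-mail are constructed for illustration.

```python
"""Pivot across historical WHOIS/DNS records on shared registrant fields.

Added example (not part of the original post). Records marked "from post"
reuse values quoted in the write-up; everything marked "constructed" is
made up so the script runs offline.
"""
from collections import defaultdict

# Fields on which two domains may be tied together.
PIVOT_FIELDS = ("email", "phone", "org", "name", "ns")

# (field, value) pairs too common to prove shared ownership. Constructed
# placeholders: a privacy-proxy e-mail and a CDN nameserver.
LOW_SIGNAL = {
    ("email", "privacy[at]whoisguard[.]invalid"),
    ("ns", "cloudflare[.]com"),
}

RECORDS = [
    # from post: awdnews[.]com 2014 / 2015 and moslempress[.]com 2014, 7soz[.]com 2014
    {"domain": "awdnews[.]com", "year": 2014, "org": "Bayan",
     "email": "info[at]awdnews[.]com", "phone": "975873678",
     "ns": "ns1.hosting-a[.]invalid"},                      # ns constructed
    {"domain": "awdnews[.]com", "year": 2015, "name": "awdnews",
     "email": "KelvinMiddelkoop[at]hotmail[.]com", "phone": "4930362641",
     "ns": "cloudflare[.]com"},                              # ns constructed
    {"domain": "moslempress[.]com", "year": 2014, "name": "Jay Jackson",
     "org": "Muslimnews", "email": "eb.erfani[at]gmail[.]com",
     "phone": "975873678", "ns": "ns1.hosting-a[.]invalid"}, # ns constructed
    {"domain": "7soz[.]com", "year": 2014, "name": "William Black",
     "email": "ebisps[at]yahoo[.]com", "phone": "1865732485656",
     "ns": "cloudflare[.]com"},                              # ns constructed
    # constructed: shares only an e-mail with 7soz
    {"domain": "example-pivot[.]invalid", "year": 2016,
     "email": "ebisps[at]yahoo[.]com", "ns": "cloudflare[.]com"},
    # constructed: two unrelated sites behind the same privacy proxy and CDN
    {"domain": "unrelated-blog[.]invalid", "year": 2019,
     "email": "privacy[at]whoisguard[.]invalid", "ns": "cloudflare[.]com"},
    {"domain": "unrelated-shop[.]invalid", "year": 2019,
     "email": "privacy[at]whoisguard[.]invalid", "ns": "cloudflare[.]com"},
]


def pivot_graph(records, low_signal=LOW_SIGNAL):
    """Return {domain: {other_domain: {(field, value), ...}}}.

    Two domains are linked when any historical record of one shares a pivot
    field value with any record of the other, unless that value is on the
    low-signal list. Values are normalised to lowercase before comparison.
    """
    index = defaultdict(set)                 # (field, value) -> {domain, ...}
    for rec in records:
        for field in PIVOT_FIELDS:
            value = rec.get(field)
            if not value:
                continue
            key = (field, value.strip().lower())
            if key in low_signal:
                continue                     # shared by everyone: no evidence
            index[key].add(rec["domain"])
    graph = defaultdict(lambda: defaultdict(set))
    for rec in records:
        graph[rec["domain"]]                 # keep isolated domains in the graph
    for key, domains in index.items():
        for a in domains:
            for b in domains:
                if a != b:
                    graph[a][b].add(key)
    return graph


def clusters(graph):
    """Connected components of the pivot graph as sorted lists of domains."""
    seen, out = set(), []
    for start in sorted(graph):
        if start in seen:
            continue
        comp, stack = [], [start]
        seen.add(start)
        while stack:
            d = stack.pop()
            comp.append(d)
            for nxt in graph[d]:
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        out.append(sorted(comp))
    return out


def explain(graph, a, b):
    """The (field, value) pairs that directly tie domain a to domain b."""
    return sorted(graph[a].get(b, set()))


if __name__ == "__main__":
    g = pivot_graph(RECORDS)
    for comp in clusters(g):
        print(comp)
    print(explain(g, "awdnews[.]com", "moslempress[.]com"))
    # Without the low-signal filter every domain collapses into one cluster,
    # purely because they all sit behind the same CDN nameserver.
    print(len(clusters(pivot_graph(RECORDS, low_signal=set()))))
```

The `explain` output is what you want to keep in your notes: a cluster is only as strong as the specific field values that hold it together, and a shared phone number is a much better pivot than a shared CDN. Running the script with `low_signal=set()` shows the failure mode in one line: the whole data set merges into a single cluster on the CloudFlare nameserver alone.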
We were able to find a further link between awdnews and other domains by yet another WHOIS lookup that connected the domains, such as:
- awdnews[.]com
- moslempress[.]net
- moslempress[.]com
- moslempress[.]org
We were also able to verify a link to some of the other domains that most likely belong to the fake registrations as well, including:
- whatsupic[.]com
- realnienovosti[.]com
- islamic-sources[.]com
As for the other domains in the list (31 in total), we found no direct connection to the Iran/IRGC domains, but many of them link to each other through the details of a person in Thailand, and the rest through a person in the USA.
What caught our attention was islamic-sources[.]com, and it appears as though this website provides books and material related to Shia Islam. Knowing that the Iranians/IRGC like to protect their IP, we looked up islamic-sources[.]org and found "Mehdi Asgari" here as well. The WHOIS history of islamic-sources[.]org helped us find even more OSINT data connecting the misinformation domains and websites promoting Shia Islam:
This trail led us to the domain:
Historical WHOIS helped us link 7sabah[.]com to islamic-sources[.]com. This was further verified by the UAE/German/Turkey pattern used in the domains above.
The same can be said for middleeastpress[.]org. Using techniques similar to the ones used above, we uncovered a few more domains:
- middleeastpress[.]com
- middleeastnewsagency[.]net
- middleeastnewsagency[.]org
We did not press further regarding middleeastpress[.]com as there appears to be a web linking various Afghan hosting companies to the domain as well. This case would be better suited to its own investigation.
Another interesting factor is how many of the domains rely on U.S. companies for hosting/registrars. An example is shown in the screenshot below, with CloudFlare and Amazon providing services to these linked domains:
We confirmed iuvmpress[.]com to be yet another misinformation website:
At the time of this writing, islamic-sources[.]com is still up and running on CloudFlare and middleeastpress[.]com is running on inMotion Hosting.
The last curiosity we were left with for awdnews[.]com was the redirect to healingcenter[.]org, but we suspect this was merely a blackhat SEO technique to drive traffic from awdnews to healingcenter.
The last domain provided by the DoJ, criticalstudies[.]org, also proved quite valuable. We were able to find critical-studies[.]com, which helped us confirm the connection between the two domains:
Further WHOIS exploration helped uncover 11 other domains:
A connection between the picture above and historical WHOIS linked us to a hosting company called "AsanHost". We developed two theories behind "AsanHost":
- It's a front being used by the IRGC
- It's a small Iranian hosting company being used by the IRGC for their misinformation
As for the 11 domains mentioned above, some might be false positives; we found no connection between the non-"critical studies" domains and the others, aside from also belonging to Iranians.
We’ve only scratched the surface of how far the fake domain network goes. We did find a few domains that the DoJ investigators may have missed, left or might still be investigating.
What we learned from this investigation is that the IRGC has been active with disinformation for a lot longer than the Trump presidency (when sanctions and pressure on the country were amplified). Many data points showed activity as early as 2013.
The one drawback of our OSINT investigation compared to the DoJ’s is that the DoJ can combine other data sources that are not OSINT, and possibly collaborate with U.S. hosting/registrar/CDN/DNS companies to uncover further networks of domains. This is based on the assumption that all of their data pipelines are efficient and searchable, which may not be the case.
OSINT is also about collaboration, so if we missed anything, let us know what you found or can find, so this report can grow even larger and be useful to many stakeholders.