Note: The audio version doesn't include code or domain names. Those parts of the post can be seen in the text version.
Recently, the Department of Justice made two public announcements about shutting down fake news websites created by Iran's Islamic Revolutionary Guard Corps (IRGC). In the first, 92 domains were seized in August 2020; according to the second, 27 more domains were seized as part of the same effort to spread disinformation globally.
That prompted us to take a look, to see what we could discover using OSINT, our SurfaceBrowser tool and archive.org for further analysis.
The geopolitical issues surrounding such an investigation are not lost on us, but this data is already public (that is what OSINT means). It's only a matter of finding out what it tells us.
Some of the data we'll examine includes:
Whois (including history).
DNS (current + historical).
Subdomains with their associated hosts, open ports and more.
The DoJ and the domains
While we admire the DoJ investigators for finding these deceptive domains, the first press release was a disappointment: it said a list of the 92 domains was available 'here', but no such list could be found anywhere on the DoJ website. That left us with only eight seized domains to look at (four named in the August release and four in the November one).
August seized domains:
November seized domains:
First analysis of the data
The four domains from August were not that helpful, yielding little extra data. For example, newsstand7 dot com sat behind Whois privacy, and its DNS was behind Namecheap and Cloudflare at every point in its history.
Usjournal dot net gave us a bit more. Combining the earliest archive.org snapshot with the Whois data from that time, we found the following (fake) registrant:
The historical Whois data points to a "Brendan Walsh", but we found no connection between this name (or the other domains registered to it) and other fake news websites.
We ran into the same problems with twtoday dot net as with newsstand7 dot com: little to go on in terms of Whois, DNS history or any other data.
We nearly abandoned this investigation—until we began looking at the data from the November takedowns.
Second analysis – November data
The domain rpfront dot com gave us our first insight into how deep and complicated a setup has to be to keep investigators from quickly uncovering disinformation domains. The historical Whois data shows that this fake domain hid behind a liberal, progressive-sounding front, with Whois details pointing to the USA.
We looked at the site as captured in 2017 on the Wayback Machine, and it confirmed our suspicions: the site was mostly politically driven. What stood out was the anti-Saudi, anti-UAE rhetoric on the captured page, which is a bit unusual for a site and group apparently geared towards progressive, liberal politics in the U.S.
A Whois lookup also revealed a second registered domain, rpfront.us.
The current Whois has shifted from "realprogressive front" to a registrant in China:
We explored the associated Whois name and organization but spotted no obvious disinformation domains. A few domains tied to "zhang zi yong" did resemble spam domains we've tracked in the past, such as sjhfxh dot com.
It is possible that rpfront dot com was dropped after July 2020 and picked up by "zhang zi yong": the DNS history shows mostly US and EU hosting companies until August 2020, when it changed to "DXTL Tseung Kwan O Service".
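The reasoning above, an ownership change in the Whois history lining up with a hosting change in the DNS history, is the kind of pivot that is worth automating once you have more than a couple of domains. The following is an added example, not code from the original post or from SurfaceBrowser: it diffs consecutive Whois and DNS snapshots, flags a registrant change that arrives shortly after the previous expiry date (a likely expired-and-reregistered domain), and pairs registrant changes with hosting changes seen within a time window. The sample records are constructed for illustration; the dates, the TEST-NET IP addresses, the hosting-provider names other than DXTL and the field layout are all assumptions.

```python
"""Pivot historical Whois and DNS snapshots into a single change timeline.

Added example (not the post's or SurfaceBrowser's code). The records are a
CONSTRUCTED sample modelled on the rpfront dot com story: a US "progressive"
front whose registrant and hosting both change in mid-2020. Exact dates, the
TEST-NET addresses and the non-DXTL provider names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class WhoisRecord:
    seen: date          # when this snapshot was captured, not when it changed
    registrant: str
    organization: str
    country: str
    expires: date       # expiry date shown in the snapshot


@dataclass(frozen=True)
class DnsRecord:
    seen: date          # when this A record was first observed
    address: str
    hosting_org: str    # owner of the netblock the address sits in
    country: str


# Constructed sample history (illustrative values, not real lookup output).
WHOIS_HISTORY = [
    WhoisRecord(date(2017, 3, 1), "Real Progressive Front", "realprogressive front", "US", date(2020, 7, 15)),
    WhoisRecord(date(2019, 6, 10), "Real Progressive Front", "realprogressive front", "US", date(2020, 7, 15)),
    WhoisRecord(date(2020, 9, 2), "zhang zi yong", "zhang zi yong", "CN", date(2021, 8, 20)),
]
DNS_HISTORY = [
    DnsRecord(date(2017, 3, 5), "203.0.113.10", "Example US Hosting", "US"),
    DnsRecord(date(2019, 2, 1), "198.51.100.20", "Example EU Hosting", "NL"),
    DnsRecord(date(2020, 8, 25), "192.0.2.40", "DXTL Tseung Kwan O Service", "HK"),
]

Change = Tuple[date, str, str, str]   # (seen, field, old value, new value)


def field_changes(history, fields) -> List[Change]:
    """Diff consecutive snapshots and report every listed field that changed."""
    ordered = sorted(history, key=lambda r: r.seen)
    changes = []
    for prev, cur in zip(ordered, ordered[1:]):
        for f in fields:
            old, new = getattr(prev, f), getattr(cur, f)
            if old != new:
                changes.append((cur.seen, f, old, new))
    return changes


def whois_changes(history=WHOIS_HISTORY) -> List[Change]:
    return field_changes(history, ("registrant", "organization", "country"))


def dns_changes(history=DNS_HISTORY) -> List[Change]:
    return field_changes(history, ("hosting_org", "country"))


def flag_drop_catch(history=WHOIS_HISTORY, window_days=90) -> List[Dict]:
    """Heuristic: a new registrant first seen shortly AFTER the old expiry date,
    with a fresh expiry, looks like an expired domain re-registered by someone
    else rather than a transfer between related parties."""
    ordered = sorted(history, key=lambda r: r.seen)
    flags = []
    for prev, cur in zip(ordered, ordered[1:]):
        lapsed = cur.seen - prev.expires
        if (cur.registrant != prev.registrant
                and timedelta(0) <= lapsed <= timedelta(days=window_days)
                and cur.expires > prev.expires):
            flags.append({"expired": prev.expires, "reregistered": cur.seen,
                          "old_registrant": prev.registrant,
                          "new_registrant": cur.registrant})
    return flags


def correlate(whois=WHOIS_HISTORY, dns=DNS_HISTORY, window_days=60) -> List[Dict]:
    """Pair each registrant change with hosting changes seen within the window.
    Ownership and hosting moving together strengthens the case that the domain
    changed hands; either signal alone is weak evidence."""
    hosting = [c for c in dns_changes(dns) if c[1] == "hosting_org"]
    pairs = []
    for seen, field, old, new in whois_changes(whois):
        if field != "registrant":
            continue
        for dseen, _, hold, hnew in hosting:
            if abs((dseen - seen).days) <= window_days:
                pairs.append({"whois_seen": seen, "dns_seen": dseen,
                              "old_registrant": old, "new_registrant": new,
                              "hosting_old": hold, "hosting_new": hnew})
    return pairs


if __name__ == "__main__":
    for c in whois_changes() + dns_changes():
        print(f"{c[0]}  {c[1]:<12} {c[2]!r} -> {c[3]!r}")
    print("possible drop-catch:", flag_drop_catch())
    print("correlated changes:", correlate())
```

Two caveats when running this over real history. Snapshot dates are observation dates, not change dates, so a change can only be bracketed between two snapshots and the windows should be generous. And where a record sits behind Whois privacy or GDPR redaction (as newsstand7 dot com did), the "registrant" field reflects the proxy service, so a diff there tells you the privacy provider changed, not the owner; the drop-catch heuristic is only meaningful on records that carried real registrant data at both ends.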
The domain ahtribune dot com offers a lot of valuable data to extract via OSINT. The historical Whois showed the following:
And the historical Whois for the domain showed this:
As a side note, the registrar "Realtime Register BV" has a lot of unusual domains in its records. Out of 37K registrations, we found many domains that looked as if they were registered to Iranian users. Al...