A dozen years ago, Treadstone 71 shifted adversary targeting from strictly cyber jihadist activity to include Iran. We tracked movements of the earliest hacking groups following their activities from low-level defacements to re-purposing Stuxnet to become a recognized global power in cyber and influence operations. Treadstone 71 specializes in monitoring Iranian cyber and influence operations, research hacking groups, and regularly post information and intelligence on their activities. Many posts describe the Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence and Security (MOIS) cyber activities, organizational structures, internal recruiting methods, educational activities, cyber conferences, information on malware, and threat actors and their capabilities. We continuously seek patterns and trends within those patterns. We examine adversary tendencies in online forums, blogs, and social media sites. In the run-up to the 2020 U.S. presidential election, we focused on social media and looked for possible infiltration that would affect voters. In the run-up to the 2020 U.S. presidential election, we focused on social media and seeking possible influence operations that may affect voters. In July of this year, we came across highly unusual spikes in social media activity that, at first glance, seemed random. A closer look led us in a direction we did not expect. As with many strategic intelligence analysis efforts, collected data is the evidence driving the findings. The findings herein led us down a path we did not expect.


Campaign Core Users

At least four accounts played an essential role in managing the campaign to ensure the hashtag trended in Iran. At least nine other accounts belonging to IRGC Cyber Units were responsible for managing and expanding the campaign in different social environments. (Figure 1 in the report)

The latter, most with high followership, portrayed themselves as “monarchists,” “reformists,” or “regime change advocates” in various social environments while tweeting contents to fit the description, playing a serious role under the given persona in mobilizing and expanding the campaign against the MEK.

A significant feature of these accounts is young women’s personas disguising themselves while attracting and luring unsuspecting users for messaging expansion and potential collaboration.

The RGCU launched the primary campaign on July 17 at 16:59 CEST, immediately after the speech by Maryam Rajavi, starting the process of audience involvement, account mobilization, and hashtag repetition. The coordinated launch helped to create identifiable Twitter trending. The RGCU expanded the campaign by distributing and republishing influential core members’ tweets and content. The republishing triggered thousands of bots and fake accounts with low followership belonging to Basij Cyber Units.

Inside the Report

With the entry of influencers (Figure 3 in the report), the campaign entered the next operations stage. The content and tweets were distributed and republished by those influential IRGC Cyber Units. The narrative between these users reveals their role in promoting the campaign and the purpose of the personas.

Thousands of bots and fake accounts with low followership belonging to Basij Cyber Units widely republished and retweeted tweets published by influencers and retweeted and promoted the posts by other accounts that had used the given hashtag.

This campaign was continued for 60.6 hours by the IRGC Intelligence Cyber Units using thousands of low paid Basij accounts resembling a Dunbar’s Number concentric circles of trust throughout the country (Figure 4 in the report).

Campaign Overview and Analysis Based on Available Data and Research:

  • The IRGC intended to influence and drown out the spread of MEK’s messaging throughout Iran via social media by creating a flood of negative messaging using propaganda.
  • Using tweets, mentions, and retweets, IRGC proxy groups call out to spread the messaging beyond proxies to unsuspecting Twitter users
  • The campaign used a series of bots to create buzz and increase usage.
  • Anonymous communications occurred via @BChatBot and @BiChatBot non-inclusively on Telegram for communication purposes between Cyber Units, to prevent Twitter from realizing an organized campaign and implementation of restrictions on the accounts.
  • The Nejat Society (the brainchild of the Ministry of Intelligence) simultaneously used all its social media accounts, publishing messages with negative connotations about Iranian dissidents creating a negative narrative. (The active participation of Nejat Society affiliated with the MOIS in this campaign clarifies the operation’s nature).
  • The IRGC cyber chain-of-command likely coordinated communication between the various Cyber Units. Social media post content created identifiable patterns, trackable trends, and clear user tendencies.

Treadstone 71 believes the operation violates many Twitter rules related to the “Platform manipulation and spam policy,” the “Impersonation policy,” and the “Synthetic and manipulated media policy.”

Download the full report: https://www.treadstone71.com/index.php/intel-briefs/irgcinfluenceops

Interested in speaking with Treadstone 71 about cyber intelligence and counterintelligence, trends, programs, training, and strategic analysis? Drop us an email at osint@treadstone71.com

By Treadstone 71

@Treadstone71LLC Cognitive Warfare Training, Intelligence and Counterintelligence Tradecraft, Influence Operations, Cyber Operations, OSINT,OPSEC, Darknet, Deepweb, Clandestine Cyber HUMINT, customized training and analysis, cyber psyops, strategic intelligence, Open-Source Intelligence collection, analytic writing, structured analytic techniques, Target Adversary Research, strategic intelligence analysis, estimative intelligence, forecasting intelligence, warning intelligence, Disinformation detection, Analysis as a Service