Summary

On October 8, 2020, Twitter announced the takedown of an operation it attributed to Iran. The actors compromised real accounts to tweet Black Lives Matter content, and additionally created fake accounts with bios stolen from other real accounts on Twitter. The Stanford Internet Observatory analyzed the accounts’ behaviors, tweets and images related to this relatively small operation. The activity observed in this dataset —  compromising Twitter accounts, then leveraging them to disseminate messaging — appears to be a bit of a departure from prior Iran-linked activity. As we will discuss, the effort encompassed in this set contained unrefined messaging and ineffective dissemination. Other Iran-linked malign actors involved in prior influence operations appear to have been far more adept at creating fake social media personas for the purpose of disseminating propaganda. Topically, as SIO has previously noted, verified accounts run by Iranian regime leaders and its state media have previously waded into the Black Lives Matter conversation, posting support for protestors, portraying American police as fascists, and declaring that the US government is guilty of human rights violations and racism.

Key Takeaways

• In total, 104 accounts were utilized in the Iran-linked operation. Of this dataset, 81 accounts were real accounts that had been hacked for the purposes of the operation. The remaining 23 accounts were fake accounts that Twitter assessed were created by the malign actor, and incorporated elements of theft such as bios stolen from real accounts. 

• The compromised accounts were hacked to tweet content about Black Lives Matter, using the hashtag #black_lives_matter. These tweets contained images or memes to advance a pro-BLM narrative. 

• Tweets from the fake accounts were broader in focus, and covered multiple topics. These accounts tweeted in English and Arabic. A subset of English tweets by accounts claiming to be journalists shared news articles that were more critical of Donald Trump but also retweeted the US President’s account. Tweets in Arabic focused on two individuals critical of the Kuwaiti government, alleging they abused or trafficked drugs. 

Tactics, Techniques, and Procedures

There were two distinct tactics observed in the dataset: hacking real accounts, and creating fake personas with stolen biographies. 

The majority of accounts, 81, fell into the first category: account theft. The compromised accounts sent all but two of their tweets on June 3, 2020, that consisted of the hashtag #black_lives_matter and an image, such as an alleged Black Lives Matter protest. The hacked accounts were primarily located in the United States and came from a variety of communities: there were DJs, gamers, and accounts that role-played as vampires and werewolves. We observed tweets, Facebook posts and website updates from accounts that were compromised, some of which noted that they had been hacked, and others stating that they had regained control of their accounts. We do not name these accounts for privacy reasons. 

The second category centered around 23 fake personas created by the malign actor. This subset of accounts followed similar naming conventions: a first name followed by a last name or last initial and a series of numbers. Of the accounts, 22 of 23 were created on one of three dates in January 2020 — January 8, January 11, and January 25 — and each batch had similarities in its location and bio profession. For example, eight accounts created on Jan 25, 2020, had bios claiming to be journalists. The final account, which shared the same naming convention, was created on January 22. Unlike the other accounts, this account’s bio was in Arabic and it tweeted mostly in Arabic. 

Figure 1: Account creation dates (aggregated by month) for all users in the dataset, both hacked and fake. The graph shows a spike in user creations in January 2020, when the adversary created its fake persona accounts. 

The majority of the fake accounts stole their bios from real accounts on Twitter, most of which were from users located in the United Kingdom. The bios from real accounts ranged from those of government officials, to a primary school teacher, to TV presenters and journalists. A majority of the real accounts that bios were stolen from had large followings (the largest had 508,800 followers), though some were relatively small (101 followers). It is unclear why these individuals were selected. 

The most active fake persona, Jennife55580973, and other accounts to a lesser extent, tweeted extensively for accounts to “please follow me back.” This behavior suggests this cluster was in the early phase of network building. The accounts mentioned each other in their tweets, creating a retweet ring of fake journalist personas that we discuss in more detail below.  

Figure 2: The network of interactions (retweets, replies and mentions) initiated by the fake persona accounts (filtered to remove single-instance activity). This graph demonstrates the interconnectedness of the fake account network, while also showing that the accounts branched out to prominent figures such as @realdonaldtrump. 

Themes

#black_lives_matter

The 81 hacked accounts in the dataset were very minimally utilized: they tweeted the hashtag “#black_lives_matter,” along with an image. There were several variants of George Floyd's face edited to include an overlay of Joaquin Phoenix-style Joker makeup, which we have elected not to include. This analogy may have been meant to show support for protesters, or to encourage a more violent revolution as was depicted in the 2019 movie Joker; the purpose was somewhat unclear given the limited text. Other images shared in the tweets suggested a pro-BLM narrative, such as an image of Martin Luther King Jr. with the text, “even viruses know we are all made the same: STOP RACISM”. 

Figure 3: Examples of additional content sent through the compromised accounts. Left: An image of what seems to be a Black Lives Matter protest, with the phrase “I can not breathe,” a slight variant from the more commonly used phrase “I can’t breathe.” Right: An image of Martin Luther King Jr. and “even viruses know we are all made the same,” an anti-racism and pro-Black Lives Matter message. 

A Ring of Fake Journalists

Among the fake accounts created by the Iran-affiliated entity, eight personas claimed to be journalists. The narrative focus of the journalist ring differed based on the language of the tweets. The majority of tweets from this network were in English; a small amount were in Arabic and Urdu. 

English tweets

The tweets in English shared links to articles from CNN, the New York Times and the Wall Street Journal; the text of the tweets was the opening of the article (or copied from the news outlet’s own tweet about the article). The English tweets from this journalist ring were substantively different from the tweets from the “non-journalist” fake accounts, which didn’t share article links or focus primarily on events in the news. 

English tweets from the fake journalist accounts did not seem to center around a single dominant narrative; the accounts tweeted about global political events, COVID-19, President Donald Trump and George Floyd. The articles shared by the fake accounts were usually critical of Trump. For example, one account shared an article from CNN about how the governor of Illinois had labeled President Trump “a miserable failure.” At the same time, the accounts also retweeted a small but notable amount of tweets from sources that tend to be more favorable to Donald Trump, such as Candace Owens, Charlie Kirk and Donald Trump himself. 

The narratives incorporating Black Lives Matter and George Floyd were pro-BLM. For example, one account shared a CNN article and quote from Michelle Obama about the George Floyd protests: 

“Race and racism is a reality that so many of us grow up learning to just deal with. But if we ever hope to move past it, it can’t just be on people of color to deal with it,” former first lady Michelle Obama said while speaking out on George Floyd’s deathhttps://t.co/B3ZVUa0fL3

Another account copied CNN’s tweet that claimed GOP senators had asked the President to take a “far more compassionate approach amid the deep unrest” after George Floyd’s death. 

Arabic tweets

The content in Arabic from the fake journalists were mostly retweets of tweets critical of two individuals: Hani Hussein (هاني حسين), a former Kuwaiti oil minister who resigned in 2013 due to tensions with Parliament, and Abdul Hamid Dashti (عبدالحميد دشتي), a Shiite former Kuwaiti MP who was sentenced in absentia in 2016 and 2017 for remarks and tweets insulting Saudi Arabia and Bahrain. The targeting of these two individuals was not exclusive to the fake journalist accounts — all 23 fake accounts posted tweets in Arabic about the two individuals. The tweets aimed to paint Hussein and Dashti in a negative light. For example, the tweets spread rumors that Hani Hussein was abusing drugs, and referred to Abdul Hamid Dashti as a mercenary and a degenerate thief. Similarly, there was a subset of copypasta tweets — tweets that shared verbatim text — from the fake accounts in this dataset responding to real accounts on Twitter with tweets critical of Dashti, as seen in the tweet below. 

Image

Tweet Reply Translation: “The first residency dealer in Kuwait is the mercenary Abdul Hamid Dashti and his son Talal ‘Al-Nibras.’ This is a letter from the Iranian embassy to the Kuwaiti Ministry of Interior complaining about his trafficking in residences. The funny thing is that this degenerate thief, at the behest of the son of the tanker thief Khalifa, who stole Kuwait during the invasion, looks up to us! https://t.co/wyACCtdkUo”

The image in the tweet is allegedly a letter sent from the Iranian Embassy to the Kuwaiti Ministry of the Interior complaining that Dashti was ‘trafficking’ in government-funded residences, though the tweet did not specify what specifically he was trafficking. Some of these tweets were retweets of politicians in Pakistan and Kuwait, such as Dr. Basel Al-Sabah, Kuwait’s Minister of Health, which tweeted comments such as defending the state’s response to the pandemic in the face of “malicious rumors and propaganda.”  

Given their scattered focus, it is unclear from the content what the adversary’s intended purpose was for the fake accounts. 

Conclusion

Overall, this was a relatively small network in the early stages of its activity that was detected and removed before it had a chance to have a significant impact. Given Iranian-affiliated actors’ prior willingness to overtly leverage #BLM hashtags to denigrate American society and political leaders, it is somewhat surprising to see an Iran-linked adversary doing the work to compromise accounts to simply use them to send out a handful of #black_lives_matter tweets. While the narratives may not have been singularly focused across both the hacked and fake accounts, this operation provides researchers more insight into the different tactics and strategies leveraged to weigh in on political conversations and narratives on Twitter.   

In this post and in the attached report we investigate a U.S. domestic astroturfing operation that Facebook attributed to social media consultancy Rally Forge. The use of marketing agencies and social consultancies to carry out influence operations has become quite common now, worldwide. Hiring an agency may afford the client plausible deniability in the event of discovery. Rally Forge served a range of clients including Turning Point Action and Inclusive Conservation Group. In September 2019 it was implicated in an operation uncovered by the Washington Post, in which teenagers appeared to be posting comments using fake accounts. Twitter and Facebook each took down a subset of the accounts immediately, and Facebook opened an investigation. This report provides an assessment of content taken down as a result of that investigation. 

Key takeaways

• Rally Forge-linked accounts engaged in astroturfing operations on multiple platforms, posting “vox populi” comments about hunting or politics that appeared grassroots but was in fact paid commentary, much of it from people who did not exist.

• The fake accounts were operated over a period of several years, with a period of dormancy that appeared to coincide with the end of the 2018 election cycle. These fake accounts occasionally pivoted in their expressed political beliefs and topical focus. 

• Most of the Rally Forge-linked Page audiences were small, and comments that its personas left did not appear to generate much response. However, several of its Pages did achieve significant reach at their peak.

Examples of content and replies from the hunting-advocacy astroturfing operation carried out by the network.

While there are bright lines when it comes to foreign influence operations, policies are fuzzier when considering U.S.-based actors, particularly as networked activism tactics are used by an increasing variety of domestic political and issue-based advocacy groups. In this case, the vast majority of the content that Facebook attributed to the Rally Forge network consisted of fairly standard political and issue-based advocacy work. However, there was additionally extensive inauthenticity in the form of fake accounts, which attempted to manipulate the public by way of astroturfed comment activity.

The Rally Forge network across Facebook, Instagram, and Twitter. Twitter is the upper left, Instagram lower right, and Facebook the smaller cluster between them. Large nodes are individual actors in the network, and the small nodes surrounding them are “interests”—Pages and accounts that they follow. Accounts are increasingly likely to be “real” as they stray from the center of the clusters and have additional diverse interests. Subcommunities of the 3 major social networks, represented with different color, are inferred by modularity. For example, the two darkest colored clusters on the lower right are of International Conservation Group leadership.