Analyzing Iranian information operations targeting Pakistan 🇵🇰

Summary

• Using Twitter’s Information Operations Archive, I examined more than 10 million tweets attributed to Iranian information operations and discovered 98 accounts that had reported their locations in Pakistan, but which Twitter believed were “potentially located within Iran.”
• More than half of these accounts self-identified as supporters or members of the ruling political party, the Pakistan Tehreek-e-Insaf (PTI), as well as the Pakistan Muslim League (N) (PMLN). The accounts deployed hashtags for both political parties, but accounts demonstrated a clear preference for Imran Khan and the PTI, particularly prior to the 2018 elections.
• These accounts produced 1.9 million tweets between May 2013 and November 2018, with the vast majority of tweets sent during 2017–2018. Together, the accounts garnered 3.9 million engagements, including retweets and likes. The accounts largely engaged in “false amplification,” re-tweeting other assets within the network or mentioning them repeatedly.
• Some of the most influential accounts’ tweets were embedded in Pakistani and international media articles, often framed as vox populi on issues ranging from police reform to terrorism. The accounts largely tweeted in English and Urdu and demonstrated a keen understanding of Pakistani politics.
• During this analysis, I uncovered 10 additional Facebook and Instagram accounts likely linked to the Iranian campaign. These accounts posed as Pakistani media and disseminated content from sites previously attributed to Iran. I notified Facebook’s security team about the remaining accounts in March 2020 and Facebook removed all accounts after an internal review.
• The Facebook accounts demonstrated low operational security, making no effort to conceal the origins of the administrators who managed the pages, most of which were geo-located to Iran. This is in line with the findings of other researchers, who have noted Iran’s “low premium” in OPSEC.

How did the accounts describe themselves?

The most frequent words in the accounts’ profiles show that they posed as activists, students, photographers, media, and ardent political supporters of Imran Khan and the PTI. Based on the accounts’ Twitter bios and handles, 52 of the accounts posed as PTI supporters and 10 as PMLN, with 36 other accounts not mentioning any political party. One account was particularly brazen and posed as a member of the Provincial Assembly in Punjab. The largest account, @RuhidaPTI, had nearly 110,000 followers and posed as an IT student at the University of Islamabad. Altogether, 21 of the accounts amassed more than 10,000 followers and almost all of those accounts described themselves as PTI supporters.

The accounts tweeted in a variety of languages, but mainly in Urdu (50%) and English (36%), alongside other languages like Hindi, Arabic, Indonesian, and more.

What did the accounts tweet about?

The accounts amplified hashtags during key political events in Pakistan. For example, the accounts sent nearly 200,000 tweets in 2017 using the hashtag, #AdyalaAwaitsNawaz, referring to a statement made by Prime Minister Imran Khan about Adiala jail waiting for Nawaz Sharif’s return to Pakistan. The vast majority of the accounts’ tweets focused on domestic Pakistani issues and only sometimes adopted the geopolitical stance of Iran, sometimes tweeting pro-Palestinian and anti-Israeli content.

The accounts also frequently targeted media, such as Geo News, with the hashtag #NoMoreYellowJournalism. In another instance, they targeted Dawn, using #WhoFedDawn to reference a controversial story they published about a confrontation between government and military officials over action against armed groups in Pakistan.

#AntiNationalDawn Pakistan does not have the honest, sincere, patriotic media it deserves.

@RuhidaPTI: Dawn is proving itself to be India’s next investment after Geo #DawnofTrashournalism @waheedgul @AyishaBaloch @FarhanKVirk

After extracting mentions from the tweets, I found that the accounts largely amplified each other and a few authentic users, namely, Imran Khan, Maryam Sharif, and Masood Khan, a prominent social media activist and chairman of Pak Youth Force.

Hashtag usage primarily focused on attacking the PMLN and Nawaz Sharif, while supporting the PTI and Imran Khan.

The preference for Imran Khan was most evident just prior to the 2018 elections, when some of their most retweeted tweets included:

“Election Day” is not a “Holiday”, to cast vote is our national responsibility. Vote sensibly..to repeat the same mistakes and expecting a different outcome is just madness. Vote for change..Vote for PTI #GE2018 #VoteForChange #NayaPakistan Inshaa’Allah

جاگ جاو پاکستانیو اپنے ملک کی تقدیر بدلو ✌ یہ بچیاں خانیوال اڈہ چھب کلاں کے غریب ہاری نصیر احمد کی بیٹیاں تھیں اور پورے خاندان کے ہمراہ بہاولنگر اور جنوبی پنجاب کی آخری تحصیل فورٹ عباس کے تپتے صحرا میں کھیتی باڑی اور مزدوری کرنے آئیں تھیں۔ 😢 #EidulFitr #voteforchange

Nawaz Shareef Has his bussiness relations with in India and he never take strict action against India . So Dont Vote for him . @asamkhan852 #ٹھپا_لگاؤ_انڈیا_کو_ہراؤ

Some of the most influential accounts also had their tweets cited in both international and domestic media reports on a range of topics. These accounts included “@RuhidaPTI” and “@DuaFatimaPK.”

Automated tweeting

Over 300,000 tweets were sent using an automation application (IFTTT) and some accounts relied only on this method for messaging. In the chart below, I’ve visualized the hourly tweeting frequency of the largest accounts, showing that some accounts engaged in round-the-clock tweeting, whereas others appear to have had some human intervention.

Additional accounts removed by Facebook

While analyzing the Twitter accounts I noted links to other Facebook and Instagram accounts that remained active after official takedowns. The Facebook pages included the accounts of “Sach Times” and several page iterations for “Pak Online News” and one Facebook page called, “PMLNWoman.” The “Pak Online News” pages contained similar iconography and their page managers, like others in this set, were located in Iran and Pakistan. One page, “Sach Times Urdu,” only had administrators located in Iran. These pages primarily distributed off platform content from the sites pakonlinenews[.]com and sachtimes[.]com, which were used to launder Iranian government narratives alongside content copied from another, authentic Pakistani media site. In November 2020, the FBI seized numerous domain names allegedly used by Iran’s Islamic Revolutionary Guard Corps. The site pakonlinenews[.]com now shows the following:

current screenshot of pakonlinenews[.]com

Only two pages, “Pak Online News” and “PMLNWoman,” had very similar temporal patterns that suggested coordination. These pages mainly posted links to pakonlinenews[.]com or directly inserted article text from the site into their post.

The Facebook assets made no effort to conceal the origins of their page administrators, as shown in Facebook’s transparency tool.

Conclusions

Twitter’s archives of information operations continue to provide insight into the range and targets of Iranian information operations. One surprising aspect of the accounts in this set is their detailed insight into Pakistani politics and support for the PTI and Imran Khan (one other cybersecurity researcher looking at Iran’s efforts in Pakistan has suggested the possibility of unwitting participants).

Twitter’s disclosures about information operations also illustrate the importance of transparency. Such data is crucial for the public, policymakers, and researchers to understand and mitigate future operations. This is all the more salient when malign actors are persistent or continue to go undetected despite platform enforcement.