#TrollTracker: An Iranian Messaging Laundromat
Websites repackaged content from Iran’s state channels and passed them on to users
A cluster of websites known as IUVM (“International Union of Virtual Media”) appears to have been laundering Iranian state messaging by claiming it as their own and passing it on to other users, who reproduce it without showing its ultimate origin, @DFRLab can confirm.
The exposure, reported by Reuters and reviewed by @DFRLab, shows that a network of Iranian inauthentic “news” sites and social media pages taken down last week was part of a larger system, which is still operating.
It is unclear who is behind the system, but the evidence suggests that is linked to the Iranian state. Its purpose appears to be to re-label Iranian state messaging, so that it can passed on to an unsuspecting audience.
A pro-Iran network exposed
On August 21, online research team FireEye published a report exposing a network of apparently independent websites and social media accounts which were linked, by their registration emails and phone numbers, to Iran.
“This operation is leveraging a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests,” FireEye wrote.
Simultaneously, Facebook announced that it had removed over 600 accounts associated with the network, having found them “inauthentic.”
FireEye and Facebook named a number of websites which they linked to the network, including libertyfrontpress.com, institutomanquehue.org, britishleft.com, RPFront.com, and USjournal.net. As of August 28, those websites were still operating. @DFRLab analyzed the first two sites, which had the clearest ties to Iran via email addresses and phone numbers, here.
Subsequent research revealed that all those sites shared content from another cluster of websites, which repackaged Iranian state messaging without attributing it as such.
The IUVM cluster
The cluster called itself the “International Union of Virtual Media,” or IUVM. As of August 28, 2018, it numbered at least ten websites. The “official” page was iuvm.org, which described the group’s goals, including “Confronting with remarkable arrogance, western governments and Zionism front activities to correct the deflection of people movements in world.”
Others included iuvmpress.com, which published apparently original articles from a largely pro-Iranian and anti-Western standpoint; iuvmtv.com, a video channel with pronounced anti-U.S. and anti-Saudi leanings; and iuvmpixel.com, which featured similarly anti-U.S. and anti-Saudi cartoons.
It also included iuvmnews.com, a news aggregator for outlets including Iranian state broadcaster Press TV, Iranian news agency Fars, Russian state broadcaster RT, Venezuelan state broadcaster TeleSur, Syrian pro-regime outlet Al-Masdar, and U.S.-based conspiracy site Veterans Today.
None of the sites gave a contact address other than by email, or explained the group’s financing. The iuvm.org About page described the process of its launch in 2015, but not its location; the Contact page gave the same text.
The group’s statute, downloadable from iuvm.org, said that its headquarters was in Tehran, and that it drew its budget from “individual donations and fundraisings and through other organizations,” without elaborating.
Some of the language in the statute strongly resembled official Iranian regime rhetoric. For example, it repeatedly referred to the fight against “global arrogance” and the “global arrogance states;” this is the exact phrase used by Iran’s Ayatollah Khamenei in a 2009 geopolitical essay on “global arrogance.”
Across the sites, the content was routinely pro-Iranian, pro-Palestinian, anti-American and anti-Israel.
According to online analyst Josh Russell, the IUVM sites were hosted at the same IP address as a website called sayyidali.com, which, in turn, shared infrastructure with other sites in the network exposed by FireEye.
The Tehran location and the geopolitical stance point to this as an Iranian pro-regime operation. The reproduction of Khamenei’s rhetoric, including the key catch-phrase “global arrogance,” suggest it is regime-linked, not merely sympathetic.
The most significant of the pages, in terms of content laundering, was iuvmpress.com. All of the websites identified by FireEye re-posted its content, naming it as their source, on a wide range of issues.
For example, the English-language page of institutomanquehue.org listed IUVMPress as an author.
Website britishleft.com, identified by FireEye as part of the same network, repeatedly attributed its articles to IUVMPress, with the byline “HT IUVMPress” (an online contraction for “hat tip to IUVMPress”).
Website libertyfrontpress.com, which FireEye found to have been registered to an email address linked to Iran, regularly published IUVMPress bylines.
While IUVM presented its content as original, it was, in fact, more often taken from other sources. On a few occasions, the copies were overt and attributed, either by text or using the logo, as in these reports from Reuters and Al Jazeera.
Most copies were not attributed. The most frequent source of such stories, reproduced almost verbatim and without attribution, was Iranian state English-language broadcaster Press TV. In many cases, the IUVMPress variant lacked the Press TV lede, or relocated it.
This copying was rapid and systematic. According to Google searches for articles posted on August 24, iuvmpress.com regularly re-posted Press TV content within two hours of its publication.
Sometimes, the articles were published in the same hour.
Some articles reproduced articles and official announcements from Khamenei’s website.
One article reproduced a video from the Ayatollah’s site, using the same headline and video, without further commentary. The only difference was that iuvmpress.com added a still above the video.
Not all the content came from official channels. This article, for example, replicated one on website rpfront.com, another site identified by FireEye as part of the network. The iuvmpress.com headline appeared to be a shortened version of the rpfront.com one, with different capitalization, suggesting that this was not an automated share.
This article reproduced one on the website usjournal.net, again identified by FireEye as part of the network. The headline was different, indicating that this was not an automated share. In both cases, the iuvmpress.com version came some days after the original; a Google search did not turn up earlier results, indicating rpfront.com and usjournal.net as the points of origin.
The iuvmpress.com website served as an intermediary between these different sites. For example, on August 20, it reproduced a message to pilgrims from Ayatollah Khamenei’s official wesbite. The same day, website britishleft.com copied the post and attributed it to “IUVMPRESS.”
On another occasion, iuvmpress.com took the story on Saudi Arabia banning pilgrims (cited above) from usjournal.net. Once more, britishleft.com ran the story, but attributed to IUVMPress.
The origin of the articles was not always obvious. For example, on May 7, 2017, iuvmpress.com ran an article concerning Britain’s alleged inability to control the Islamic State terrorist group. The same text appeared on the Fars news wire the following day, and was repeated verbatim by institutomanquehue.org on May 10, which attributed it to “IUVM Press.” However, the IUVM version lacked the lede, suggesting that it had been taken from an earlier original; the Manquehue version did not.
Also on May 7, website alwaght.com ran the same story, with the original lede. This suggests that alwaght.com was the source, and that iuvmpress.com amplified it, or that both drew on an original which is no longer extant.
As a final example, on August 5, 2017, libertyfrontpress.com posted what appeared to be an original article reporting a speech by Ayatollah Khamenei, in which he urged the West to view Iran as a stabilizing factor in the Middle East. It was repeated by iuvmpress.com on August 6, and also by two sites which regularly shared iuvmpress.com content, nthnews.net and awdnews.com.
The vector of transmission between these sites is unclear.
The cluster of sites under the IUVM brand, and especially IUVMPress.com, sit at the center of a network of sites which routinely post content favorable to the Iranian regime. Some are state outlets, such as Press TV and the Ayatollah’s website. Others have no ostensible link to the Iranian state.
iuvmpress.com itself appears to serve as a clearing house for pro-regime content. On some occasions, it served as a source to which other sites could refer. On others, it amplified content from other pro-regime sources, often without attribution.
Repeatedly, it re-posted content from Iranian state outlets, without attribution; on some occasions, that content was then picked up by tertiary sources, which attributed it to iuvmpress.com.
The websites under the IUVM brand therefore appear to be another part of the messaging complex which FireEye first exposed. The identity of their operators is not clear; however, given their content, use of language and emphasis on Iranian state messaging, they should definitely be regarded as a pro-regime network, and may well be regime-linked.
Ben Nimmo is Senior Fellow for Information Defense at the Atlantic Council’s Digital Forensic Research Lab (@DFRLab).
@DFRLab is a non-partisan team dedicated to exposing disinformation in all its forms. Follow along for more from the #DigitalSherlocks.