Twitter said it had removed about 2,800 accounts originating in Iran at the beginning of May, but it did not tie the accounts to the country’s government. Its disclosure came at the same time as a report from the cybersecurity firm FireEye that identified a “network of English-language social media accounts” on the site that often posted on “anti-Saudi, anti-Israeli and pro-Palestinian themes.”
FireEye did not directly attribute the activity to either Iranian state leaders or malicious actors operating within the country. But it noted that some of the tweets supported the Iranian nuclear deal, which President Trump withdrew from a year ago, while opposing some of the White House’s policies in the Middle East.
Two of those accounts also impersonated Republicans who ran for Congress — Marla Livengood, who lost her bid to represent California’s 9th Congressional District, and Jineea Butler, who was defeated in her attempt to win a seat representing New York’s 9th Congressional District. The accounts used photos of the candidates and even mimicked some of the Republicans’ authentic tweets. The fake accounts commented on mainstream political subjects, such as the confirmation of Brett Kavanaugh to the Supreme Court, but sometimes pivoted to issues that pertained to Iranian interests.
Twitter confirmed that the spoofed accounts, along with others identified by FireEye, had been suspended.
Scott Winn, a Livengood campaign consultant, said neither Twtitter nor FireEye had told Livengood about the discovery. He wondered why anyone would use Livegood’s account to tweet anti-Israel content, suggesting such stands would be detrimental to anyone running in the 9th or the neighboring 10th, where Livengood plans to run in 2020.
Butler could not be reached for comment.
Facebook, meanwhile, announced Tuesday that it had removed 51 accounts, along with 36 pages, seven groups and three accounts on Instagram, that violated its prohibition against “coordinated inauthentic behavior.” Much like Twitter, Facebook said the activity “originated in Iran,” but did not go further in attributing it. Facebook said the accounts purported to be based in the United States and Europe and sought to impersonate journalists or others in trying to contact users on the site.
The new disclosures offer the latest illustration about the disinformation threat emanating from Iran. In 2018, FireEye identified a campaign which it tied more closely tied to the Iranian government that sought to amplify the reach of its state-run media outlets. Another report from Citizen Lab released this year uncovered a pro-Iranian propaganda operation that sought to mimic real news websites — all in a bid to attack Iran’s foes.
This time, Lee Foster, a senior manager for information operations analysis at FireEye, said the activity on Twitter in particular “demonstrates the use of additional tactics and techniques in the information space.” The theft of real-world identities — along with attempts to reach specific, highly influential individuals online — represented a more sophisticated operation than the campaign FireEye identified last year, Foster said.
FireEye also said it had identified a number of instances in which fake accounts on Twitter may have been linked to letters to the editor that ran in major newspapers around the world. One disabled account on Twitter, for example, shared a similar name and photo with a now-defunct blog on the website of the Times of Israel. In other cases, FireEye pointed to examples of identically worded letters that appeared in two different newspapers in Texas under two different names — both of which are akin to accounts that Twitter removed.
The Post could not independently verify if the letters are inauthentic. FireEye later clarified that it does not "know the letter writers are fake" but is "making an assessment that the personas are potentially inauthentic." Editorial managers at each of the newspapers did not immediately respond to requests for comment.
For its part, Twitter sharply criticized FireEye on Tuesday, charging the firm “had issued a report and chosen not to share information or insights with Twitter prior to its publication, which is outside standard responsible industry norms.” The company said it is still investigating the disinformation campaign.
Ellen Nakashima contributed.