FireEye uncovers suspicious online activity resembling Iranian influence operations

Key Points
  • Social media accounts took on the personas of journalists, activists, Republican lawmakers and ordinary Americans to promote pro-Iranian messages, according to the latest investigative report from FireEye.
  • These profiles were included in a sweep of nearly 3,000 Twitter accounts that were removed by the social media giant, which says they originated in Iran.

Dozens of social media accounts displaying suspicious behavior have been uncovered in a new report that sees pro-Iranian messaging promoted by profiles impersonating real people, as well as journalists and activists who don't seem to exist.

The accounts, which promoted often aggressive messages and hashtags in support of the Iranian government, have also taken on the personas of Republican members of Congress and ordinary Americans, according to the latest investigative report from California-based cybersecurity firm FireEye.

The firm describes its findings as a "network of social media accounts" impersonating U.S. political candidates and "leveraging U.S. and Israeli media in support of Iranian interests."

While Iranian influence campaigns carried out from within the country are not new, FireEye's findings dissect yet more individual accounts that have surfaced in various media outlets engaging in "inauthentic behavior … that we assess with low confidence was organized in support of Iranian political interests," the report's authors said.

These profiles were included in a sweep of nearly 3,000 Twitter accounts that were removed by the social media giant, which says they originated in Iran.


Yoel Roth, head of site integrity at Twitter, posted a tweet last week saying that the accounts "employed a range of false personas to target conversations about political and social issues in Iran and globally. Some engaged directly through public replies with politicians, journalists, and others."

Hijacking real people's pictures with multiple names and locations

FireEye itself stresses the words "low confidence", adding that it has not yet been able to attribute the activity to a geographic location or to Iranian state sponsorship. But the behavior follows patterns that the company investigated last year, illustrated in its August 2018 report that uncovered an extensive network of fake news sites and associated accounts it believes were linked to the Islamic Republic and government cyber actors.


"Narratives promoted by these and other accounts in the network included anti-Saudi, anti-Israeli, and pro-Palestinian themes," the report mentioned. This included support for the 2015 Iran nuclear deal and criticism of the Trump administration's designation of Iran's Islamic Revolutionary Guard Corps (IRGC) as a Foreign Terrorist Organization.

While many of those positions are held by ordinary people, FireEye describes "several limited indicators that the network was operated by Iranian actors." Iran's Foreign Affairs Ministry did not reply to CNBC's request for comment, but the government in Tehran has denied accusations of offensive cyber activity.

Journalists that don't exist

Some accounts bearing American names of individuals claiming to be U.S.-based journalists — one, for instance, called "@AlexRyanNYC", who falsely claimed to be a Newsday journalist and had appropriated a genuine person's photo — had their user interfaces set to Persian or had posted tweets in Persian years back in their history, the report described. These individuals could not be traced to any other legitimate public profiles or company bios.

Another highlighted account in the FireEye report was a persona called "Mathew Obrien", who also claimed to be a Newsday reporter and had pro-Iranian government 'letters to the editor' published in various local U.S. newspapers in Texas.

The name would appear with slight spelling variations — also spelled Matthew O'Brien and Mathew Obrien — and claimed to be based in several different U.S. cities, while posting tweets in often faulty English, the report claimed. Several of the personas in this network falsely claimed affiliations with U.S. outlets like New York Daily News and the Seattle Times, and would often promote each other's tweets.


Lee Foster, FireEye's senior manager for information operations analysis, says the accounts are still being investigated.

"Some of (the personas) use the same headshot in different forums with different names, some submitted identical letters (to newspapers) but under different names… this leads us to suspect, with low confidence, that they're inauthentic. We do know it's possible that there is some authentic behavior there as well, but collectively, it's all very unusual."

Geographic attribution is hard to attain, however, and the clues vary, he says. "You're looking for stronger technical indicators tying it to a geography, to a state, more than simply the behavior."

In previous investigations, FireEye's intelligence analysts have spotted indicators like heavy use of Persian language or Iranian phone numbers used to register accounts. Technical clues, like those found in cases of Russian-led security breaches, include forensic indicators in the malware being used. Persian has also been found in ransomware code targeting systems in different countries including Saudi Arabia, South Korea and the U.S.

Political influence campaigns: no signs of stopping

Political influence campaigns, lately most associated with Russia but practiced by numerous actors, are on the rise as social media platforms and governments grapple with how to combat them.

Iran has been testing social media, influence campaigns and "temporary disruptive effects, similar to its data deletion attacks against dozens of Saudi governmental and private-sector networks in late 2016 and early 2017," officials from the Office of the Director of National Intelligence (ODNI) told Congress in January.

U.S. social media companies like Facebook and Twitter are increasingly — but tentatively — cooperating with U.S. intelligence on monitoring for misinformation campaigns, ODNI director Dan Coats said at the time, but the debate over the companies' roles in policing and removing online content continues.

CNBC's Kate Fazzini contributed to this report.