US Seizes 27 More IRGC-Controlled Domain Names

The action follows last month's seizure of 92 domain names used by Iran's Islamic Revolutionary Guard Corps to spread disinformation.

The US Department of Justice (DoJ) today reported the seizure of 27 more domain names that Iran's Islamic Revolutionary Guard Corps (IRGC) used to further a global disinformation campaign. Last month, the US seized 92 domain names used by the IRGC to spread influence operations.

All 27 of these domains violated US sanctions targeting both the IRGC and Iranian government. Four were disguised as legitimate news outlets but were used by the IRGC to target readers in the United States with the goal of influencing US policy and opinion – in violation of the Foreign Agents Registration Act (FARA). The other domains targeted people in other parts of the world.

FARA establishes a registration, reporting, and disclosure regime for foreign governments, agencies, and other principals so that the US government and its citizens know the source of information and the identities of people trying to influence US public opinion, policy, and law. It requires foreign agents to submit statements with factual information about their activities and the income they earn.

The four domain names pretending to be news outlets – rpfront[.]com, ahtribune[.]com, awdnews[.]com, and criticalstudies[.]org – were seized pursuant to FARA, the DoJ reports. All targeted US audiences with pro-Iranian propaganda in an attempt to sway Americans to change US policy related to Iran and the Middle East. The domains targeted US citizens without proper registration and without stating their content was published on behalf of the IRGC and Iran.

A Nov. 3 seizure warrant describes how the 27 domains operated in violation of the International Emergency Economic Powers Act (IEEPA) and the Iranian Transactions and Sanctions Regulations (ITSR), which prohibit US persons from providing services to the Iranian government without a license. Seizure documents indicate all 27 domains were registered with US-based domain registrars and used top-level domains owned by US-based registries.

Neither the IRGC nor the Iranian government obtained a license from the Office of Foreign Assets Control (OFAC) before using the domain names and buying services from US providers.

Officials on Alert for Election Disinformation

The news arrives as federal officials and security experts express concern about the potential for disinformation as votes are counted in the presidential election. While no malicious cyber activity was detected on Election Day, and foreign interference is lower this year compared with 2016, officials remain on high alert as the vote count continues. In the hours after polls closed, researchers saw an uptick in disinformation spreading across different social media platforms.

Messages alleging voter fraud and other contentious topics could open the door for foreign actors to join the spread of disinformation, said Kate Starbird, professor of human-centered design and engineering at UW, during a panel hosted by the Election Integrity Partnership (EIP) on Wednesday.

"We do believe that there is a vulnerability to foreign influence here and foreign disinformation … we're not seeing a lot that would be influential, but certainly this is going to be a time when we're going to be vulnerable," she said.

When there is a large number of people who voted in one direction whose candidate may not win, the rhetoric coming from that candidate may make those voters susceptible to both foreign and domestic disinformation, Starbird explained.

While Iranian actors were seen sending spoofed emails to American voters in the weeks leading up to Election Day, so far there is no indication they have spread disinformation in the days following the election. Read the full DoJ release for more details on the domain name seizure.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
