US Seizes 27 More IRGC-Controlled Domain Names

The action follows last month's seizure of 92 domain names used by Iran's Islamic Revolutionary Guard Corps to spread disinformation.

The US Department of Justice (DoJ) today reported the seizure of 27 more domain names that Iran's Islamic Revolutionary Guard Corps (IRGC) used to further a global disinformation campaign. Last month, the US seized 92 domain names the IRGC used to conduct influence operations.

All 27 of these domains violated US sanctions targeting both the IRGC and Iranian government. Four were disguised as legitimate news outlets but were used by the IRGC to target readers in the United States with the goal of influencing US policy and opinion – in violation of the Foreign Agents Registration Act (FARA). The other domains targeted people in other parts of the world.

FARA establishes a registration, reporting, and disclosure structure for foreign governments, agencies, and other principals so that the US government and its citizens know the source of information and the identities of people trying to influence US public opinion, policy, and law. It requires foreign agents to submit statements with factual information about their activities and income earned.

The four domain names pretending to be news outlets – rpfront[.]com, ahtribune[.]com, awdnews[.]com, and criticalstudies[.]org – were seized pursuant to FARA, the DoJ reports. All targeted US audiences with pro-Iranian propaganda in an attempt to sway Americans to change US policy related to Iran and the Middle East. The domains targeted US citizens without proper registration and without stating their content was published on behalf of the IRGC and Iran.

A Nov. 3 seizure warrant describes how the 27 domains operated in violation of the International Emergency and Economic Powers Act (IEEPA) and the Iranian Transactions and Sanctions Regulations (ITSR), which prohibit US citizens from offering services to the Iranian government without a license. Seizure documents indicate all 27 domains were registered with US-based domain registrars and used top-level domains owned by US-based registries. 

Neither the IRGC nor the Iranian government obtained a license from the Office of Foreign Assets Control (OFAC) before using the domain names and buying services from US providers.

Officials on Alert for Election Disinformation

The news arrives as federal officials and security experts express concern about the potential of disinformation as votes are counted in the presidential election. While there was no malicious cyber activity detected on Election Day, and foreign interference is lower this year compared to 2016, officials remain on high alert as the vote count continues. In the hours after polls closed, researchers saw an uptick in disinformation spreading across different social media platforms.

Messages arguing for voter fraud and other contentious topics could open the door for foreign actors to jump into the disinformation spread, said Kate Starbird, professor of human centered design and engineering at UW, in a panel by the Election Integrity Partnership (EIP) on Wednesday.

"We do believe that there is a vulnerability to foreign influence here and foreign disinformation … we're not seeing a lot that be influential, but certainly this is going to be a time when we're going to be vulnerable," she said.

When there is a large number of people who voted in one direction whose candidate may not win, the rhetoric coming from that candidate may make those voters susceptible to both foreign and domestic disinformation, Starbird explained.

While Iranian actors were seen sending spoofed emails to American voters in the weeks leading up to Election Day, so far there is no indication they have spread disinformation in the days following the election. Read the full DoJ release for more details on the domain name seizure.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
