Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

04:50 PM
Connect Directly

US Seizes 27 More IRGC-Controlled Domain Names

The action follows last month's seizure of 92 domain names used by Iran's Islamic Revolutionary Guard Corps to spread disinformation.

The US Department of Justice (DoJ) today reported the seizure of 27 more domain names that Iran's Islamic Revolutionary Guard Corps (IRGC) used to further a global disinformation campaign. Last month, the US seized 92 domain names used by the IRGC to spread influence operations.

Related Content:

Disinformation Now the Top Concern Following Hack-Free Election Day

The Changing Face of Threat Intelligence

New on The Edge: Bug Bounty Hunters' Pro Tips on Chasing Vulns & Money

All 27 of these domains violated US sanctions targeting both the IRGC and Iranian government. Four were disguised as legitimate news outlets but were used by the IRGC to target readers in the United States with the goal of influencing US policy and opinion – in violation of the Foreign Agents Registration Act (FARA). The other domains targeted people in other parts of the world.

FARA ascertains a registration, reporting, and disclosure structure for foreign governments, agencies, and other principals so that the US government and its citizens know the source of information and identities of people trying to influence US public opinion, policy, and law. It requires foreign agents submit statements with factual information about their activities and income earned.

The four domain names pretending to be news outlets – rpfront[.]com, ahtribune[.]com, awdnews[.]com, and criticalstudies[.]org – were seized pursuant to FARA, the DoJ reports. All targeted US audiences with pro-Iranian propaganda in an attempt to sway Americans to change US policy related to Iran and the Middle East. The domains targeted US citizens without proper registration and without stating their content was published on behalf of the IRGC and Iran.

A Nov. 3 seizure warrant describes how the 27 domains operated in violation of the International Emergency and Economic Powers Act (IEEPA) and the Iranian Transactions and Sanctions Regulations (ITSR), which prohibit US citizens from offering services to the Iranian government without a license. Seizure documents indicate all 27 domains were registered with US-based domain registrars and used top-level domains owned by US-based registries. 

Neither the IRGC nor the Iranian government obtained a license from the Office of Foreign Assets Control (OFAC) before using the domain names and buying services from US providers.

Officials on Alert for Election Disinformation
The news arrives as federal officials and security experts express concern about the potential of disinformation as votes are counted in the presidential election. While there was no malicious cyber activity detected on Election Day, and foreign interference is lower this year compared to 2016, officials remain on high alert as the vote count continues. In the hours after polls closed, researchers saw an uptick in disinformation spreading across different social media platforms.

Messages arguing for voter fraud and other contentious topics could open the door for foreign actors to jump into the disinformation spread, said Kate Starbird, professor of human centered design and engineering at UW, in a panel by the Election Integrity Partnership (EIP) on Wednesday.

"We do believe that there is a vulnerability to foreign influence here and foreign disinformation … we're not seeing a lot that be influential, but certainly this is going to be a time when we're going to be vulnerable," she said.

When there is a large number of people who voted in one direction whose candidate may not win, the rhetoric coming from that candidate may make those voters susceptible to both foreign and domestic disinformation, Starbird explained.

While Iranian actors were seen sending spoofed emails to American voters in the weeks leading up to Election Day, so far there is no indication they have spread disinformation in the days following the election. Read the full DoJ release for more details on the domain name seizure.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: "The truth behind Stonehenge...."
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-02
A cross-site scripting issue was found in Apache Ambari Views. This was addressed in Apache Ambari 2.7.4.
PUBLISHED: 2021-03-02
An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag sometimes provided view access to unintended actors.
PUBLISHED: 2021-03-02
An issue was discovered on LG mobile devices with Android OS 11 software. They mishandle fingerprint recognition because local high beam mode (LHBM) does not function properly during bright illumination. The LG ID is LVE-SMP-210001 (March 2021).
PUBLISHED: 2021-03-02
fastify-reply-from is an npm package which is a fastify plugin to forward the current http request to another server. In fastify-reply-from before version 4.0.2, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is &...
PUBLISHED: 2021-03-02
fastify-http-proxy is an npm package which is a fastify plugin for proxying your http requests to another server, with hooks. By crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is `/pub/`, a user expect that accessing...