US Seizes 27 More IRGC-Controlled Domain Names

The action follows last month's seizure of 92 domain names used by Iran's Islamic Revolutionary Guard Corps to spread disinformation.

The US Department of Justice (DoJ) today reported the seizure of 27 more domain names that Iran's Islamic Revolutionary Guard Corps (IRGC) used to further a global disinformation campaign. Last month, the US seized 92 domain names used by the IRGC to spread influence operations.

All 27 of these domains violated US sanctions targeting both the IRGC and Iranian government. Four were disguised as legitimate news outlets but were used by the IRGC to target readers in the United States with the goal of influencing US policy and opinion – in violation of the Foreign Agents Registration Act (FARA). The other domains targeted people in other parts of the world.

FARA establishes a registration, reporting, and disclosure structure for foreign governments, agencies, and other principals so that the US government and its citizens know the source of information and the identities of people trying to influence US public opinion, policy, and law. It requires foreign agents to submit statements with factual information about their activities and income earned.

The four domain names pretending to be news outlets – rpfront[.]com, ahtribune[.]com, awdnews[.]com, and criticalstudies[.]org – were seized pursuant to FARA, the DoJ reports. All targeted US audiences with pro-Iranian propaganda in an attempt to sway Americans to change US policy related to Iran and the Middle East. The domains targeted US citizens without proper registration and without stating their content was published on behalf of the IRGC and Iran.

A Nov. 3 seizure warrant describes how the 27 domains operated in violation of the International Emergency and Economic Powers Act (IEEPA) and the Iranian Transactions and Sanctions Regulations (ITSR), which prohibit US citizens from offering services to the Iranian government without a license. Seizure documents indicate all 27 domains were registered with US-based domain registrars and used top-level domains owned by US-based registries. 

Neither the IRGC nor the Iranian government obtained a license from the Office of Foreign Assets Control (OFAC) before using the domain names and buying services from US providers.

Officials on Alert for Election Disinformation

The news arrives as federal officials and security experts express concern about the potential of disinformation as votes are counted in the presidential election. While there was no malicious cyber activity detected on Election Day, and foreign interference is lower this year compared to 2016, officials remain on high alert as the vote count continues. In the hours after polls closed, researchers saw an uptick in disinformation spreading across different social media platforms.

Messages arguing for voter fraud and other contentious topics could open the door for foreign actors to jump into the disinformation spread, said Kate Starbird, professor of human centered design and engineering at UW, in a panel by the Election Integrity Partnership (EIP) on Wednesday.

"We do believe that there is a vulnerability to foreign influence here and foreign disinformation … we're not seeing a lot that be influential, but certainly this is going to be a time when we're going to be vulnerable," she said.

When there is a large number of people who voted in one direction whose candidate may not win, the rhetoric coming from that candidate may make those voters susceptible to both foreign and domestic disinformation, Starbird explained.

While Iranian actors were seen sending spoofed emails to American voters in the weeks leading up to Election Day, so far there is no indication they have spread disinformation in the days following the election. Read the full DoJ release for more details on the domain name seizure.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
