US Seizes Almost 100 Domain Names Used by the Revolutionary Guards

On October 8, 2020 the United States Department of Justice announced it had seized 92 Internet domain names being used by the Islamic Revolutionary Guard Corps to spread dissemination. In a statement, it claimed the IRGC had used these addresses to engage in an illegal global disinformation campaign disseminating fake news and information worldwide.

According to the US Attorney’s Office, documents show the domains were sharing content dressed to look like legitimate news items, but which were actually part of a project by the Revolutionary Guards aiming of influencing US domestic and foreign policy

John C. Demers, assistant Attorney General for national security, said: “We will continue to use all our tools to stop the Iranian government from misusing U.S. companies and social media to spread propaganda covertly... Fake news organizations have become a new outlet for disinformation spread by authoritarian countries as they continue to try to undermine our democracy.  Today’s actions show that we can use a variety of laws to vindicate the value of transparency.” 

The US authorities have not yet released a full list of the 92 fake news websites, but revealed that four of them – newsstand7.com, usjournal.net, usjournal.us and twtoday.net – had been seized pursuant to the Foreign Agents Registration Act (FARA) because they were targeting US citizens with pro-Islamic Republic propaganda while masquerading as independent news outlets. FARA requires foreign agents to register in the United States and to state, conspicuously, if they are being run on behalf of a foreign government. These websites had not done so and were producing fake content specifically aimed at Americans. The other 88, the Department of Justice said, targeted audiences in Western Europe, the Middle East and southeast Asia.

The FBI’s Special Agent in Charge for the case said the investigation had stemmed from intelligence received from Google and was carried out in partnership with Google, Facebook and Twitter.

The domains being used by the Iranian government were registered in the US and owned by United States-based companies. Even though the Islamic Republic of Iran and several other countries are subject to US sanctions, in special circumstances or for humanitarian reasons they may – with permission from the US Office of Foreign Assets Control – temporarily be able to access certain services in the US under the International Economic Emergency Economic Act (IEEPA). In this case, though, no such application had been made.

This is not the first time Iranian government-linked websites have been shut down in the US. In 2019, Microsoft filed a lawsuit in a Washington federal court authorizing the seizure of 99 domains being used by hackers affiliated with the Islamic Republic to target people with cyberattacks. In the following months, Microsoft also discovered and confiscated another 25 domains.

A group of pro-Islamic Republic hackers called Phosphorous – which encompasses the cyber-outfits Advanced Persistent Threat (APT) 35, Charming Kitten and Ajax – had created a set of subdomains that looked, outwardly, very similar to the domains of reputable companies. The websites outlook-verify.net, yahoo-verify.net, verification-live.com and myaccount-services.net, amongst others, had incorporated the names and brands of Yahoo, Outlook, and Microsoft to deceive victims into handing over personal information. According to Microsoft, hackers linked to the IRGC had used some of these domains to launch cyberattacks during the 2018 US midterm elections.