Crazed acts of Iran’s cyber war machine to counter Resistance’s international campaign
The Iranian regime seems to have lost its bearings after large opposition rallies in numerous world capitals and the five-day gathering in Ashraf 3 attended by over 350 political dignitaries from 47 countries, in addition to an increasing stream of activities by resistance units inside the country.
The events have dealt a lethal blow to the regime in the midst of a comprehensive oil embargo and international sanctions against the regime’s supreme leader, Ali Khamenei, and its foreign minister, Mohammad Javad Zarif.
On August 4, 2019, Ali Rabie, the regime’s government spokesman and a founding member of the Iranian regime’s Ministry of Intelligence and Security (MOIS), complained that the White House’s discourse against the regime has become similar to that of the People’s Mojahedin Organization of Iran (PMOI/MEK).
Khamenei’s mouthpiece, the Kayhan daily, wrote on August 8, the MEK “has penetrated deeply into our homes and its impact is being felt.”
An IRGC brigadier general named Assadollah Nasseh said on state TV on July 28, “We must know that everything that takes place in the world against us is the result of their [PMOI/MEK’s] lobbying effort somewhere, or a price that they have paid… On the issue of missiles, we witness that it was based on the information that they provided to the Americans. Regarding human rights, they make up dossiers and files and provide them to Europeans and they put pressure on us in this way. They use every leverage against us.”
Iranian regime officials are horrified at the specter of what they see as the warm welcome for the PMOI/MEK and Iranian Resistance in social media networks.
IRGC Brigadier General Gholamreza Jalali, who heads the regime’s civil defense forces, told state run ISNA on July 29, 2019, “our new war [with the PMOI/MEK] in cyberspace is more difficult than the Mersad operation.” [Mersad, or Operation Eternal Light, was a major offensive by the Iranian resistance that penetrated 100 miles inside of Iran leading to the liberation of two cities in July 1988 that shook the regime to its foundations.] “Many hateful, insulting and slanderous comments are posted by them [PMOI/MEK] with fake accounts. Their fingerprint is on many of the controversies that we face. Many of the news cycles in cyberspace that are orientated against the state and the revolution are their psychological warfare against us… They [PMOI/MEK] take advantage of some of the weak economic circumstances domestically and incite people to rise up… During last year’s events we saw this same fake news in cyberspace had a significant role in fanning the perception of shortage of basic goods… They try to influence public opinion and perception in society negatively, and to instill despair, disappointment and a sense of failure of the Islamic Republic.”
The deputy commander of IRGC’s Sarollah headquarters said, “Today they [PMOI/MEK] have put all efforts into humiliating the holy system of the Islamic Republic in cyberspace.”
On July 29, 2019, an MOIS operative named Mohammad Javad Hasheminejad complained of the “presence of 1,500 of their [PMOI/MEK] units in three shifts round the clock” in social media networks and their role in “the riots of 2018 in the country,” adding, “we need to know our enemy and know its objectives so we can counter it accordingly.”
A founding member of the IRGC brigadier general Abolghassem Forootan, told the State run Mizan news agency, on August 2, 2019, “This time they want to harm the values of our nation and system through the use of cyberspace and soft power.”
It is evident that the MOIS, IRGC, and Qods Force have embarked on a futile campaign to counter the growing resistance to the regime by using their propaganda and cyberwarfare machine. Their known suppressive tactics employed against the Iranian Resistance has been demonization campaigns, dissemination of false information and news, use of fraudulent emails and accounts, sending threatening emails, injecting virus and worms to hack the computers and email accounts of Iranian Resistance supporters.
1. An English language website created by the Iranian regime called Iran Front Page (IFP) has spread a ridiculous and categorically false claim that it has access to a video clip of a “private meeting of the MEK in Albania.” The two minute long clip of this “private” meeting features the voice of Mr. Mehdi Abrishamchi reviewing the policies of past US administrations in appeasing the clerical regime and has been quickly republished in a network of websites affiliated to the Iranian MOIS. There is nothing new, private, or confidential in this clip. It is not related to Albania either. It is just an out of context part of a public meeting with Iranians after the large gathering of Iranians in Paris on July 1, 2017. Similar commentary has been broadcast on numerous occasions in Simaye Azadi television and websites affiliated to the Iranian Resistance. The lies of the MOIS just go to show the regime’s bankrupt need for such news to lift the morale of its dispirited loyalists. The IFP website, published in English and Arabic, is registered to Mahmoud Asgari in 26 Ali Shariati and Pir-Jamali Street, in Tehran, since June of 2014. The telephone number for this website is +93-2177528888 and the country code of 93 is for Afghanistan.
2. In another amateurish and ridiculous act, the MOIS has claimed accessing another sound clip of Mr. Abrishamchi in another internal meeting in Albania and published this claim on a website called Mozahemin.org [meaning Nuisances]. The website published a sound clip of a woman asking a question under a photograph that shows Mr. Abrishamchi in a public meeting in Paris. The woman asks, “In 2013 a message announced that the regime would be overthrown in six months…” The MOIS website then goes on to portray the short out of context sound clip as proof of protests by high ranking members of the PMOI in Albania. But the photo in the article and the woman’s voice (assuming it has not been produced by the MOIS) have no relation to Albania. The question also (a message in 2013) has no relation to any of MR. Abrishamchi’s meetings and speeches in which he has answered compatriots’ questions. Not to mention that the mentioned message of 2013 never existed. The Mozahemin website that is registered in Mashhad has its address as the MOIS offices and projects its own moto onto the PMOI/MEK by writing “wherever there is terrorism, murder, and treason, we are there.” The website introduces itself as “website for people’s nuisance organization of Iran” to parody the MEK and continues that it is “a window onto a student, scientific, and human rights organization that is the result of the efforts of some students all over Iran and essentially from those interested in the field of counter-terrorism.” The meaning of student, science, and human rights in the vulgar world of the clerics of Iran cannot be more than that. The website’s directors are probably the same students that Khamenei talked of on May 22, when he said, “According to reports that I receive, student organizations and associations have in the past year or two done good work in various fields. In national affairs, and international affairs. This is a good presence. A gathering in front of some embassies is good sometimes. Of course it should be restrained, calculated, rational, and to show our moral and spiritual superiority. It is not that scaling the walls [of embassies] is good all the time. Sometimes however it is good.”
3. The MOIS’ inability to counter the MEK was on display in the state run daily Khorasan article on June 3, 2019 entitled “Publication of first document of MEK’s interference in riots of December 2017.” It quotes Khamenei on January 9, 2018, and states that the MEK are the third side of a triangle that created the uprising that they had prepared since months earlier. Then it trumpets victoriously that “We are publishing for the first time parts of a secret internal meeting of the terrorist monafeghin [pejorative for PMOI/MEK] in January 2018 in which Mehdi Abrishamchi, second in command of the group, explicitly revealing the terrorists’ role in the riots of December 2017.” The article adds, “The voice clip of this five hour confidential meeting has been published by a high ranking member of this terrorist group and parts of the transcript are published in Khorasan.” Then it goes on to report on the role of the PMOI/MEK and resistance units in protests in Kazeroun, Ahvaz, and Touysirkan based on the “highly confidential” source. It quotes Mehdi Abrishamchi emphasizing the necessity of activating 1,000 Ashraf bases meaning 1,000 resistance units and enflaming the uprising in the cities. In short, this is the unending nightmare of this regime and the MOIS.
4. Subsequent to the scandal involving the fake Twitter account of the French Consul General in Jerusalem (about which the NCRI Counterterrorism Committee issued a statement), the MOIS put out a fake tweet on behalf of a Toronto Police Official (Donald Belanger). On August 8, the Daily Beast wrote in this regard, “American intelligence officials are monitoring a social media disinformation campaign that attempted to falsely implicate the White House National Security Adviser in a global money laundering and drug trafficking operation. On Monday, a Twitter user claiming to be a high-ranking Canadian law enforcement official posted records supposedly showing a $350,000 wire transfer from a Canadian children’s apparel company to a Swiss bank account owned by National Security Adviser John Bolton’s daughter… Twitter suspended the fake Belanger account and Toronto Police Service spokesman Alex Li confirmed to The Daily Beast that it was ‘a fraudulent’ persona. The real police official the account had impersonated has never had a Twitter account. A U.S. official familiar with the apparent disinformation campaign said intelligence community officials were aware of the effort. And Lee Foster, an information operations intelligence analyst at the cybersecurity firm FireEye, told The Daily Beast that the hoax’s techniques are ‘consistent with what we’ve seen with previous pro-Iranian influence operations.’ Bolton is among the Trump administration’s most aggressive critics of the Iranian regime. The U.S. official, while not commenting on this week’s disinformation campaign specifically, said Bolton has been the target of state-sponsored influence operations designed to weaken his standing in the administration. Though Twitter quickly removed the tweet on Monday and suspended the account, it had already been picked up and covered by a handful of websites with editorial positions sympathetic to the Iranian government. News outlets such as Iran Front Page blared ‘Belanger’s’ claims that a Canadian business had supposedly transferred the funds at issue had been caught smuggling ‘a significant amount of opium” and “has close ties with the Mujahedin Khalq Organization (MKO) terrorist group.’”
5. In July 2019, the MOIS began sending messages to supporters of the Iranian Resistance by way of fake email accounts, such as [email protected], and [email protected],. Using these emails, which carry the names of well-known persons, or are similar but fake email accounts, the Iranian regime attempted to disseminate false and misleading information among Iranians and supporters of the Resistance.
6. In late July, the regime’s cyber army used a fake telegram account, @SetareganZamini, to contact several Iranians and Resistance’s sympathizers, asking them for financial support for Resistance units inside Iran.
7. Also in July, it used the name and email of a PMOI supporter Zahra Asl Rousta ([email protected]) to send a message with a pdf file that contained a series of questions, asking the recipients to respond. The pdf file carried a virus and was designed to hack and steal the data stored in the recipient computers.
8. In April and May, a person with the fake name of Arezoo, introduced herself as an official of the PMOI who was dealing with issues related to PMOI supporters. She contacted many of them to tell them that because she was busy with successive demonstrations, another individual, Homa, will replace her. The MOIS agent introducing herself as Homa would pose different questions to obtain information about the Iranian Resistance. For example she would write, “I want to know whether you know anyone in Iran who you can introduce and with whom I can speak? Let us know about anyone, anywhere, who you think could be in touch with us or give us any news or carry out even a small task. I would be very grateful.”
9. In April 2019, by using a fake email, [email protected], the regime sent a pdf file, named “a visual report on the residents of Ashraf in Albania.” The file contained a virus which would infect any computer that would click on it.
10. In April 2019, the regime’s cyber operative used a fake email account, carrying the name of a Resistance official, to send urgent messages and warn that some emails have been hacked. One such message said, “Hi, I would like to inform you that email of …. has been hacked. If he/she sends you an email, don’t click on it because it is a virus and will infect your computer and cellphone. Please let all friends know.” A short while later, he/she would send messages urging the recipients to contact a specific email. By claiming to have lost their phone numbers, he was trying to connect people to MOIS email accounts and obtain information.
11. In April 2019, a cyber-operative used [email protected] to show that the regime had infiltrated the ranks of the PMOI. To this end, he copied a text, entitled “alert number 10,” previously sent to PMOI supporters, and wrote, “The collection of these issues in recent days speaks to the presence of infiltrators among the ranks of PMOI supporters and the PMOI itself, which only adds to the need for awareness about those around us and about drawing lines and being vigilant.” The same text contained a series of false reports about regime emails or suspicious phone numbers used to contact PMOI supporters asking for donations. These were designed to gain the trust of the recipients. It goes without saying that PMOI supporters never use such methods to provide donations.
12. In another example, the regime used the telegram account of a detained person to contact his brother abroad and invite him to go to Iran. After some follow up, this individual realized that his brother had been arrested and that his telegram account had been used.
13. A regime cyber operative used the fake email account [email protected] (similar to Hambastegi Meli email account) to spread false information and slanders against the PMOI and the Resistance. The correct email account is [email protected]
14. MOIS operatives used two email accounts, [email protected] and [email protected] to send messages to Iranians and PMOI supporters. Posing as dissidents, they would ask a series of questions and then repeat some of the regime’s anti-PMOI propaganda and allegations.
15. The regime’s cyber operatives also used a fake Skype account, ISSA, similar to one used by a Resistance member, to obtain information from PMOI supporters.
16. Another tactic used by the MOIS was to send threatening messages to PMOI supporters active on telegram. One such message by “didban fazaye majazi” reads, “Dear telegram user, you have joined the telegram group nationwide uprising, which belongs to the PMOI. So far your membership appears to be out of ignorance. If you continue to be a member, it would be perceived as deliberate membership and would have legal repercussions for you.”
17. In the past few months, the regime’s intelligence agents have used the phone number 33937502075 to contact Resistance’s supporters in France and obtain their Facebook and email accounts.
18. Recently, the MOIS used an email account similar to the one used by a US journalist, and copied his picture and information, to ask for an interview with a PMOI supporter. It sent a dangerous virus to hack his computer, but failed.
The NCRI’s Committee on Security and Counterterrorism calls on all compatriots and PMOI supporters to expose the regime’s pathetic ploys and neutralize their cyber plots. It urges them to refrain from responding to suspicious and unknown emails and contacts including in Telegram, Skype, Whatsapp, etc., and share suspicious cases with the NCRI representative offices or PMOI chapters in different countries.
The National Council of Resistance of Iran
Committee on Security and Counterterrorism
August 14, 2019