Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:02):
Welcome to the One CA podcast. This is your host, Jack Gaines.
One CA is a product of the Civil Affairs Association and
brings in people who are current or former military diplomats,
development officers, and field agents to discuss their
experiences on ground with a partner nation's people and
leadership. Our goal is to inspire anyone
interested in working the last three feet of Foreign Relations.
(00:24):
To contact the show, e-mail us at ca.podcasting@gmail.com or
look us up on the Civil Affairs Association website at
www.civilaffairsassociation.org. I'll have those in the show
notes. Please welcome Max Lesser,
senior analyst on emerging threats at the Foundation for
Defense of Democracies. Today we discuss Iran's use of
(00:46):
influence, information and coercion to achieve foreign
policy goals. Right now, there's some
evolution in America's understanding of how it wants to
deal with foreign malign influence.
One of the wonderful things about working at FDD is we can
expose these operations and we can show, but there is this
constant invisible war that's taking place on our devices, on
(01:09):
our social media platforms, that is for the hearts and minds of
Americans. When we think about influence
operations, information warfare, in particular Iranian
information warfare, which is less of a discussed subject,
people tend to think about Russia and Russian
disinformation, but actually a lot of the techniques, tactics
and procedures that Iran uses against Israel, they will use
(01:33):
those exact same TTPs against American targets.
So you can almost think of the Israel-Iran conflict, almost
even like a canary in the coal mine.
And it preempts a lot of different digital threats that
we see Iran launch against Israel are threats that could
conceivably be launched against the US and U.S. government
officials and U.S. military force in the future.
(01:56):
It's a display of their actions, how they perceive information
warfare and how they apply it. Exactly.
They really understand the nexus of cyber operations and
influence operations, and there are so many different ways to
slice that pie. But you can think of cyber
operations as some sort of classic computer intrusion or
(02:17):
it's technical in nature. Influence operations are
intended to have a psychological or cognitive effect.
And like the Russians, they very deftly combined cyber operations
with influence operations to create what we call cyber
enabled influence operations. And there's this whole spectrum
of cyber enabled influence operations that we've seen Iran
(02:39):
historically leverage against a wide range of adversaries,
including the United States, Israel, Albania.
Yeah. It makes sense.
All the protests down there, I could see a lot of operatives
going in and trying to shift attitudes and behaviors.
Yep, they love to go after Albania.
But some of these different types of operations that we see
are hack and leaks, which people in the US are probably very
(03:02):
familiar with at this point. You steal sensitive data and
then you leak it on the Internet, hacking and defacing
websites, even critical infrastructure like water
facilities, which we'll get into in a moment.
Doxing, which people might not think of as a cyber enabled
influence operation, but it can be.
And in 2009, a group called the Iranian Cyber Army, which is
(03:24):
actually a hacker group that claimed allegiance to Iran's
supreme leader, hijacked Twitter's DNS records.
They didn't actually sort of compromise Twitter servers, but
they sort of messed with something called DNS, which is
like the phone book of the Internet, and they redirected
visitors to a page that said that this site has been hacked
(03:44):
by the Iranian Cyber Army. So it's a really early example
of a website defacement carried out by pro-Iranian cyber actors.
I would consider that a cyber enabled influence operation.
And that's going back well over a decade.
And then when Iranian overt media and covert media amplified
hacked Saudi diplomatic cables, and this happened in 2015, people
(04:07):
might have forgotten about this. It was referred to at the time
as Wiki Saudi leaks. And Iran's role in the actual
intrusion is unclear. There's some evidence that Iran
was involved. Russia might have been involved
in those hacks, but what was very clear was that Iran was
involved in amplifying the material both through their
(04:30):
overt and their covert media channels.
And something that we do focus a lot on FDD, we call it the axis
of aggressors and cooperation between Russia, China and Iran
across different domains, be they economic or military.
Cyber is sometimes harder to show because of the opaque
nature of this domain. But we published a short piece
(04:52):
recently on Russian efforts to recruit people from Latin
America to build Iranian drones in Russia.
And there's certainly coordination in terms of drone
production and things like that. And it's harder to prove that
level of coordination in cyberspace because it's so
murky. But that could have definitely
(05:13):
happened here. Russia lures young migrant women
from Latin America to build drones.
That's the article you're talking about.
Yep, and those are Iranian-designed drones that they're
building. So again it goes that the axis
of aggressors is very on display.
And then 2020 you have Iranian cyber actors doxing US election
(05:33):
officials. They created a website called
Enemies of the People where they were calling for violence
against election officials and sharing their personal
information. An interesting point about that
is they used a Russian infrastructure and Russian
e-mail address to obfuscate attribution and lend plausible
deniability and mask the fact that the Iranians were launching
that operation. How does Russia feel about that?
(05:56):
Probably like, hey, we get enough trouble with these guys.
I know, right? And then two last examples,
Cyber Avengers, it's an Iranian hacktivist front, in 2023.
They famously hacked US water facilities.
A lot of times when people think about hacks against critical
infrastructure, they think about disruption and things like that,
which can be intended to cause economic disruption or even
(06:17):
physical harm. But this was a critical
infrastructure attack which was a cyber enabled influence
operation, sending messages saying you have been hacked and
down with Israel and trying to spread the message on their
social media channels that any Israeli technology is going to
be a target of cyber Avengers. Right.
So they did a very calculated attack.
(06:39):
They broke into the water system, but they announced their
attack in order to, one, scare the hell out of the people who
work in that building and give the federal government notice.
Hey, we can do this if you cause trouble but.
Actually by not creating harm. It avoids getting bombed, so
it's a very smart move, very calculated and.
(07:01):
When you think about nation state cyber operations, you
think about things happening in the shadows, and what Iran loves
to do is broadcast it to the world.
Their ability to do something or how close they are to a nuclear
weapon but not actually get it. Yeah.
And also I think there's a domestic focus as well when they
do this. It's honestly shocking to see
the internal repression and the degree to which they launched
(07:21):
coordinated psychological operations and influence
operations targeting their own people.
Have you seen Iranian agents on the ground that are also
supporting cyber and influence operations?
My colleague is going to be publishing a long piece on
Iranian operations targeting Israel throughout the course of
(07:41):
the conflict with Gaza. And there you see a lot of
Iranian intelligence operatives contracting vulnerable people in
Israel, like drug addicts or homeless people, getting them to
do offline influence operations, tagging buildings and things
like that. And so, yeah, there's an offline
component of it. Or they've actually.
(08:02):
Done multi domain. With physical actors as well.
100% actually. There is a declassified ODNI
report about potential threats to the US elections last year,
and they talked about times when Iran had paid people to go to
protests in the States. So it is something that has
precedent. So who in Iran is actually
(08:24):
responsible for information warfare?
Yeah, please name the Cyber Avengers and send pictures.
Yeah, I know, right. So it's kind of murky when we
think about who in Iran is actually conducting these
operations. The first group I want to
mention, the Islamic Revolutionary Guard Corps,
parallel military force that conducts hybrid warfare on
behalf of the supreme leader of Iran.
(08:45):
And they do a lot of this type of activity, Iranian activity
that is exposed does not get attributed to a specific
organization. But when it does get attributed
to a specific organization in Iran, oftentimes they intersect
with the IRGC. It's a very complex,
multifaceted command structure. The IRGC has an intelligence
organization and then they have a sort of electronic warfare and
(09:06):
cyber defense. And then there's the Quds
Force, which a lot of people are probably familiar with.
And these different branches interact with each other in
various ways. There's actually a group called
Intelligence Group 13, which has been written about extensively
by private threat intelligence brand called DomainTools, and
they sort of facilitate and orchestrate these different
(09:26):
commands and capabilities within the IRGC to launch cyber enabled
influence operations. And you can think of Cyber
Avengers, who you just mentioned, as a hacktivist front and
it's almost like a propaganda outlet that the IRGC can use to
broadcast and externalize their cyber operations.
(09:46):
Do they use them as the form of non attribution so that ever
they do does not go back to the IRGC?
Yeah, plausible deniability is a huge element,
but the. Product delivery is pretty much
exclusive to The Avengers from the IRGC.
Or do they do direct messaging as well?
Can sort of be murky when it comes to attribution to specific
(10:07):
groups. We know that Cyber Avengers is
linked to Intelligence Group 13 according to DomainTools.
But in terms of product delivery, there are many
different ways that Iran disseminates its overt and covert
propaganda. But there's also botnets on
social media. There's also fake news websites,
FDD, we exposed the network of close to 19 Iranian covert
(10:31):
websites that were targeting countries across the world.
And then lastly, when somebody could argue that this isn't
information warfare per se, but I would consider it the Islamic
Republic of Iran Broadcasting, the IRIB, Iran's overt state
media, because I believe that their overt propaganda is also
a wing of their information warfare.
(10:52):
I'm not sure who would disagree with you on overt public
messaging as a part of information warfare, but yes, it
is. Yeah.
So I totally would consider it that.
And then also they actually play a key role in amplifying covert
operations. So you see this previously
unknown hacktivist group that has like 100 followers on
(11:13):
Telegram talking about some hack of an Israeli company and then
you see within days or sometimes hours the IRIB amplifying this.
At some point I'm going to have to get on with some folks and
talk about how attributable public facing messaging does
that because yes, they do amplify operations that they
(11:33):
want to. Signify.
But they also create content that then supports the non
attributable operations. Yeah, this is a perfect shift,
Jack, what you just mentioned, because what we saw during the
12 Day war where a lot of Iranians with maybe loose
affiliation or historical affiliation to the Iranian
(11:54):
government or maybe no apparent affiliation to the Iranian
government contribute to information warfare efforts.
We saw apparent civilians leverage their own skills and
assets to launch wartime psyops. We saw notable tactics including
crowdsourcing participants, everyday civilians conduct
covert campaigns on social media.
(12:15):
And we also saw Iranian domestic propaganda, which was intended
to influence Iranians, spread into the global information
ecosystem. It's not just the Iranian
government conducting information warfare, and
moreover, the boundaries in cyberspace don't exist, so even
if Iran does something that is targeting its own people, it can
(12:37):
bleed out and actually gain significant traction in the
Western English speaking social media environment.
Americans not aligned to the government can also respond and.
Then it becomes. More of a skirmish between
populations versus armies versus armies.
So it drags everybody, the civilian and the military, into
the battle. Yep.
(12:58):
And to your point, NAFO, it's sort of like an organic
grassroots social media effort in support of Ukraine.
This is a domain in which the conflict is not purely between
military organizations or intelligence organizations, it's
also between civilians. So we came across an Iranian
(13:18):
psychological operation that we at FDD exposed on June 20th.
We call it the CAR Online Network, which I know sounds
like a silly name, but that actually is a very important
point about this. What this operation involved was
a Telegram channel called Car Online that historically
published about financial and economic topics.
(13:40):
It had a huge following, over 400,000 followers and after the
12 day war started it shifted and it explicitly instructed its
followers to participate in what it was expressly calling a
psychological operation. So what we saw, it's crowdsourcing
civilians, they pose as Israelis.
You can sort of think of it as almost like a command and
(14:02):
control Telegram channel. They gave lists of Hebrew names
and non Hebrew names to use to impersonate Israelis.
They gave lists of threatening phrases, demoralizing phrases,
things like I'm saying this as a Zionist, I'm screwed.
And you know, I just heard my children scream tired, God save
us, things like that in Persian. And then they instructed them
(14:25):
how to translate it. They instructed them how to use
ChatGPT specifically. There was a video where they
were showing you how to use ChatGPT and they were cautioning
the participants. Guys, you need to paraphrase
this. Don't copy and paste directly
because then you're going to get detected by the automated
platforms. So I did a whole lesson and
guidebook on how to become an operator.
(14:48):
Yep. It was fascinating.
And I have to give credit. I have wonderful interns.
And one of the things I asked them to do is doom scroll on
social media, which a lot of them love to do also because you
know, they're from that generation where that's probably
what they're doing anyways. And one of my wonderful interns
came across this. What was remarkable, when we
look deeper, we saw what they were doing behind the scenes.
(15:08):
So once you crack the code, you're able to track it.
We scraped thousands of accounts.
There's going to be a forthcoming report that takes a
lot of this information and refines it and consolidates it.
And we're still doing our analysis.
But yeah, there are tons of accounts participating in this
and they had the same names and then they would share similar
content. And there was actually a
(15:29):
distinctive hashtag string which we used to identify this
operation. Even if the content of the
messages would change, they would oftentimes use the same
hashtag string. And then Car Online also had a
Twitter account where it was resharing posts from participants
in the operation. That's a nice proofing.
So you can go, oh look, they're all sharing the things they're
doing. You can play track their
(15:49):
account. So it sounds like they mostly
try to go with the Iranian diaspora.
So for this specific operation, I think it was primarily trying
to recruit Iranians, maybe members of the diaspora.
But there was another network that we discovered across Axe,
Instagram, Tiktok, Telegram and YouTube.
So it's a cross-platform operation spanning many
(16:11):
different platforms. It was called Iran Hayel.
We were able to trace it back to an Iranian national who had
historical ties to HispanTV. We actually found this man's
resume on a Telegram channel. It was just shared on a Telegram
channel and he worked for a Spanish-language news channel
that's run by the IRIB. And this was just a less
(16:33):
interesting activity. But it was a Hebrew language
network that was publishing threatening messages to Israelis
and things like that, amplifying disinformation coming from
Iranian state news and things like that.
And it just provides another example.
If we think about the sort of threat actor typology here, we see
that the first case is sort of unknown, Car Online, it's unclear
(16:56):
who exactly was operating that. This one is somebody who appears
to no longer be working directly for the Iranian government.
He operates a sort of commercial video creation platform, but he
has that historical affiliation with the IRIB and actually isn't
relevant to our current conversation.
But we identified a man who created a website that was
(17:16):
seeking to crowd fund a bounty for Trump's assassination, and
we exposed that man and everything.
And he also had historical ties to the IRIB.
So this isn't uncommon where we see Iranian nationals who have
historical ties to the IRIB engaging in some sort of
patriotic or ideological work, perhaps at the direction of the
Iranian government. It's unclear.
But again, it sort of shows again that decentralized nature
(17:39):
of online activity. The.
Call for assassination? Was that more of Luke, or did it
seem like an actual serious attempt?
I don't know. I mean, did he actually raise
money? Did he have intent to show
capability in the crowdsourcing? Was it more than just a splash?
It's sort of hard to say. That operation happened after
(18:02):
the 12 Day War, but it was clearly in response to the 12
Day War. He wasn't showing money, he
wasn't showing weapons. He wasn't saying I'm right next
to the White House. He wasn't doing.
Anything like that? Yeah.
So the interesting thing about that operation was he claimed to
have raised $40 million. It was sort of sad to see that
some people were pledging their jewelry.
(18:23):
Somebody shared the deed of their farm.
People were pledging different things.
It was somewhat of a crude and childish operation.
He created a video game where you could assassinate Netanyahu
or Trump. I mean, there could be somebody
crazy enough out there, even in America who sees something like
that and decides to act upon it. So it was a serious threat and
we reported it to law enforcement and things like
(18:44):
that. But when we think about that man
who created that website and then after we exposed him, he
admitted to creating that website and he also said some very kind
things about me. Oh, I bet he.
Did I know right? But he had historical ties to
IRIB, too. And he said we found one of his
profiles, and he claimed in his own SMA that he had worked there
(19:05):
as well. So again, you're seeing
sometimes where these sort of ideologically oriented
activities in the information environment are carried out by
people who may or may not work for the Iranian government.
They do have historical ties. So maybe we go into some summary
comments. What I would say is this, I
think Americans should be mindful we've come to understand
(19:28):
that the oceans on either side of our country do not protect us
from cyber attacks. I mean, look at the compromise
of the Colonial Pipeline that was American critical
infrastructure disrupted by a cyber threat actor that led to
serious consequences for our country.
What I think sometimes Americans have a hard time understanding
(19:51):
is that that same dynamic is also carried out in what you
might call the information ecosystem, whatever you want to
call it. And it's more than just trying
to shape the outcomes of elections.
There's a lot of focus in the US on election interference and
foreign influence. But there are many other threats
that can be carried out in Iran in particular, has been very
(20:13):
audacious. Let's look at what happened
during the 12 Day War. I mean, you had crowd sourced
influence operations. You had SMS campaigns trying to
get people to leave shelters. You had what appears to be
everyday Iranians participating in information warfare.
You had Iranian domestic propaganda bleeding out into the
(20:36):
global information environment. There was actually a paper by a
Substack called UDA Shift, and they talked about how this is
sort of the ungoverned battle space.
And I think that's a great thought to close with because it
is the ungoverned battle space. And I don't know if it's ever
possible for it to be governed. But what I hope we learn, it can
(20:57):
very much be warfare. They can be meant to intimidate,
harass, even cause physical harm, destruction.
We think about CAR online calling for people to motivate
Yemenis to strike Saudi Aramco. Was that effective?
No. But it could be operations like
that could be in the future. So it's much more than just
(21:19):
about election interference. There are all these other
potential consequences. And yeah, I think information
warfare is certainly something that the United States should
take seriously. And our oceans, unfortunately,
do not protect us from these sorts of attacks.
Thanks for listening. If you get a chance, please like
and subscribe and rate the show on your favorite podcast
platform. Also, if you're interested in
(21:40):
coming on the show or hosting an episode, e-mail us at
ca.podcasting@gmail.com. I'll have the e-mail and CA
Association website in the show notes.
And now, most importantly, to those currently out in the
field, working with a partner nation's people or leadership to
forward US relations, thank you all for what you're doing.
This is Jack, your host. Stay tuned for more great
(22:03):
episodes. One CA podcast.