Google banned 58 Iranian-based accounts suspected in a 'politically motivated phishing' operation
Account IPs led back to Iran's propaganda outlet IRIBBy Cal Jeffrey
Why it matters: Seemingly following Facebook and Twitter's lead, Google has purged several accounts with links to Iran on its various platforms. However, the search giant says that this is just the latest in a series of deletions that has been going on for at least a year.
Following hot on the heels of Facebook's banning of 652 accounts and Twitter's 284 yesterday, Google announced today that it has removed 58 accounts from YouTube, Blogger, and Google+. It says that all of the records were tied to Iran and that they seemed to be running "state-sponsored misinformation campaigns." Of the 58 deleted accounts, 39 were English-speaking YouTube channels, 13 were Google+ profiles, and six were Blogger pages.
According to Google's Vice President of Global Affairs Kent Walker, the nixed accounts appeared to be engaged in "politically motivated phishing." They also all appeared to be connected to the Islamic Republic of Iran Broadcasting (IRIB), a state-owned media monopoly that acts as Iran's propaganda arm. Ownership was determined through analysis of IP addresses connected to the accounts, which all led back to IRIB.
Google, Facebook, and others are concerned that the IRIB and other foreign interests are using their platforms as a way to spread disinformation and influence US elections. According to Walker, this interference by IRIB began as early as January 2017.
We can't go into all the technical details without giving away information that would be helpful to others seeking to abuse our platforms, but we have observed the following:
- Technical data associated with these actors is strongly linked to the official IRIB IP address space.
- Domain ownership information about these actors is strongly linked to IRIB account information.
- Account metadata and subscriber information associated with these actors is strongly linked to the corresponding information associated with the IRIB, indicating common ownership and control.
These facts, taken together with other technical signals and analysis, indicate that this effort was carried out as part of the overall operations of the IRIB organization, since at least January 2017. This finding is consistent with internet activity we've warned about in recent years from Iran.
The company says that their investigations into these matters are not limited to the IRIB and are ongoing. It points to another recent purge of accounts associated with the Internet Research Agency (IRA), also known as Glavset.
The IRA is a Russian-based, state-sponsored disinformation outlet operating out of Saint Petersburg. Since last year, Google has removed 42 YouTube channels and one blog that were linked to Glavset. It began deleting this accounts last year.
"We continue to actively monitor our systems, take prompt action, share intelligence, and remain vigilant about these and other threats," Walker said in closing.