TL;DR – Part I: The largest known foreign disinformation network targeting India. Iranian in origin, possibly operated via a front in Pakistan. May have physical presence in India. Garnered hundreds of thousands of social media impressions. Legitimised by the top leaders of mainstream political parties in the opposition.
Edit, December 3rd, 2018: My opinion piece for The Tribune, briefly mentioning this investigation of the Iranian disinformation network targeting India. These articles are my regular outreach and appeal to the public.
Edit, February 15th, 2019: Read the Part II: Ayatollah Khomeini’s ‘soft war’ hits the Indian hinterland. I attribute the influence operation to an arm of the Iranian state and flag a few persons of interest.
TL;DR – Part II: In Part II, I will arrive at certain definitive conclusions on the actors’ intent as well as directly attribute parts of the operation to a soft war/propaganda arm of the Iranian government. This is not an attempt at domestic sabotage but a desperate bid to propagate a counter-narrative — as Iran feels suffocated by the Western media’s discourse, portraying it in a uni-dimensional way.
In August this year, FireEye reported an influence operation, purportedly of Iranian origin (but with a perplexing Russian operational signature), that leveraged a network of inauthentic news websites and social media accounts. In a coordinated move prior to the disclosure, Facebook, Twitter and Google took down hundreds of fake news accounts and pages linked to it.
In October, Twitter also released a downloadable archive of nine million tweets traceable to the same operators, in support of independent research into election integrity.
Further digging by open source intelligence (OSINT) analysts and journalists revealed that the scope of the influence operation extended to many geographies, including India. Its local impact and reach, however, were assessed to be minimal.
After a fresh assessment of the case, I have reasons to strongly dispute that claim. Not only was the campaign highly successful in engaging and polarising the Indian polity, but it also displayed a sophisticated understanding of behavioural science.
By exploiting the growing sense of alienation among the Indian minorities and weaponising the left-liberal discourse, the threat actors built a propaganda machine that cut across party and ideological lines. It engaged top political leaders and possibly hundreds of thousands of Indian users in the process.
It could very well be the most systematic attempt at foreign interference in India, meeting the thresholds of cyber-enabled information warfare. If left unchecked, such subversive networks could sway a decisive chunk of the populace in the 2019 general elections.
Facing extreme isolation due to sanctions and a hostile media narrative, Iran may be justifying the use of such propaganda machinery to further its own interests. It could, in fact, be the only medium via which Iran exercises its soft-power across its sphere of influence in Eurasia.
On 21st August, 2018, FireEye released a dossier (PDF) on “a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests.” The disinformation campaign endorsed “anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as support for specific U.S. policies favourable to Iran.”
The manager of FireEye's information operations team said that the team stumbled upon the network via "a single social media account or a small set of accounts."
The half-dozen or so websites named in the dossier were chained together by repeating patterns: the same email address used to register several domains, or domains hosted on a small set of recycled IP addresses (the latter probably for frugality).
Such operational security (OPSEC) mistakes like code or infrastructure reuse — bound to happen when the adversarial actors operate at scale or speed — have time and again worked to the defenders’ advantage in exposing elaborate cyber offensive toolchains.
On 17th October, Twitter released two massive archives related to the suspected information operations conducted via its platform in a bid to “enable independent academic research and investigation” — one which was a dataset of 9 million tweets attributed to the Iranian actors.
On 22nd August, Josh Russell — an “Indianapolis dad who hunts Russian trolls” — initiated an intriguing Twitter thread. He discovered that the social news aggregator Reddit.com had escaped the scrutiny of cyber sleuths.
Trolls linked to the Iranian operation were very active there and some methodical Reddit users had flagged many of the suspicious websites way back in March. It seemed that the aggregator silently clamped down on what was, in Russell’s words, “a huge influence operation.”
Russell’s findings lingered in my Evernote since then — as I, too, was overwhelmed by my baby boy, born two months premature.
But the Reddit users had apparently clubbed the Iranian domains with the ones belonging to the Internet Research Agency — the notorious Russian troll factory which influenced the 2016 US presidential elections. It wasn’t an oversight, as Russell later found out. In fact, there was indeed an operational overlap in the tradecraft of the Russian and Iranian actors, a mystery that remains unsolved.
Like any malicious network, the operators had hosted the inauthentic websites on virtual private servers (VPS), rented virtual machines each with its own IP address, purchased from cloud/hosting providers. The Iranians seem to have preferred the same companies that were also the mainstay of the Russian IRA, e.g. Hetzner Online GmbH; there was even overlap in specific VPS instances that were used by both the Russian and Iranian setups.
Using the same techniques of pinning down the reuse of infrastructure and other such indicators, Russell unravelled an even larger network of domains and accounts than what FireEye had shared in its report.
In a second thread initiated on 26th August, Russell compiled three Excel sheets: a matrix of Iranian sites clubbed together by the IP addresses they reused/shared, the results of his investigation sorted by domain name, and a detailed list of new Iranian social media accounts linked to the said domains.
The 70-odd portals divulged a 'planet-scale' disinformation effort that was unprecedented: spanning many nationalities, ethnicities, languages, geographies and topical contexts squarely lying in Iran's sphere of influence, i.e. Eurasia. It even targeted very narrow sectarian interests with dedicated portals disseminating crafted news in Dari, Kurdish and Russian.
The analysts at FireEye believed that most of the websites were registered in and around 2014 but were only put to use in 2016. And according to Russell, the site hindkhabar.com, propagating content in Hindi, topped them all in terms of size and scale. My investigation began there.
I am not the first to focus on the domestic angle. News agency Reuters and journalist Aria Thaker should be given the credit for narrowing down on some India-related accounts and posts.
The 4100 tweets from 17 handles indicate that “the content got very few retweets, likes, and replies,” wrote Thaker on 2nd November. But she also cautioned that the “Iranian influence campaigns have already shown great capacity for improvement in their operations.”
It is also the point of departure from where I differ with Thaker’s analysis. Au contraire, I believe that the Iranians were already running a well-oiled propaganda machine in Hindi, possibly garnering hundreds of thousands of impressions — a fact that seems to have escaped her attention. One of the plausible reasons could be that she used social media metrics as the initial benchmark rather than the portals which are the raw dissemination engines.
To investigate a nexus so expansive, OSINT experts like Russell often rely on cloud-based automation and scripting to undertake data scraping, correlation, analysis and visualisation. Most people nowadays prefer to go wide than deep, but some experts like him develop the uncanny ability to do both. I am no data scientist, so I relied on my instincts as a threat intelligence analyst developed during my time with the government.
Vocabulary matters a lot in information operations, so the foreign readers must know that “HindKhabar” is a sort of portmanteau of “Hind,” a Persian word for the region now known as the Indian subcontinent, and “Khabar,” another Persian word for news. Since the subcontinent was a part of the Mughal empire for 235 years — whose rulers had a mixed Central Asian, Persian and Indian heritage — its peoples are accustomed to the lexicon.
The registrant email address in the domain's whois record is made of two suggestive words, "Yuva" and "Soch"; taken together they roughly mean the outlook/thoughts of the youth, a demography which the operation may be micro-targeting.
Hindkhabar.in (note the variation in top-level domains, .IN and .COM, across this post) was active since 2016 but was likely abandoned by its operators in 2018.
As per RiskIQ's PassiveTotal, a passive DNS intelligence platform (a historical record of which domain names resolved to which IP addresses, and when, kept alongside whois history), the whois entry of the domain was last updated on 27th October, 2018, to remove the email address. It was possibly an evasive step after the nexus got widely exposed. Whois is the registration record supplied by the party registering the domain; it is public unless redacted by the registrar or a privacy service, so editing it after the fact still leaves a visible trace in the record's history.
Hindkhabar.in was a well-oiled propaganda machine having a total of 35 subdomains (e.g. elastic.hindkhabar.in) — hinting at a complex framework to consume, process, alter and regurgitate large amounts of third-party news.
At its peak, it spouted around 18,000-20,000 fake news artefacts, a figure derived from its clone hindkhabar.com that is still live.
Another personal identifier associated with the said domain is an individual named Arhaan Naqvi (a likely pseudonym) with the email address [email protected]. The gentleman has numerous accounts with the handle 'menaqvi'.
The posts on the website are very nuanced, amplifying certain messages meant to capture the attention of two broad formations: alienated Muslim youth who are politically disengaged from the right-wing party in power; and oppositional voices catering to different ideologies and interest groups but stymied by the decisive mandate won by the incumbent Bharatiya Janata Party (BJP).
It must be noted that Muslims account for 14.2% of the country's population; the last census, in 2011, put their numbers at 172 million. And the BJP formed India's first single-party majority government in almost 30 years. So, the ideological battle-lines are distinctly drawn and exploitable. The website peddled soft-Islamism and left-liberal agendas.
Now comes my point of departure from the previously done analyses. I think it was inherently misleading to assess the engagement of the network and the social media accounts associated with it merely on the basis of retweets, likes or replies.
There were three other Indian-sounding websites in the Russo-Iranian nexus — namely, bollywoodnonstop.com, investmoneyinindia.com and samachartoday.com — but none could boast of the reach which hindkhabar.in had.
Cyber threat intelligence analysts are more accustomed to studying offensive toolchains as a whole than their individual components. Hindkhabar.in, too, was a mere cog in the dissemination wheel, but a substantial one at that.
Firstly, it amplified messages by circulating them via certain Facebook pages with similar names and massive followings. Many of the posts from hindkhabar.in were shared on "I am With Barkha Dutt" having 697,519 likes, "I am With Kanhaiya Kumar" having 437,175 likes, and "I am with Ravish Kumar" with a whopping 1,506,243 likes. The content on these pages seems to have gained a lot of traction among unsuspecting Muslim youth.
Barkha Dutt and Ravish Kumar are veteran journalists known for their strong anti-establishment views. Kanhaiya Kumar is a firebrand student leader from the Jawaharlal Nehru University — widely thought to be the crucible of leftist politics in India.
These three pages alone were enough to orchestrate the legitimisation of content from hindkhabar.in, after which the inherent virality of social media perpetuated its sharing over numerous other accounts, like "With Congress" (982,066 likes), "Aam Aadmi Party Rajasthan" (367,199 likes), "बुरा न मानो मोदी है" (65,564 likes), and "I am with Kapil Sharma" (145,712 likes).
That's not all. Possibly emanating from the filter bubbles on WhatsApp and other messaging platforms, hindkhabar.in's posts were fully mainstreamed over Twitter, too.
They were shared by Hardik Patel (a popular community leader from Gujarat with half-a-million followers), Digvijay Singh (a member of parliament, former chief minister of Madhya Pradesh and general secretary of the All India Congress Committee), Dr. Misa Bharti (a member of parliament), Tejashwi Yadav (leader of the opposition in Bihar and its former deputy chief minister), MK Venu (founding editor of TheWire.in), Vaibhav (chief spokesperson of the Aam Aadmi Party in Uttar Pradesh), Sudhir Bhardwaj (founder and national council member of the Aam Aadmi Party), Rachit Seth (from the communications cell of the Indian National Congress) and many other verified Twitter profiles across the political spectrum. All of this was happening while the official social media accounts of hindkhabar.in got little traction at all.
We are just entering the rabbit-hole. Now, let’s look at the infrastructural aspects of the operation, giving us a glimpse of the larger framework it’s tied to.
In May 2016, domain name hindkhabar.in pointed to two IP addresses whose reverse-DNS lookup resolved to sv44.pakistanwebserver.com and sv101-sach.pakistanwebserver.com. Apparently, the two IP addresses were owned by Pakistan Web Server, a reseller based in the garrison town of Rawalpindi.
Pay attention to this: the first IP address to which hindkhabar.in pointed, from 9th January, 2016 to 29th May, 2016, was 188.8.131.52. Thereafter, this IP address, most probably a VPS, also hosted sachtimes.com, hindkhabar.org and analysis.pk, before hindkhabar.in pointed to it again.
Sachtimes.com claims to be an Islamabad-based “News Website in four languages focusing on subcontinent i.e. India, Pakistan, Bangladesh, Nepal, Bhutan, Barma. Exclusive Reports, Articles, Stories….(sic)”.
All of these domains exhibited tell-tale signs of being big propaganda outlets.
Analysis.pk, too, became defunct like hindkhabar.in — my suspicion is that the threat actor was wary of the fact that regional top-level domains like .IN and .PK were prone to counterintelligence.
On two occasions in 2015, the DNS servers of sachtimes.com and pakistanwebserver.com also acted as the authoritative name servers for hindkhabar.com (the currently active clone of hindkhabar.in). Shared authoritative name servers at a small reseller are a strong indicator that all of these websites were administered by, or at the very least hosted through, a single entity related to Pakistan Web Server.
The story gets even more interesting. Sachtimes.com has two Twitter accounts, @SachTimes and @sachtimesen. On the former, a gentleman by the name of Murtaza Abbas (his Facebook profile has been disabled since I wrote this piece) has made a few posts.
Abbas is incidentally the owner of hosting reseller Pakistan Web Server which I mentioned earlier. But in the past, he was also associated with a charitable organisation called the Al-Basirah Trust.
Saqib Akber, the founder of the Al-Basirah Trust, professes certain affinity towards the post-Revolution Iranian regime of the ayatollahs.
Edit, 30th November, 2018: Akber’s pro-Palestinian, anti-Zionist views also find a mention at iuvmpress.com — dubbed as the “Iranian messaging laundromat” by The Atlantic Council — and many other news clippings of the Islamic Republic News Agency.
Both Iran and Pakistan are Islamic republics. The former is Shi'ite and the latter primarily Sunni, with a strong Shi'ite sectarian undercurrent encouraged by sympathetic political parties.
And Abbas’s company Pakistan Web Server hosts not only the website of Al-Basirah but of the Iranian embassy in Pakistan as well (apart from the propaganda websites which were parked there).
Al-Basirah is most certainly a cut-out or a front of the Iranian state and Pakistan Web Server its online accessory. The likelihood of direct Pakistani involvement can't be established, but it must be mentioned that this Iranian actor also runs (or has run) similar disinformation sites targeting Pakistan.
IT companies as fronts of state security agencies is a trend that has been observed from the times of the Russian Business Network.
Via the shared infrastructure and other overlapping use of identifiers, one could easily link this South Asia-centric network to the larger grid of 80 or so websites detailed by Josh Russell. So potent is its scale and reach that some of the crafted news has even been incorporated by Wikipedia (like this link referring to sachtimes.com). And I have not even accounted for the websites targeting other geographies.
To strengthen the attribution, it must be mentioned that, immediately after registration, sachtimes.com and hindkhabar.com pointed to the DNS servers of an Iranian hosting agency called atenahost.ir — a common OPSEC mistake.
Many of the other interlinked websites carried billing or registration records pointing directly to Iranian individuals or companies: e.g. the domains niazemarkazi.com and niazearak.com pointed to Faraso Samaneh Pasargad Ltd in Tehran.
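The pivots used throughout this section (Russell's matrix of sites grouped by reused IP addresses, the succession of tenants on the single VPS at 188.8.131.52, the shared authoritative name servers, and the reused registrant details) are all one technique: treat every indicator as an edge between domains and walk the graph. The Python below is an added example written for this page; it is not code from the original investigation, from Josh Russell, or from any vendor tool. It runs on constructed passive-DNS/whois observations that use documentation-reserved names and addresses (RFC 2606 / RFC 5737), not the article's real indicators. The `max_fanout` threshold is the check a practitioner wants before claiming a "network": a busy shared-hosting address, a registrar's parking name servers, or a privacy-proxy e-mail would otherwise glue unrelated sites into one cluster.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Observation:
    """One passive-DNS or whois-history record: domain -> indicator plus the window it was seen."""
    domain: str
    kind: str        # "A" resolved address, "NS" authoritative name server, "EMAIL" whois registrant
    value: str
    first_seen: date
    last_seen: date


# Constructed sample data (documentation-reserved names/addresses, NOT the article's indicators).
# Shape only mirrors the text: one VPS hosting a succession of sites, a shared name server,
# a registrant e-mail reused across domains, and a crowded shared-hosting IP that must not link strangers.
SAMPLE: List[Observation] = [
    Observation("news-a.example", "A", "192.0.2.10", date(2016, 1, 9), date(2016, 5, 29)),
    Observation("news-b.example", "A", "192.0.2.10", date(2016, 6, 1), date(2016, 9, 30)),
    Observation("news-c.example", "A", "192.0.2.10", date(2016, 7, 15), date(2016, 12, 31)),
    Observation("news-a.example", "A", "192.0.2.10", date(2017, 1, 2), date(2018, 3, 1)),
    Observation("news-b.example", "NS", "ns1.host-x.example", date(2015, 3, 1), date(2015, 8, 1)),
    Observation("news-d.example", "NS", "ns1.host-x.example", date(2015, 2, 1), date(2016, 1, 1)),
    Observation("news-d.example", "EMAIL", "ops@mail.example", date(2014, 6, 1), date(2018, 10, 27)),
    Observation("news-e.example", "EMAIL", "ops@mail.example", date(2014, 6, 1), date(2018, 10, 27)),
    Observation("shop-1.example", "A", "198.51.100.5", date(2016, 1, 1), date(2018, 1, 1)),
    Observation("shop-2.example", "A", "198.51.100.5", date(2016, 1, 1), date(2018, 1, 1)),
    Observation("news-e.example", "A", "198.51.100.5", date(2016, 1, 1), date(2018, 1, 1)),
    Observation("blog-9.example", "A", "198.51.100.5", date(2016, 1, 1), date(2018, 1, 1)),
]

Pivot = Tuple[str, str]  # (kind, value)


def pivot_index(obs: Iterable[Observation]) -> Dict[Pivot, Set[str]]:
    """Map every (kind, value) indicator to the domains observed with it."""
    idx: Dict[Pivot, Set[str]] = defaultdict(set)
    for o in obs:
        idx[(o.kind, o.value)].add(o.domain)
    return dict(idx)


def usable_pivots(obs: Iterable[Observation], max_fanout: int) -> Dict[Pivot, Set[str]]:
    """Drop indicators shared by more than max_fanout domains (shared hosting, parking NS, privacy e-mails)."""
    return {p: ds for p, ds in pivot_index(obs).items() if len(ds) <= max_fanout}


def cluster_domains(obs: List[Observation], max_fanout: int = 3) -> List[List[str]]:
    """Connected components of the domain graph; an edge is a shared usable indicator (union-find)."""
    parent: Dict[str, str] = {o.domain: o.domain for o in obs}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for domains in usable_pivots(obs, max_fanout).values():
        first, *rest = sorted(domains)
        for d in rest:
            ra, rb = find(first), find(d)
            if ra != rb:
                parent[rb] = ra
    groups: Dict[str, List[str]] = defaultdict(list)
    for d in parent:
        groups[find(d)].append(d)
    return sorted(sorted(g) for g in groups.values())


def link_path(obs: List[Observation], src: str, dst: str,
              max_fanout: int = 3) -> Optional[List[Tuple[str, str, str, str]]]:
    """Shortest chain (from_domain, kind, value, to_domain) tying src to dst: the evidence trail
    to write up for an attribution. None when no usable indicator connects them."""
    idx = usable_pivots(obs, max_fanout)
    by_domain: Dict[str, List[Pivot]] = defaultdict(list)
    for p, ds in idx.items():
        for d in ds:
            by_domain[d].append(p)
    prev: Dict[str, Optional[Tuple[str, Pivot]]] = {src: None}
    queue = deque([src])
    while queue:
        d = queue.popleft()
        if d == dst:
            break
        for p in sorted(by_domain[d]):          # sorted for deterministic paths
            for n in sorted(idx[p]):
                if n not in prev:
                    prev[n] = (d, p)
                    queue.append(n)
    if dst not in prev:
        return None
    path, cur = [], dst
    while prev[cur] is not None:
        d, (kind, value) = prev[cur]
        path.append((d, kind, value, cur))
        cur = d
    return path[::-1]


def ip_timeline(obs: Iterable[Observation], ip: str) -> List[Tuple[date, date, str]]:
    """Who sat on one address and when: the succession (or overlap) of tenants on a single VPS."""
    return sorted((o.first_seen, o.last_seen, o.domain) for o in obs if o.kind == "A" and o.value == ip)


if __name__ == "__main__":
    for group in cluster_domains(SAMPLE):
        print("cluster:", ", ".join(group))
    for hop in link_path(SAMPLE, "news-a.example", "news-e.example") or []:
        print("  %s --[%s %s]--> %s" % hop)
    for first, last, domain in ip_timeline(SAMPLE, "192.0.2.10"):
        print("  192.0.2.10 %s..%s %s" % (first, last, domain))
```

With the default `max_fanout=3` the five `news-*` domains form one cluster while the three unrelated tenants of the crowded 198.51.100.5 stay apart; raise the threshold to 10 and everything collapses into a single "network", which is exactly the false positive a reseller's shared infrastructure invites. Real input would be the A-record and name-server history exported from a passive DNS platform plus whois history, loaded into the same `Observation` shape.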
During the investigation, I stumbled upon some other worrisome aspects as well.
It seems as if hindkhabar.in had a physical presence in India. I was actually able to locate and have a telephone conversation with an individual who claimed to have been employed by the said "media organisation" in the past.
Upon probing further, the individual told me that he was referred to the "company" by someone known to him and only contributed content to the portal for a few months. When I subtly mentioned that the website might be peddling fake news, he confidently answered that they were merely reusing content from other mainstream news portals. I didn't enquire much as I was not sure what I was getting into. He may have unwittingly contributed to the operation, so I am withholding his identity for the time being. Possibly via suspicious outfits or social organisations (using the Al-Basirah template), the threat actor may have recruited unsuspecting but sympathetic contributors.
Conclusion & Recommendations
In August, while reviewing the book of Deputy National Security Advisor Dr. Arvind Gupta, I wrote:
If there's anything that makes you a more (or less) lucrative target than others, it's geopolitics. The political vocabulary you use becomes the technical grammar of your adversary's cyber operations. And it isn't just the vocabulary you expend for foreign affairs or other outwardly matters that gets exploited, but even the inward-looking stances on domestic politics.
It seems that my ominous prophecy turned out to be true too soon, too abruptly.
I am 99.99% sure that India’s cyber defence apparatus is unprepared to handle disinformation at this scale. I don’t think that we have a doctrinal view or strategy as to how information warfare or information operations are to be dealt with. So, the intent of the operation — whether it should be deemed as a crime, espionage or a serious violation of our sovereignty — may remain underivable. As a result, proportional response — an essential qualitative and quantitative marker for military operations — would remain ambiguous, too, thus discouraging counter-action.
On one hand, intelligence agencies like the NTRO don’t have the interdisciplinary insight (across cyber intelligence, Internet-wide OSINT, geopolitics, deception, psychology and linguistics, etc.) that information operations entail; on the other, unified commands like the Defence Cyber Agency are so new that they may not have operational structures in place and can’t emulate the recent manoeuvres of the US Cyber Command.
If the matter is relegated to a central investigative agency as some criminal activity, then it may remain stuck in the red tape of ‘letter rogatory’ forever as most of the websites are beyond our jurisdiction.
The only decisive option and deterrent here is the swift neutralisation of the command-and-control via cyber offensive operations – a ‘defend forward‘ cyber strategy that the US has adopted against the Russian actors. Its escalatory risks would be minimal and not affect our relationship with Iran.
Disinformation has to be dealt with impartially and apolitically else the situation may worsen even more, leading to domestic collateral damage.
Selective actions against such actors may conveniently obscure the fact that most fake news outlets peddling right-wing propaganda are linked to domestic fringe elements. While websites like AltNews.in have done a commendable job busting them, the government has to acknowledge the national security risk which the weaponisation of polarising/communal politics in cyberspace now poses. The Rubicon got crossed a while back and we haven't even approached the election year.
Part II of this article: Ayatollah Khomeini’s ‘soft war’ hits the Indian hinterland. I attribute the influence operation to an arm of the Iranian state and flag a few persons of interest.
Edit, 2nd December, 2018: