WASHINGTON – Facebook, Twitter and Alphabet have identified and removed hundreds of “inauthentic” accounts and profiles originating in Iran, several of which conducted “traditional cybersecurity attacks” on subjects in the United States, Britain, Latin America and the Middle East, the social media giants said on Tuesday.

In a statement Facebook said it had removed “652 pages, groups and accounts for coordinated inauthentic behavior that originated in Iran and targeted people across multiple internet services.”

“We are able to link this network to Iranian state media through publicly available website registration information, as well as the use of related IP addresses and Facebook Pages sharing the same admins,” the organization said, identifying several mislabeled accounts traced back to Press TV, Iran’s state-run news channel. “Since there are US sanctions involving Iran, we’ve also briefed the US Treasury and State Departments.”

Twitter, which called the effort “coordinated manipulation,” said it removed 284 accounts.

The accounts spent about $12,000 to advertise through Facebook and Instagram using a variety of currencies, Facebook said. The company said it had notified the US Treasury and State departments of the purchases, which may violate sanctions.

The same investigation – which was prompted by a tip from a separate cybersecurity firm, FireEye – identified additional Russian accounts taking part in a disinformation campaign to sow discord in the US.

Facebook said the Russia-linked accounts it removed were engaged in “inauthentic behavior” related to politics in Syria and Ukraine. It said that activity did not appear to be linked to the Iranian campaign.

Microsoft said this week that hackers linked to the Russian government sought to steal email login credentials from US politicians and think tanks, allegations the Russian foreign ministry described as a “witch-hunt.”

FireEye said in a statement that Iran’s activity did not appear specifically targeted toward the 2018 midterm elections. But it characterized Iran’s influence campaign as a sophisticated operation using new forms of media as “a means of shaping political discourse.”

FireEye expressed “moderate confidence” about the Iranian origins, but said it has not been able to tie the accounts back to a specific organization or individuals.

Hundreds of thousands of people followed one or more of the Facebook pages implicated in the campaign, Facebook said.

It shared examples of removed posts, including a cartoon depicting an Israeli soldier executing a Palestinian and a fake movie poster showing US President Trump embracing North Korean leader Kim Jong Un.

“Broadly speaking, the intent behind this activity appears to be to promote Iranian political interests, including anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as to promote support for specific US policies favorable to Iran, such as the US-Iran nuclear deal (JCPOA),” the cybersecurity firm said. “In the context of the US-focused activity, this also includes significant anti-Trump messaging and the alignment of social media personas with an American liberal identity.”

The accounts used a combination of different hashtags to engage in US culture, including “#lockhimup,” “#impeachtrump” and “#notmypresident.”

Facebook CEO Mark Zuckerberg said the accounts identified on his company’s platform were part of two separate campaigns, the first from Iran with some ties to state-owned media, the second linked to sources which Washington has previously named as Russian military intelligence services.

In Israel this week, US National Security Advisor John Bolton warned that Iran, Russia, China and North Korea were all trying to influence the 2018 midterm elections through cyber campaigns.

The United States earlier this year indicted 13 Russians for alleged attempts to meddle in US politics.

Reuters contributed to this report.