pwshub.com

Multiple Iran groups step up US election influence efforts

Microsoft says Iran's efforts to influence the November US presidential election have gathered pace recently and there are signs that point toward its intent to incite violence against key figures.

"Over the past several months, we have seen the emergence of significant influence activity by Iranian actors," Microsoft said. "Iranian cyber-enabled influence operations have been a consistent feature of at least the last three US election cycles." 

The Windows maker added: "Iran's operations have been notable and distinguishable from Russian campaigns for appearing later in the election season and employing cyberattacks more geared toward election conduct than swaying voters. Recent activity suggests the Iranian regime – along with the Kremlin – may be equally engaged in election 2024."

Multiple state-sponsored groups and those whose affiliations are unknown are thought to be involved, each with their own objectives and methods. The group Microsoft tracks as Sefid Flood, for example, has been laying the groundwork for influence operations since March 2024.

Microsoft didn't go into detail about what this staging activity entailed, but Sefid Flood is known for impersonating social and political activist groups with a view to undermining trust in officials and election systems themselves.

It's perhaps why the US has been so adamant recently that its elections are safer than they've ever been. CISA director Jen Easterly spoke on the topic at Black Hat this week, saying the infrastructure is sound, but influence operations, namely from Russia, are a concern due to their improving sophistication.

Sefid Flood may look to use its impersonations as a means to "stoke chaos", Microsoft said, and its operations "may go as far as intimidation, doxxing, or violent incitement targeting political figures or social/political groups."

On the state-sponsored side of things, Mint Sandstorm and Peach Sandstorm are both run by Iranian intelligence, the Islamic Revolutionary Guard Corps (IRGC). As recently as June 2024, Mint Sandstorm was caught trying to spear-phish a presidential campaign official using a former senior advisor's account the group compromised. The email contained a link that could have allowed the IRGC to intercept the official's traffic.

Just days before, on June 13, Mint Sandstorm also tried – and failed – to access the account of a former presidential candidate. While there's no definitive proof this activity was election-related, the timing of it being so close to the targeting of the aforementioned official suggests it might be.

The group is also known for targeting political figures for reasons other than elections – it has been doing so for years – so no firm conclusions can be drawn officially.

A month earlier in May, its IRGC cousin, Peach Sandstorm, embarked on a wide password spraying mission that helped it gain access to a user account at a county-level government in a US swing state. It didn't actually do a great deal with that access so it may not have been election-related and instead more of a dumb-luck result, but Microsoft noted the county, located in a known swing state, had recently experienced a "race-related controversy" that made national news. 

The description is too broad and racism too rife in the US to even draw any kind of conclusions here – it could have been in one of multiple possible states as many fit that description.

Fake news

Fake news was part of Russia's recent attempts to influence the Paris Olympics, and Iran has also been observed setting up phony news outlets in an apparent attempt to engage voters on each side of the political divide.

One site has been online and active since 2022, "covering" the US mid-terms. EvenPolitics publishes around 10 articles a week and is run by Storm-2035, which also has various other sites set up to influence audiences in Arabic, English, French, and Spanish languages. Microsoft names groups "Storm-X" when they're under active development.

Nio Thinker was created in October 2023 to cover the Israel-Hamas conflict, but recently shifted to target left-leaning US voters with sarcastic, anti-Trump tirades. It does have some real zingers to be fair, calling the Republican candidate/felon an "opioid-pilled elephant in the MAGA china shop" and a "raving mad litigiosaur."

Savannah Time, on the other hand, seeks out conservative audiences with pieces on Republican politics and topics such as gender-based issues.

"Microsoft Threat Analysis Center has not observed significant social media amplification of these sites as of yet, though it is possible they will begin closer to election day," the report [PDF] reads.

The frequency with which the sites are updated suggests that the pro-Iran actors are dedicating a decent amount of resources to the endeavor, although AI is helping them out a smidge.

"Examination of webpage source code and indicators in the articles themselves suggest the sites' operators are likely using SEO plugins and other generative AI-based tools to create article titles, keywords, and to automatically rephrase stolen content in a way that drives search engine traffic to their sites while obfuscating the content's original source," Microsoft said.

Source: theregister.com
