OCR of the Document

View the Document >>

Unheard Voice: Evaluating five years of pro-Western covert influence operations

UNHEARD VOICE Evaluating five years of pro-Western covert influence operations August 24 2022 Contents Contents 1 Executive Summary 2 2 Methodology Overview 2 1 Audience 2 2 Major Groupings 2 3 Posting Patterns 3 4 5 7 3 Central Asia 3 1 Overview 3 2 TTPs 3 3 Narratives 10 10 11 20 4 Iran 4 1 Overview 4 2 TTPs 4 3 Narratives 26 26 27 32 5 Afghanistan 5 1 Overview 5 2 TTPs 5 3 Narratives 38 38 39 40 6 Middle East 6 1 Overview 6 2 TTPs 6 3 Narratives 44 44 44 47 1 1 Executive Summary In July and August 2022 Twitter and Meta removed two overlapping sets of accounts for violating their platforms’ terms of service Twitter said the accounts fell foul of its policies on “platform manipulation and spam ” while Meta said the assets on its platforms engaged in “coordinated inauthentic behavior ” After taking down the assets both platforms provided portions of the activity to Graphika and the Stanford Internet Observatory SIO for further analysis Our joint investigation found an interconnected web of accounts on Twitter Facebook Instagram and five other social media platforms that used deceptive tactics to promote pro-Western narratives in the Middle East and Central Asia The platforms’ datasets appear to cover a series of covert campaigns over a period of almost five years rather than one homogeneous operation These campaigns consistently advanced narratives promoting the interests of the United States and its allies while opposing countries including Russia China and Iran The accounts heavily criticized Russia in particular for the deaths of innocent civilians and other atrocities its soldiers committed in pursuit of the Kremlin’s “imperial ambitions” following its invasion of Ukraine in February this year To promote this and other narratives the accounts sometimes shared news articles from U S government-funded media outlets such as Voice of America and Radio Free Europe and links to websites sponsored by the U S military A portion of the activity also promoted anti-extremism messaging As with previous disclosures Twitter and Meta did not share the technical details of their investigations Additionally neither company has publicly attributed the activity to any entity or organization Twitter listed the activity’s “presumptive countries of origin” as the U S and Great Britain while Meta said the “country of origin” was the U S The findings in this report are based on our own open-source investigation and analysis of the two datasets shared by the platforms The Twitter dataset provided to Graphika and SIO covered 299 566 tweets by 146 accounts between March 2012 and February 2022 1 These accounts divide into two behaviorally distinct activity sets The first was linked to an overt U S government messaging campaign called the Trans-Regional Web Initiative which has been extensively documented in academic studies media reports and federal contracting records The second comprises a series of covert campaigns of unclear origin These covert campaigns were also represented in the Meta dataset of 39 Facebook profiles 16 pages two groups and 26 Instagram accounts active from 2017 to July 2022 For this report we focused our analysis on the exclusively covert activity to better understand how different actors use inauthentic practices to conduct online influence operations IO We did note however some low-level open-source connections between the overt and covert activity in the combined Twitter and 1 On Aug 23 shortly before the publication of this report Twitter increased the size of its dataset to include an additional 24 accounts and 103 385 tweets The updated disclosure statement said the activity took place between March 2012 and August 2022 2 Meta data These consisted of limited cases of content sharing and one Twitter account that posed as an individual in Iraq but has previously claimed to operate on behalf of the U S military Without supporting technical indicators we are unable to assess further the nature of the relationship between the two activity sets We believe this activity represents the most extensive case of covert pro-Western IO on social media to be reviewed and analyzed by open-source researchers to date With few exceptions the study of modern IO has overwhelmingly focused on activity linked to authoritarian regimes in countries such as Russia China and Iran with recent growth in research on the integral role played by private entities This report illustrates the wider range of actors engaged in active operations to influence online audiences At the same time Twitter and Meta’s data reveals the limited range of tactics IO actors employ the covert campaigns detailed in this report are notable for how similar they are to previous operations we have studied The assets identified by Twitter and Meta created fake personas with GAN-generated faces posed as independent media outlets leveraged memes and short-form videos attempted to start hashtag campaigns and launched online petitions all tactics observed in past operations by other actors Importantly the data also shows the limitations of using inauthentic tactics to generate engagement and build influence online The vast majority of posts and tweets we reviewed received no more than a handful of likes or retweets and only 19% of the covert assets we identified had more than 1 000 followers The average tweet received 0 49 likes and 0 02 retweets Tellingly the two mostfollowed assets in the data provided by Twitter were overt accounts that publicly declared a connection to the U S military This report is non-exhaustive and benefited from previous studies by the academic and open-source research communities We hope our findings can contribute to a better-informed understanding of online influence operations the types of actors that conduct them and the limitations of relying on inauthentic tactics 2 Methodology Overview The decision to focus on the exclusively covert activity represented in two datasets drawn from separate takedowns by Twitter and Meta posed certain methodological challenges Accordingly we employed the following practices to build a subset of assets for further analysis • Firstly we conducted a qualitative review of content samples metadata and the profile information associated with each account to determine if an asset should be classified as overt or covert We conducted additional open-source investigation to determine asset classifications when required • We then built a social media network map of the covert Twitter accounts’ 3 2 1 Audience followers This helped us understand the collective audience these assets built and each asset’s relative influence and community The resulting network map revealed three major groups reflecting specific regions and nations including Iran Arabic-speaking Middle East and Afghanistan • We used these network groupings as a foundation to review further the covert Twitter and Meta assets and assign labels corresponding to their audience This included a qualitative review of asset behavior such as the fake personas they employed online and a quantitative content analysis of the assets’ most-used hashtags key terms and web domains • This second review resulted in four labeled asset groups each of which appeared to encompass a contained campaign targeting audiences in one country or geographic region The activity sets related to Central Asia Iran and Afghanistan were each distinct enough to merit their own labels We combined four less distinct Arabic-language clusters related to Iraq Syria Lebanon and Yemen as one group labeled “Middle East ” • Finally we analyzed the assets in each group individually and collectively to identify the tactics techniques and procedures TTPs they employed to conduct their campaigns and the narratives they promoted 2 1 Audience The below network map Figure 1 on the following page shows the communities in which these covert Twitter assets achieved a degree of influence thus providing a picture of the international audiences that engaged with the campaigns The major groupings in the map reflect three nations and regions Iran Afghanistan and an Arabic-speaking Middle East group comprising Iraqi and Saudi subgroups some of which contain a few accounts associated with Syria Kuwait and Yemen In addition to these major groupings there were smaller community clusters in the network containing mixed international accounts focused loosely on a variety of international figures and organizations We also encountered an unclustered set of accounts with insufficient data for categorization Although we identified a Central Asia-focused campaign based on a review of the assets’ activity the map lacks a Central Asia community The community’s absence is likely due to the reportedly limited use of Twitter in Central Asian countries including Kazakhstan Uzbekistan Kyrgyzstan and Tajikistan where Facebook Instagram WhatsApp and Telegram are considerably more popular Accordingly Twitter assets in the Central Asia group generated significantly less engagement than their counterparts on Facebook and Instagram For each of the covert Twitter accounts we identified we calculated its “follower footprint” in each community cluster defined as the proportion of accounts in the community cluster that followed it There was a typical long-tail distribution in the follower footprints with a few influential accounts followed by a descending list of accounts with progressively fewer followers The distribution also featured a large set of assets about 20% of all the suspended covert Twitter assets with 4 2 2 Major Groupings no followers evident among the map’s communities Accounts with a significant follower footprint showed a clear association with a specific national or regional group in the map 2 2 Major Groupings Figure 1 Community network map of covert Twitter asset followers Color represents major community groupings Distance reflects network proximity with accounts appearing close to those they follow and that follow them The method used to construct the network map is designed to reveal the communities in which the covert assets were embedded We found 60 798 active Twitter accounts that followed at least one of the covert takedown assets on Twitter and collected follower and following data for each of these We used an iterative method to find the accounts among these best connected to each other in strong communities yielding a map of 13 946 densely interconnected accounts These were clustered based on network relationships into 49 individual community clusters then further categorized into seven map groupings based on the strength of their relationships with each other and an analyst review of language interests and behavioral characteristics Five of these map groupings combine further into two analytic parts Iran with three groupings and Middle East Arabic with two groupings The major parts of the network include 5 2 2 Major Groupings Table 1 Breakdown of the Twitter-based Network Map by Group Group Name Iran IRN PRO-REGIME IRN ANTI-REGIME IRN OTHER M-EAST Arabic IRQ SAU Afghanistan INT Unclustered Total Count Proportion 6335 2429 2415 1491 2867 2155 712 1482 401 2861 13946 45 4% 17 4% 17 3% 10 7% 20 6% 15 5% 5 1% 10 6% 2 9% 20 5% • Iran Three of the groupings together comprising nearly half of the map 45 4% are centered on Iran The largest of these groups contains twelve clusters of politically focused accounts strongly supportive of the Iranian government Another group of roughly equal size contains nine clusters of politically focused accounts strongly opposed to the government A third group contains seven clusters comprising mostly personal accounts with nondescript characteristics but also accounts focused on writing and other cultural topics This third group is generally critical of the Iranian regime to the extent that the accounts discuss politics • Arabic-speaking Middle East Two of the groupings comprising 20 6% of the map each contain Arabic-language communities associated with a specific country Iraq and Saudi Arabia The Iraq group 15 5% of the map contains ten clusters of accounts variously focused on personal life social activism government and opposition politics The Saudi group 5 1% of the map contains four clusters of accounts These clusters focused mainly on personal life and entertainment media but one also followed political and government leaders • Afghanistan This grouping 10 6% of the map contains six clusters five of which centered on Afghanistan and focused on personal life government and researchers scholars One of the clusters centered on Pakistan and focused on Pashtun politics • International This grouping 2 9% of the map contains two clusters The first is made up of loosely connected mainly personal accounts from across the MENA region Accounts in this cluster follow a number of accounts that are now suspended or no longer exist The second cluster comprises better-connected accounts that follow a range of international media and social influencers and are associated with a range of international locations • Unclustered A set of accounts 20 5% of the map that could not be 6 2 3 Posting Patterns clustered because of insufficient data 2 3 Posting Patterns After assigning each of the covert assets a label we were able to visualize activity and posting patterns for each group This provided an overview of each campaign and the set as a whole Figure 2 is based on data provided by Twitter and Meta and shows posting volumes for each group over time Tweets are represented in light blue Facebook page posts in dark blue and Instagram posts in purple The scale of the y-axis varies by group There are three key takeaways visible in the data • The small Afghanistan group was the longest-running campaign represented in the data While most accounts in this group became active in 2019 one account began tweeting in October 2017 The most recent Facebook and Instagram activity ran until July this year • Activity in the Afghanistan group peaked during periods of strategic importance for the U S including the months prior to and following the signing of the Agreement for Bringing Peace to Afghanistan U S –Taliban Deal in February 2020 and the months leading up to the completed U S departure from Afghanistan in August 2021 • The Central Asia group was the most active campaign with posting tweeting volumes peaking at almost 200 a day in the months leading up to and immediately after Russia’s invasion of Ukraine in February this year Figure 2 Posting volume by group Tweets are represented in light blue Facebook page posts in dark blue and Instagram posts in purple 7 2 3 Posting Patterns The following graphics show daily posting times for each group based on the data provided by Twitter and Meta Interestingly the assets in each group typically peaked in activity during the same period in any given 24 hours usually between 1200 and 1800 GMT Figure 3 Posting times for assets in Afghanistan group top left Central Asia group top right Iran group bottom left and Middle East group bottom right All times are shown in GMT 8 2 3 Posting Patterns Three of the groups also showed clear signs of automated or highly coordinated posting activity According to data provided by Twitter and Meta assets in the Afghanistan and Central Asia groups typically posted at roughly 15-minute or 30-minute intervals in any given hour Furthermore accounts in the Afghanistan Central Asia and Middle East groups almost exclusively posted in the first second of any given minute Figure 4 Radar charts showing posts by minute in any given hour for assets in the Afghanistan group left and Central Asia group right Figure 5 Radar charts showing posts by second in any given minute for assets in the Central Asia group left and Middle East group right 9 3 3 1 Central Asia Overview The Central Asia group consisted of 12 Twitter accounts 10 Facebook pages 15 Facebook profiles and 10 Instagram accounts We also found connected activity on Telegram YouTube and Russian social media platforms VKontakte VK and Odnoklassniki All the accounts were created between June 2020 and March 2022 As with other groups we analyzed the assets have been suspended on Facebook Twitter and Instagram and largely suspended on YouTube However accounts in the Central Asia group remain active on Telegram VK and Odnoklassniki Ten assets in the group posed as media outlets focused on Central Asia The operation’s segment on Odnoklassniki involved using almost certainly inauthentic personas to spread content to Central Asian Odnoklassniki groups Figure 6 The Faktograf Фактограф page on Odnoklassniki The operation targeted Russian-speaking Central Asian audiences and focused on praising American aid to Central Asia and criticizing Russia particularly its foreign policy Two assets concentrated on China and the treatment of Chinese Muslim minorities particularly the Uighurs in Xinjiang province The assets also frequently shared content about growing cooperation between Central Asian countries Content was almost exclusively in Russian except for a small number of tweets written in Central Asian languages such as Kazakh and Kyrgyz The Central Asia group gained little traction on social media Facebook posts often had fewer than 10 likes and only 10 posts gained more than 1 000 reactions However two of the sham media outlets in the group produced two viral videos that received hundreds of thousands of views on Facebook Figure 7 on the following page The first video was about Kyrgyzstan’s reported ban on Russian war symbols and the second was a non-political TV news excerpt about an Uzbek farmer growing fruits in the desert 10 3 2 TTPs Figure 7 The Central Asia group posted to Facebook two videos that went viral One discussed a man forced to take down from his car in Kyrgyzstan a sign in support of the Russian armed forces left and the other was about an Uzbek farmer growing apricots and watermelons in the desert right 3 2 3 2 1 TTPs Fake News Fake Faces Fake Followers The Central Asia-focused campaign first created assets on Instagram Telegram Twitter and Odnoklassniki in 2020 before later setting up accounts on Facebook and VK in 2021 According to domain registration records a website for the sham media outlet Intergazeta was created in March 2021 Assets still active on Odnoklassniki and VK provide insights into how this crossplatform campaign operated Fake personas created by the actors were typically linked to one of 10 sham media outlets which posed as independent news entities covering events in Central Asia These fake personas posed as individuals living in Europe and Central Asia were listed as administrators for the sham media outlets and posted content from the campaign to different social media groups On Odnoklassniki for example the personas regularly posted to groups including Fighters of Kyrgyzstan БОЙЦЫ КЫРГЫЗСТАНА and Central Asia News Новости Central Asia On Facebook a page for the sham media outlet Vostochnaya Pravda claimed to focus on debunking myths and sharing “absolute facts” about Central Asia Figure 8 on the next page Vostochnaya Pravda and other assets in the campaign typically posted long text blocks about local news events and geopolitics alongside an illustrative picture Like all posts by the covert Central Asia assets this content received close to zero engagement Facebook transparency data also showed the location for the administrators of four of the pages to be France despite Meta saying the network originated in the U S Some of the “news” pages such as Stengazeta used engagement-building 11 3 2 TTPs Figure 8 Vostochnaya Pravda’s profile on Odnoklassniki shows that the page registered itself as an “internet media” outlet on the platform top On Facebook Vostochnaya Pravda claimed to be a page debunking misinformation and sharing “absolute” facts about Central and West Asia bottom techniques including openly calling for interactions from their readers on what they had just read We witnessed similar behavior from the only active Facebook profile posting original content Attempts to grow a follower base were evident on Twitter where the assets repeatedly tweeted at real users including pro-Ukraine and pro-Russia accounts such as the self-proclaimed Ministry of Foreign Affairs of the Donetsk People’s Republic @MID_DNR We believe the Facebook pages in the group likely acquired followers inauthentically in an attempt to look like real and organic entities possibly by purchasing fake followers According to CrowdTangle data the pages quickly gained up to several thousand followers in their first few weeks Subsequently the pages experienced net losses in followers between June and August 2021 possibly as Facebook deleted the accounts of their fake followers Figure 9 on the following page The pages’ likes experienced the same phenomenon At least one of the group’s personas featured a doctored profile picture using a photo of Puerto Rican actor Valeria Menendez Figure 10 on the next page We suspect that at least two other fake users in the group used similar techniques but we could not identify the original photos Additionally at least one cross-platform persona used a picture stolen from a dating website and others often displayed pictures of Paris and its monuments echoing the pages’ listed administrator locations At least one asset on Odnoklassniki also had its location set to Paris 12 3 2 Figure 9 Total number of followers over time for the Central Asia group’s Facebook pages from 2021-2022 Data from CrowdTangle a public insights tool owned and operated by Meta Figure 10 One persona in the Central Asia campaign used a doctored picture left of actor Valeria Menendez right as its profile picture The asset that used this image was listed as the contact for Intergazeta’s VK page 13 TTPs 3 2 3 2 2 TTPs Lost in Translation The sham media outlet Intergazeta repeatedly copied news material with and without credit from reputable Western and pro-Western sources in Russian such as Meduza io and the BBC Russian Service The sham outlet often made minor changes to the copied texts in a likely effort to pass them off as original content Intergazeta also produced articles in Russian compiled from sections of different English-language sources Typically these sections were literal “word-to-word” translations into Russian as opposed to more-advanced semantic translations resulting in non-native sounding language In one case the outlet posted a Russian-language article about Russian disinformation in China that was almost certainly translated from the English-language version of a Ukrainian article published nine days earlier Intergazeta was not the only asset to translate content from English sources Facebook pages in the group sometimes posted Russian translations of press releases from the websites of the U S embassies in Central Asia These posts focused on U S financial and material support to Central Asian countries The posts also copied or translated content from U S -funded entities such as Radio Free Europe Radio Liberty and the independent Kazakh news outlet informburo kz Figure 11 Left an archived English translation of a Ukrainian-language article from Texty org ua Highlighted in yellow segments rephrased by Intergazeta In red segments removed by Intergazeta Right the translation into Russian by Intergazeta Highlighted in green additions from Intergazeta 14 3 2 3 2 3 TTPs Coordination and Copycat Content Assets in the Central Asia group showed clear and repeated signs of coordinated behavior they posted simultaneously used the same images and recycled content over time across accounts At times accounts in the group appear to have made an effort to mask this coordination For example when sharing identical content assets would leave periods of hours or days between posts The same images were also shared with slightly modified captions or headlines Figure 12 At least half of the assets interspersed their posts with content promoting the cultures and natural beauty of Central Asia possibly in an attempt to appear authentic and obscure their politically motivated activity Figure 12 Three assets in the group coordinated posting over three days in December 2021 However the coordination was especially clear when assets in the group posted about U S -related news or used translated content from official American sources such as U S embassies in Central Asia In one example the Vostochnaya Pravda Facebook page posted a word-for-word Russian translation of an Englishlanguage news bulletin from the U S embassy in Tajikistan Figure 13 on the next page The post included a link to a Radio Liberty article on the topic an excerpt of which was then shared by multiple other assets in the group The assets also sourced content from media outlets linked to the U S military particularly Caravanserai central asia-news com This outlet is one of three that previously operated as Central News Online centralasiaonline com which named the U S Central Command as its sponsor and before 2016 was part of the U S government’s Trans-Regional Web Initiative mentioned at the beginning of this report Multiple Facebook pages in the campaign shared screenshots from central asia- 15 3 2 TTPs news com and the Linktree of sham media outlet Stengazeta directed visitors exclusively to the website except for one link to an Avaaz petition demanding the Kazakh government ban Russian TV channels Figure 14 on the following page Figure 13 Left Vostochnaya Pravda posted a Russian translation of an Englishlanguage press release from the U S embassy in Tajikistan to its Facebook page alongside a link to a Radio Liberty article Right Other assets in the group subsequently shared the same excerpt of the article to Facebook and other platforms 16 3 2 Figure 14 The Linktree of Stengazeta led exclusively to central asianews com URLs except for one petition that demanded Kazakhstan ban Russian TV channels 17 TTPs 3 2 3 2 4 TTPs #Batches_of_Hashtags Around half of the assets posing as media entities such as Stengazeta and Fakt Tobe used batches of hashtags under their posts likely in an attempt to reach broader audiences The hashtags often corresponded to the names of Central Asian countries in Russian and other languages such as #казахстан Kazakhstan in Russian #қазақстан Kazakhstan in Kazakh and #qazaqstan romanized version of қазақстан Assets repeatedly used hashtags related to the topics of their social media posts but also generic Russian-language hashtags such as #интересно interesting Occasionally the promoted hashtags were unrelated to the topic of the post This was especially true for cultural content which sometimes featured unrelated hashtags about the war in Ukraine Table 2 The below table lists the top hashtags from the Central Asia group’s Twitter accounts While many referred to regional geopolitics some like “Old pictures ” promoted Central Asian culture Hashtag Translation центральнаяазия centralasia узбекистан Кыргызстан нетвойне кыргызстан казахстан путешествия сирия страны ukrainawar старыефото россия Узбекистан китай Central Asia Uzbekistan Kyrgyzstan No to war Kyrgyzstan Kazakhstan Travel Syria Countries Old Pictures Russia Uzbekistan China Count 118 101 91 61 60 59 52 46 45 44 43 42 39 37 37 At least four of the sham media outlets also made apparent attempts to launch hashtag campaigns related to the war in Ukraine For example posts about the Russian invasion of Ukraine from Puls Vostoka featured the hashtag #ЦАзаУкраину Central Asia for Ukraine Stengazeta promoted #СегодняУкраинаЗавтраЦA Today Ukraine tomorrow Central Asia and Shestigrannik promoted #украинаЦАстобой Ukraine Central Asia is with you Figure 15 on the next page Audience analysis suggests none of these hashtag campaigns gained significant traction with authentic users 3 2 5 Petitions The assets pushed at least four petitions on Facebook Twitter and Instagram One called for Kazakhstan to leave the Collective Security Treaty Organization 18 3 2 TTPs Figure 15 Posts from Facebook pages Puls Vostoka left and Stengazeta right used the hashtags #ЦАзаУкраину Central Asia for Ukraine and #СегодняУкраинаЗавтраЦA Today Ukraine Tomorrow Central Asia CSTO and the Eurasian Economic Union EEU A second demanded that Kyrgyzstan curb Chinese influence in the country The last two called on the Kazakh government to ban Russian TV channels Three of these petitions were launched on the U S non-profit petition platform Avaaz and one was posted on the Kazakh website Alash Four separate articles from Radio Liberty’s Kazakh website Azzatyq shared one of the petitions While we could not determine whether the operation created the petitions CrowdTangle data shows that assets were often the first to share the links on Facebook Figure 16 Figure 16 CrowdTangle shows the assets were the first to share petitions calling for the Kazakh government to ban Russian TV channels 19 3 3 3 3 Narratives Narratives The Central Asia group focused on a range of topics U S diplomatic and humanitarian efforts in the region Russia’s alleged malign influence Russian military interventions in the Middle East and Africa and Chinese “imperialism” and treatment of Muslim minorities Starting in February this year assets that previously posted about Russian military activities in the Middle East and Africa pivoted towards the war in Ukraine presenting the conflict as a threat to people in Central Asia 3 3 1 America Our Best Ally Assets in the group heavily promoted narratives supportive of the U S on Facebook Instagram Twitter YouTube and Telegram These posts primarily focused on U S support for Central Asian countries and their people presenting Washington as a reliable economic partner that would curb the region’s dependence on Russia Other posts argued that the U S was the main guarantor of Central Asia’s sovereignty against Russia frequently citing the war in Ukraine as evidence of the Kremlin’s “imperial” ambitions Interestingly the assets also promoted U S humanitarian efforts mentioning the United States Agency for International Development 94 times on Twitter and 384 times on Facebook in the respective datasets Figure 17 Posts about the U S helping Tajikistan secure its border with Afghanistan left and presenting the U S as the main guarantor of Central Asia’s stability and sovereignty right 20 3 3 3 3 2 Narratives Russia Looms Large Assets in the group consistently portrayed Russia as a threat to Central Asian countries A recurring narrative claimed that Russia is abusing Russian-Central Asian partnerships namely the CSTO and to a lesser extent the Commonwealth of Independent States CIS to extract one-sided benefits Figure 18 Posts frequently described the CSTO as a hazardous tool that Russia could use to circumvent Western sanctions and drag Central Asian countries into its war against Ukraine The assets also said Central Asian countries must leave these organizations if they wish to retake their full sovereignty from Russia As an alternative the assets advocated for creating exclusively Central Asian partnerships Accounts in the group celebrated steps taken by Central Asian governments to move away from Russia such as Kazakh President KassymJomart Tokayev’s decision to withdraw from the CIS agreement on the Interstate Monetary Committee or efforts to reinforce local languages and cultural identities Figure 18 Left A post about Russia’s imperialism in Central Asia Right A post about Russia possibly calling CSTO troops to Russian-occupied regions in Ukraine under the premise of peacekeeping Other posts criticized Russia’s use of propaganda to spread anti-West and proRussia narratives in Central Asia depicting Russia as a nefarious actor working to undermine independent democracies In January 2022 for example the accounts covered mass protests that followed a sudden increase in fuel prices in Kazakhstan but mainly through the lens of debunking Russian allegations of “foreign interference ” Some of the group’s media outlets also claimed that Russia sent Wagner Group mercenaries to seize Almaty airport and that Russia was using claims of foreign interference as a pretext to send Russian troops as CSTO peacekeepers to occupy Kazakhstan 21 3 3 Narratives The assets also highlighted the repression and abuse of Central Asian migrants in Russia Several posts covered the pressured sometimes forced enrollment of Central Asian migrants into the Russian army in exchange for promises of Russian citizenship This narrative overlapped with posts about the high casualty rate for ethnic minorities fighting for Russia in Ukraine Figure 19 Posts about Russia using ethnic minorities to fight in Ukraine left and the conscription of Central Asian migrants into the Russian military right 3 3 3 Imperial Russia — Wars Alliances Anti-Russia narratives advanced by the campaign frequently cited Russia’s “imperialist wars” in Ukraine the Middle East and Africa The most recent focus of the group was on Ukraine but assets previously posted about the activities of military contractors working for Russia’s Wagner Group in Africa and Moscow’s military intervention in Syria Ukraine War The assets posted about Russia’s invasion of Ukraine through the lens of what it would mean for people in Central Asia These posts often warned of Russia’s imperialist ambitions toward the former Soviet states and said the invasion of Ukraine showed what the Kremlin was capable of doing to its neighboring countries Other posts outlined the direct impact of the war on Central Asian countries such as food shortages and said all Central Asian nations should reconsider their relations with Russia in light of its illegal invasion Figure 20 on the following page More broadly assets in the group uniformly supported Ukraine which they said 22 3 3 Narratives was a country trying to free itself from Russia’s influence Shortly after the invasion began in February accounts promoted pro-Ukrainian protests in Central Asian countries Later posts reported on evidence of atrocities committed by Russian troops and Russia’s block on Ukrainian grain exports Figure 20 Posts warned that Russia’s invasion of Ukraine had triggered a food crisis in Central Asia left and presented its war in Ukraine as an unwillingness to give up its Soviet-era dominion over its neighbors right Russia in Africa and the Middle East Before Russia invaded Ukraine assets in the group frequently discussed Russian actions in Africa and the Middle East The pages criticized Russian businessman Yevgeny Prigozhin in particular for his role in orchestrating state-backed covert influence operations and deploying Russian military contractors to countries including Syria Mali and the Central African Republic Figure 21 on the next page Notably the Central Asia group mentioned “Вагнер” Wagner 193 times on Twitter and 312 times on Facebook The Central Asia group also criticized Russia’s relationship with the Taliban after the Taliban regained power in Afghanistan in 2021 For example the Shestigrannik Facebook page repeatedly accused Russia and China of ignoring the Taliban’s ethnic cleansing of Afghan minorities and mistreatment of women Figure 22 on the following page Many of the group’s sham media outlets attacked Russia for disregarding the threat that the Taliban and Islamist terrorism represent to Central Asia especially Tajikistan According to several assets Russia did not criticize the Taliban in the hope of gaining access to Afghanistan’s natural resources and has encouraged violence in the region by increasing the sale of weapons to Central Asia 23 3 3 Narratives Figure 21 The group posted content about murders linked to the Wagner Group in the Central African Republic left and Wagner Group losses in Ukraine right Figure 22 Posts about the threat the Taliban poses to Tajikistan left and the Taliban’s treatment of women right 24 3 3 Narratives Syria and the Syrian war Before the war in Ukraine many pages focused on Russia’s military actions in Syria Assets denounced the Russian government’s support of Syrian President Bashar al-Assad and Russian airstrikes that have killed and injured thousands of civilians in Syria since 2015 Figure 23 Facebook and Instagram accounts also noted that Russia impeded humanitarian aid deliveries to Syrians by blocking decisions at the U N and promoted the work of U S humanitarian aid and support programs for Syrian refugees The topic was one of the most covered across the group as assets mentioned “Сирия” Syria over 600 times on Twitter and over 1 500 times on Facebook Lastly the assets posted about Russian propaganda related to the war in Syria and analyzed the techniques used by Russian media to “twist narratives” around the war At the same time the group shared content celebrating U S successes in its fight against the Islamic State group and al-Qaeda in the Middle East especially in Syria Figure 23 Posts praising the international coalition in Syria in its fight against the Islamic State left and covering Russia’s bombing of civilians in Syria right 3 3 4 Caution China A small cluster of assets within the Central Asia group focused almost exclusively on China These accounts—a fake persona and sham media outlet—mainly focused on the genocide of Uighurs and Muslim minorities in “re-education” camps in Xinjiang Posts described alleged organ trafficking forced labor sexual crimes against Muslim women and suspicious disappearances of ethnic Muslims in Xinjiang The assets also posted about the Chinese Communist Party’s CCP 25 poor treatment of women in the country and often framed these stories around news about domestic violence Other assets in the group also posted about China but asserted that Chinese authoritarianism and financial imperialism threatened Central Asia and other regions of the world The assets frequently referred to China’s cooperation with Russia especially on military issues and said Beijing should be held responsible for Russia’s invasion of Ukraine because the CCP had secretly supplied the Kremlin with weapons The group rebuked China for buying stolen Ukrainian grain from Russia and predicted that Moscow’s invasion of Ukraine would precipitate a Chinese invasion of Taiwan Figure 24 Posts about alleged organ harvesting of Muslims in Xinjiang left and blaming China for being the main sponsor of Russia’s war against Ukraine right 4 4 1 Iran Overview This section discusses the 21 Twitter accounts two Facebook pages five Facebook profiles and six Instagram accounts that formed the covert campaign focused on Iranian audiences These assets had names in Persian and those that posted content mainly did so in Persian and about Iran The Twitter accounts posted primarily from November 2020 through March 2022 and the Facebook pages and Instagram accounts posted primarily from May 2021 through June 2022 There were no visible posts for the Facebook profiles Several of the Twitter accounts were tied to the Facebook and Instagram accounts 26 4 2 TTPs For example they shared similar usernames However the Twitter accounts exhibited a wider range of activity and narratives that did not appear in the data shared by Meta including content promoting hardliner narratives that advocated for anti-reformist and hawkish policies in Iran We additionally found linked activity on YouTube Balatarin and Telegram The accounts in this cluster frequently claimed to be Iranians and often Iranian women Accounts listed professions such as “teacher” and “political analyst ” There were also two front media outlets that claimed to provide independent news 4 2 TTPs Accounts in the Iran group employed many of the same IO tactics we saw from the other groups though with a few innovations These assets included accounts claiming to be independent media outlets shared U S -funded Persian-language media had a low-engagement cross-platform presence and showed low-effort spammy follow-back activity 4 2 1 Mock Media Multiple Platforms Several suspended accounts were linked to two sham media outlets operating in Persian Fahim News tagline “Accurate news and information” and the more developed Dariche News which claimed to be an independent media outlet The about page of Dariche News’ website says it is “an independent website and unaffiliated with any group or organization ” It goes on to claim to have a commitment to providing “uncensored and unbiased news ” While some Dariche News content appeared to be original to the outlet many of their articles were explicit reposts from U S -funded Persian-language media including Radio Free Europe Radio Liberty’s Radio Farda and VOA Farsi Figure 25 on the following page The Fahim News accounts similarly shared content from these outlets along with content from Iran International a media outlet based in the U K that allegedly has financial links to Saudi Arabia Many of the fake personas in the network also shared Iran International content The suspended media outlet accounts showed links to other social media accounts on Telegram YouTube and Balatarin The Telegram and YouTube channels had few followers Like other parts of this group the sham media outlets’ YouTube channels created many short-form videos Profiles on Balatarin a Persian link-sharing platform frequently linked to stories from Persian-language U S -funded media While these sham media outlets had few followers we found an interesting instance of Russian state media outlet Sputnik embedding an Instagram post from Dariche News into one of their articles Dariche News and Fahim News were not unique in having Telegram channels with very few subscribers We identified four additional Telegram channels linked to the Iran cluster that had 1 4 48 and 57 subscribers 27 4 2 Figure 25 Top An article on Dariche News suggested that Iran was behind an August 2022 drone attack near a U S -led coalition base in Syria The article was reposted from Radio Farda Bottom The end of the article says “main article” and links to the original Radio Farda article 28 TTPs 4 2 Figure 26 The now-suspended YouTube channels for Dariche News and Fahim News top left and top right and the Telegram channels for Dariche News and Fahim News bottom left and bottom right Figure 27 An Aug 18 2022 Fahim News post on Balatarin said that social media is the only way Iranians can access the free world and is the main enemy of the Iranian regime’s propaganda “Therefore the regime uses all of its efforts to censor and filter the internet ” Assets in the Central Asia group similarly criticized Russian information control 29 TTPs 4 2 Figure 28 Screenshot of the Dariche News website 30 TTPs 4 2 4 2 2 TTPs Camouflage and Spam While the accounts in this group primarily posted political content they exhibited some spammy characteristics likely geared towards building a large online audience Several accounts had follow-back language in their profiles such as the phrase “follow follow back ” Many accounts also posted non-political filler content including Iranian poetry and photos of Persian food in a likely attempt to build an audience and present themselves as authentic users Figure 29 The Iran group tried to engage with real Iranians on Twitter often by joking with users about non-political internet memes Accounts often replied to tweets with the face with tears of joy emoji Figure 29 Left An image shared by a Twitter asset saying merry Sizdah Be-dar Sizdah Be-dar is an Iranian festival celebrated with a picnic Right An asset retweeted this photo of cats 4 2 3 Voice of America We observed multiple instances of accounts in the Iran group sharing content from sources linked to the U S military For example in 2020 and 2021 a Twitter account that presented itself as an Iranian individual living in “Cambridge” posted links to almashareq com and diyaruna com 25 and 26 times respectively Both websites say they are sponsored by the U S Central Command CENTCOM and post pro-Western articles in Persian and Arabic This Twitter account was created on June 16 2019 and its Twitter bio linked to a Telegram account with the same name and just three subscribers The Twitter account was critical of the Iranian government and often used a sarcastic tone to mock Iranian state media and other parts of the state apparatus It also tweeted about how Iranian meddling abroad only hurt Iranians at home Based on an analysis of shared technical infrastructure domain registration records and social media activity we assess with high confidence that almashareq com is the latest rebranding of al-shorfa com while diyaruna com is the latest rebranding of mawtani com and mawtani al-shorfa com Prior to 2016 al-shorfa com and mawtani com were part of the U S government’s Trans-Regional Web Initiative mentioned at the beginning of this report 31 4 3 Narratives Figure 30 Two images tweeted by the account that shared U S military-linked domains Left This image was tweeted on Aug 11 2021 and the tweet text said that Qais al-Khazali—who heads an Iranian-backed paramilitary group in Iraq—dances like a puppet of the Iranian regime Right This image was tweeted on Feb 24 2022 and says “freedom of speech in Iran ” Text accompanying the tweet used two Persian hashtags one protesting an internet control bill and the other saying “no to the Islamic Republic ” Additionally Dariche News frequently quoted CENTCOM officials and discussed U S military activities in the region We counted at least 50 Dariche News articles that mentioned CENTCOM For example a September 2021 article discussed how Bahraini leaders pledged to work with U S Naval Forces Central Command to adopt new technologies A December 2021 article quoted a former CENTCOM commander saying that the Iranian government was starving people to build missiles The network amplified programs to people wanted by the U S government to justice For example on Aug 10 2022 a Telegram channel linked to a suspended Twitter account shared an FBI wanted pamphlet for Shahram Poursafi an Islamic Revolutionary Guard Corps IRGC member accused of plotting to assassinate former U S National Security Advisor John Bolton Dariche News like some other covert accounts we reviewed shared content from the U S State Department’s Rewards for Justice Program seeking information about Iranians who may have interfered in U S elections Figure 31 on the following page 4 3 Narratives The Twitter accounts in this group can be divided into those that criticized the Iranian government and a smaller number of accounts that shared hardliner views The suspended Facebook and Instagram accounts either criticized the Iranian government or did not contain any publicly visible posts 32 4 3 Narratives Figure 31 A Dariche News article highlighting the U S Department of State’s Rewards for Justice program The article says there is a reward of up to $10 million for information about Iranians who attempted to interfere in U S elections 4 3 1 Needling Iran Anti-government accounts criticized Iran’s domestic and international policies and highlighted how the government’s costly international interventions undermined its ability to care for its citizens Posts claimed the government took food from Iranians to give to Hezbollah One Instagram post said that by supporting Hamas and Hezbollah the late Qasem Soleimani had brought poverty and misery to Iran Soleimani was the former head of the Quds Force a branch of Iran’s IRGC Some tweets highlighted embarrassing events for Iran such as a reported power outage that caused the Iranian chess team to lose an international online tournament Human and civil rights were another common theme from the group Some tweets with higher engagement levels criticized the government particularly Supreme Leader Ayatollah Ali Khamenei for killing protesters in 2021 Tweets also highlighted a teacher protest in January 2022 Across platforms the group promoted Amnesty International content One tweet from May 2021 highlighted an Amnesty International report about how the government executed four imprisoned Ahwazi activists in 2021 see Figure 32 33 4 3 Narratives The Ahwazi are an Arab ethnic minority group in Iran An April 2022 Instagram post shared an Amnesty International image drawing attention to the unjust imprisonment of human rights activist Behnam Mousivand A July 2021 Instagram post highlighted in poetic terms the unjust imprisonment of an Iranian poet who has since died in prison Figure 32 A May 19 2021 tweet on the extrajudicial killing of four Ahwazi activists The image text says “Amnesty International Iranian authorities have hidden the bodies of four executed Ahwazi Arab activists ” The group also focused on women’s rights though most prominently on Facebook and Instagram Dozens of posts compared Iranian women’s opportunities abroad with those in Iran Posts also noted that little has changed for women in Iran over time Many posts highlighted domestic protests against hijab dress requirements Many tweets linked government corruption to domestic hardships For example one post said that “corruption and mafia relations in the IRGC judges and the families of the heads of Islamic Republic… are the main reason for Iran’s poverty and misery ” Tweets likewise blamed the government for the country’s rising cost of living claiming that prices for food and medicine increased at the same time that hardliner Ebrahim Raisi became the country’s president in 2021 These tweets also noted that the IRGC controls the country’s domestic production of these goods Criticism of the IRGC was a particularly prominent theme in the group Dariche News explicitly said its main focus was “to inform about the destructive role of 34 4 3 Narratives Figure 33 A post on the Facebook page Iran Land ‫ ایران زمین‬on June 10 2022 The post compares the experience of Iranian women abroad such as working as astronauts left with an Iranian woman in Iran seemingly being beaten right Figure 34 A post from Feb 7 2022 on the Iran Land Facebook page Top left Before the Taliban Top right Before the Islamic Revolution Bottom left After the Taliban Bottom right After the Islamic Revolution This post received 1 336 likes despite the page having just 642 followers 35 4 3 Narratives the Islamic Revolutionary Guard Corps in all the affairs and issues of Iran and the region ” Multiple assets also claimed to be “Justice for the victims of #Flight752” accounts referring to the Ukraine International Airlines flight that the IRGC shot down in January 2020 In addition to blaming the IRGC for this incident tweets also placed responsibility directly on Khamenei At the time of the incident accounts discussed how it was playing out internationally For example accounts shared news articles about a Canadian court ruling the incident an act of terrorism The Twitter accounts in this group used hashtags related to this flight e g #PS752 and #ps752justice hundreds of times Like other groups in the broader covert set the Iranian group criticized Russia’s invasion of Ukraine often using it to frame local narratives The group’s posts used Persian versions of the Russian opposition hashtags #no_to_Putin and #no_to_war Accounts noted that Khamenei verbally supported Putin and accused Iran of supplying drones to Russia which Russia then used to kill civilians In addition to claiming that Iran’s support for Russia was morally wrong the group also pushed the narrative that Iran’s support would incur negative economic repercussions and made unflattering comparisons between Khamenei and Ukraine’s President Volodymyr Zelensky One “has sold Iran to Russia and ordered their peoples’ murder ” an account tweeted “The other is wearing a combat uniform alongside his people and has stopped the colonization of Ukraine by Russia with all his might ” Figure 35 An Aug 7 2022 post from a Telegram channel linked to a suspended Twitter account The post says that Russia has started using Iranian drones in Ukraine and that Iran’s military support for Russia “is not in Iran’s favor and will cause many diplomatic and political problems for Iran in the future ” Accounts also criticized the Quds Force’s activities abroad and particularly its former leader Soleimani calling him a murderer and saying that his values were 36 4 3 Narratives inconsistent with Islam The tweet in Figure 36 is from just after the Taliban seized control of Afghanistan in 2021 It says that Quds Force personnel were pretending to be journalists and going to Afghanistan to squash the country’s opposition Figure 36 A Sept 19 2021 tweet saying that Quds Force personnel were in Afghanistan to squash the country’s anti-Taliban opposition Figure 37 A cartoon from an article on darichenews com The cartoon is branded with the Dariche News name in the top left corner The text says “IRGC Greatest threat to the Middle East ” The image shows Khamenei as an octopus spreading his tentacles around the Middle East with missiles police batons and nooses Notably the article accompanying this cartoon includes a quote from a former CENTCOM commander 37 4 3 2 A Handful of Hardliners Four Twitter accounts in the group promoted hardliner narratives that advocated for anti-reformist and hawkish policies in Iran Some of these narratives took aim at Iranian state officials for being too moderate but any negative content about the Iranian government was infrequent The hardliner accounts tweeted during the same period as the anti-regime assets and used similar tactics but their purpose is unclear These assets did not share anti-U S content as one would expect from nationalistic voices in Iran Most of the hardliner tweets came from just one account a self-declared “political science expert” whose account had 3 769 followers and was created on Nov 25 2020 This account mostly posted on Twitter and a related Telegram channel about the progress of Shi’a Islam over time For example in one tweet the account asserted that Shiites were now able to exert influence in the Middle East after previously playing a more submissive role This tweet received 84 likes A Facebook and Instagram account linked to this Twitter account are also suspended though they were not included in the dataset shared by Meta Other hardliner accounts praised Soleimani tweeting that he should rest in peace calling him a martyr and saying that he is more dangerous to Iran’s enemies dead than alive One account suggested that former President Akbar Hashemi Rafsanjani the office of the presidency and Iran’s Expediency Council were too moderate This same account also tweeted that former President Hassan Rohani and former Foreign Minister Javad Zarif were traitors Other posts promoted the use of the hijab and shared provocative images like those shown in Figure 38 Figure 38 An image shared by a hardliner account The image at left says “without veil ” and the image at right says “veil ” 5 5 1 Afghanistan Overview A small group of assets in the Twitter and Meta takedown sets posted primarily about issues in Afghanistan but emphasized narratives critical of Iran the Islamic State group and the Taliban This group comprised six Twitter accounts one 38 5 2 TTPs Facebook profile and one Instagram account The accounts posted mainly in Pashto but also occasionally in Persian Urdu and Arabic The assets were primarily active from September 2019 to July 2022 but one account began posting in 2017 We also identified one affiliated YouTube account that was created in October 2020 5 2 TTPs Despite this group’s small number of assets its campaign leveraged clear TTPs that we also observed in the broader set of covert accounts All these accounts used fake personas including one account claiming to be an Afghan man Some of the personas attempted to present as real people by using profile pictures that were likely created using artificial intelligence techniques such as generative adversarial networks GAN Like assets in the Central Asia group the Afghanistan accounts typically included hashtag blocks at the end of their posts often including #IRGCEXPOSED They also shared content from sources linked to the U S military particularly afghanistan asia-news com which names the U S Central Command as its sponsor Based on an analysis of shared technical infrastructure domain registration records and social media activity we assess with high confidence that afghanistan asia-news com Salaam Times is one-third of the latest rebranding of centralasiaonline com the other two being pakistan asianews com Pakistan Forward and central asia-news com Caravanserai Before 2016 centralasiaonline com was part of the U S government’s TransRegional Web Initiative mentioned at the beginning of this report Figure 39 Left A fake persona in the Afghanistan group likely used artificial intelligence techniques such as GAN to create its profile photo Right We have superimposed the same profile picture over two sample GAN-generated images from outside the network The alignment of the eyes in multiple different images strongly suggests the profile picture was created using artificial intelligence techniques 39 5 3 Narratives Figure 40 Screenshot of an archived Instagram post by the same fake persona who used a likely GAN-generated profile image The post includes a video from the U S military-linked website afghanistan asia-news com and claims that imports of low-quality Iranian honey are damaging Afghanistan’s beekeeping industry 5 3 5 3 1 Narratives Iran Again Accounts in the Afghanistan group consistently advanced narratives critical of Iran and its actions often within a framework of issues and events relevant to Afghan audiences Sometimes these narratives included inflammatory claims accompanied by articles from the U S military-linked website afghanistan asianews com One example was a tweet from March 11 2022 which claimed that relatives of deceased Afghan refugees had reported bodies being returned from Iran with missing organs The post linked to an afghanistan asia-news com video which was posted to YouTube and also shared in a Feb 14 2022 article by pakistan asia-news com The article includes interviews with an Afghan official and Afghan nurse making the same unverified claims Another anti-Iranian narrative claimed in late 2021 and early 2022 that the IRGC was forcing Afghan refugees to join militias fighting in Syria and Yemen and that those who refused were being deported Like accounts in the Middle East group many posts focused on the actions of Iranian-backed militias in Syria accusing 40 5 3 Narratives Figure 41 An article on a U S military-linked domain alleged that Afghan refugees were having their organs harvested in Iran fighters of committing human rights abuses and Tehran of sponsoring terrorism Since February this year the Afghanistan accounts began to weave in narratives related to Russia’s invasion of Ukraine comparing the actions of Russian soldiers to those of IRGC-backed militias in Syria Figure 42 An April 2022 tweet compared Russia’s “illegal” invasion of Ukraine to the IRGC sending militia forces to Syria 41 5 3 Narratives Accounts in the group also posted general criticism of Iranian policies that did not directly relate to Afghanistan For example the YouTube account we identified posted multiple Shorts showing Iranians protesting and looting supermarkets due to food shortages The Shorts were captioned in Pashto English and Urdu and commented that “There is no difference between IRGC and ISIS” and “People looting shops in Iran but the Iranian government is still interfering in other countries ” Figure 43 A YouTube Short shared by an account linked to the suspended Twitter and Meta assets compared the IRGC to the Islamic State group The account profile photo is likely GAN-generated 5 3 2 No Taliban No ISIS Multiple accounts in this group shared posts and tweets that resembled Afghan military press releases From 2019 to 2021 these posts highlighted successful Afghan military operations against the Taliban Islamic State group and other extremist organizations such as a March 2020 post applauding police in Afghanistan’s Nimroz Province for seizing opium used to finance al-Qaeda Posts also typically praised former President Ashraf Ghani After Afghanistan fell to the Taliban in August 2021 accounts in the group began sharing advice for people trying to flee the country Initially this included warnings not to gather around Kabul airport without the necessary foreign travel documents as the scene devolved into chaotic evacuations by retreating U S forces In the following weeks posts highlighted women’s protests against 42 5 3 Narratives Taliban authorities and criticized Afghanistan’s new government for its treatment of women and journalists Lastly many posts attempted to undermine support for the Islamic State group’s affiliate in Afghanistan claiming to reveal “the true fact” that the group is anti-Islam A May 2022 tweet said in Pashto that the Islamic State group’s actions contradicted Islamic teachings and that the group “exists as the most dangerous terrorist group in the region and threatens all nations with weapons of ignorance ” Though often used without context #NotMyIslam in English appeared frequently Figure 44 An image shared by an asset on Aug 19 2021 The accompanying tweet said in Persian that the U S Department of Defense was working to increase airport security and the number of flights evacuating people from Kabul Figure 45 An image shared with a tweet on Aug 25 2021 The accompanying text said in Persian that more than 20 000 Afghans had been evacuated in the past 24 hours as the U S and allies worked to complete evacuations by Aug 31 43 6 Middle East 6 1 Overview The Middle East group of covert assets discussed in this section focused broadly on issues related to Iraq Syria Lebanon and Yemen While not as distinct as other groups in the takedown sets we identified multiple technical behavioral and content links between these accounts which exclusively posted in Arabic about the same topics and themes The group comprised 30 Twitter accounts six Instagram accounts six Facebook pages eight Facebook profiles and one Facebook group The earliest activity in the data provided by Twitter and Meta dates from early 2018 Activity levels were generally low across the group For example sixteen of the Twitter accounts posted fewer than 100 tweets and six of the Facebook profiles had no publicly visible activity Our investigation identified clear signs of coordination and inauthentic behavior TTPs employed by the accounts included sharing identical content across platforms coordinated posting times using GAN-generated faces and creating fake profile pictures One Facebook page in the group also posed as a person living in Iraq This page shared the same name and picture as a Twitter account that previously claimed to operate on behalf of the United States Central Command CENTCOM The group chiefly promoted narratives seeking to undermine Iran’s influence in the region but also took aim at Russia and Yemen’s Houthi rebels For example accounts on Twitter posed as Iraqi activists in order to accuse Iran of threatening Iraq’s water security and flooding the country with crystal meth Other assets highlighted Houthi-planted landmines killing civilians and promoted allegations that Russia’s invasion of Ukraine would lead to a global food crisis 6 2 6 2 1 TTPs Fake Faces Lead to Florida One of the Facebook pages in the group showed links to a Twitter account that has previously claimed to operate on behalf of CENTCOM Created on Nov 1 2021 the page used the Arabic word for “discoverer” ‫ مكتشف‬as its name and presented itself as an Iraqi man posting predominantly about the misdeeds of the Iranian government and its influence in Iraq Notably Discoverer used a profile picture likely generated using artificial intelligence techniques such as GANs An Instagram account and a Facebook profile in the Middle East group used the same image as well An account in the Twitter dataset also used the Arabic word for “discoverer” as its name and the same fake face as the three Meta assets The Discoverer Twitter account was created in November 2016 and claimed in its bio to be “always in the service of Iraqis and Arabs ” 44 6 2 TTPs Figure 46 The profile picture used by the Facebook page Discoverer and two other assets in the Middle East group Issues with the left ear and the central alignment of the eyes suggest it was generated using artificial intelligence techniques However archived versions of the Discoverer Twitter account show that prior to May 2021 it used a different picture listed its location as “Florida USA ” and publicly identified as an “account belonging to the U S Central Command” that “aims to uncover issues related to regional security and stability ” At that time the account promoted similar anti-Iran narratives related to Iraq and Syria but also posted statements presented as coming from the U S embassy in Baghdad Figure 47 Left Archived version of the Discoverer Twitter account with an Arabic-language bio claiming an affiliation with CENTCOM Right The same account shortly before it was suspended by Twitter 45 6 2 TTPs Figure 48 An archived tweet by the Discoverer Twitter account from September 2018 criticized the actions of Iranian proxies in Iraq and promoted humanitarian efforts by the U S government 6 2 2 Cut Out and Collage Accounts in the Middle East group frequently used fake profile pictures to construct online personas This is a common tactic in online IO and we increasingly see actors leverage GAN-generated faces such as those shown in Figure 49 While at first presenting as photorealistic human faces GAN-generated images are typically easy to identify due to their consistent central eye alignment blurred backgrounds and telltale glitches around the teeth eyes and ears Figure 49 GAN-generated profile pictures used by accounts from the Middle East group on Twitter But we also identified assets in this group using fake profile pictures that appeared to be collages of different images available online This is a relatively novel technique and though it is easy to spot images that have been edited in this manner it could complicate strategies to detect inauthentic personas 46 6 3 Narratives For example an Instagram and Twitter account in the Middle East group used the same picture of a man in a suit holding a water bottle Reverse image searches revealed that the man’s torso was identical to a photo from a 2012 fashion blog which had then been edited to add a new face and background We also saw accounts in the Central Asia group employ this TTP Figure 50 Left Original photo from a 2012 fashion blog Right Collaged photo used by assets in the group 6 2 3 Coordinated Posting and Content Sharing We identified multiple instances of assets in the Middle East group sharing content and exhibiting coordinated posting patterns on Facebook Instagram and Twitter Typically this activity involved supposedly independent accounts posting the same images or identical text content within hours or even minutes of each other For example on Sept 23 2021 a Facebook profile using a likely fake persona and the Facebook page Here Is Yemen ‫ هنا اليمن‬posted the same video with identical captions about alleged mass executions planned by Houthi rebel leaders in Yemen The two Facebook assets made these posts just two minutes apart 6 3 6 3 1 Narratives The “Disease” of Iranian Influence in Iraq Accounts in the Middle East group consistently shared content that supported the U S -recognised Iraqi Security Forces ISF while criticizing the actions of Iran and Iraqi militias backed by Tehran These accounts repeatedly asserted that Iraqi militias supported by Iran’s Islamic Revolutionary Guard Corps IRGC were loyal to Tehran over the Iraqi government and were fighting to implement Iran’s imperialist project in the Middle East Some accounts also accused Iranian- 47 6 3 Narratives Figure 51 A Facebook profile and Facebook page made identical posts about Houthi rebel leaders planning mass executions just two minutes apart Figure 52 The Facebook pages Class Watcher ‫ مراقب الصف‬and Watching Eyes ‫ عيون راصدة‬posted the same picture with a partially matching caption just six days apart in late 2021 backed militias of causing civilian casualties through rocket strikes on Baghdad’s Green Zone In particular accounts in the group promoted content critical of Qais al-Khazali the leader of the influential Shiite paramilitary organization Asa’ib Ahl al-Haq The U S designated Asa’ib Ahl al-Haq as a foreign terrorist organization in January 2020 after its members were accused of killing demonstrators at anti-government protests in Iraq in 2019 Other posts from the Middle East group accused Tehran of engineering a drought in the country by jeopardizing the water supply of cross-border rivers smuggling weapons and fuel through Iraq to Iranian fighters in Syria and fuelling Iraq’s crystal meth epidemic 48 6 3 Narratives Figure 53 Assets in the group shared a tweet left and Instagram post right with the same cartoon accusing Iraqi militias of taking orders from Iran Figure 54 An asset shared on Facebook an image showing Qais al-Khazali in an IRGC uniform with Islamic State group militants on either shoulder 49 6 3 Narratives Figure 55 An asset in the group shared on Twitter a cartoon depicting Iranian influence as a disease destroying Iraq 50 6 3 6 3 2 Narratives A Russian Plot to Engineer Global Famine Although the Middle East group predominantly focused on Iran a small cluster of accounts on Facebook Instagram and Twitter promoted content critical of Russia particularly its interventions in Libya and Syria Beginning in February this year these accounts tailored content to Russia’s invasion of Ukraine and designed anti-Russian messaging to appeal to Arabic-speaking audiences in the Middle East In addition to reports of Russian soldiers killing civilians the accounts amplified the narrative that Russian President Vladimir Putin planned to induce a global food crisis that would hit less economically developed countries the hardest The accounts reported on Russian bombings of Ukrainian grain silos and Turkey’s detention of a Russian-flagged ship carrying “stolen” Ukrainian grain to bolster this narrative These anti-Russian narratives overlapped thematically with content from some accounts in the Central Asia group At the same time the accounts applauded ongoing efforts by the United States Agency for International Development USAID in Iraq and posted about positive interactions between American troops and children in Syria Figure 57 on the following page Figure 56 An account in the group made a post on Instagram accusing Russia of deliberately causing global food shortages by invading Ukraine 51 6 3 Narratives Figure 57 A Facebook post from an asset in the group showed U S soldiers meeting children in Syria 52 6 3 6 3 3 Narratives Yemen Houthis and Landmines A second cluster of accounts in the Middle East group focused on issues in Yemen These accounts also present on Facebook Instagram and Twitter primarily shared content critical of Iranian and Houthi rebel activity in Yemen Posts accused Houthi rebel leaders of blocking humanitarian aid deliveries acting as proxies for Iran and Hezbollah and closing bookstores radio stations and other cultural institutions in the Yemeni capital Sana’a Recently the cluster amplified a narrative highlighting Houthi forces’ widespread use of landmines which human rights groups say have caused thousands of civilian casualties since the beginning of the conflict These posts typically included the number of civilian casualties and highlighted the alleged Iranian origins of the landmines Figure 58 A Tweet from one asset claimed Houthi forces take orders from powers in Iran 53 6 3 Narratives Figure 59 A post by the Facebook page Here Is Yemen claimed that Houthiplanted landmines have killed 2 812 civilians and injured 3 655 more between April 2014 and March 2022 54 Graphika is an intelligence company that maps the world’s online communities and conversations Graphika helps partners worldwide including Fortune 500 companies Silicon Valley human rights organizations and universities discover how communities form online and understand the flow of information and influence within large-scale social networks Customers rely on Graphika for a unique network-first approach to the global online landscape The Stanford Internet Observatory is a cross-disciplinary program of research teaching and policy engagement for the study of abuse in current information technologies with a focus on social media The Stanford Internet Observatory was founded in 2019 to research the misuse of the internet to cause harm formulate technical and policy responses and teach the next generation how to avoid the mistakes of the past