By Chris Ciaccia, ,
Published August 23, 2018
Google said it has uncovered a "state-sponsored phishing attack" that is connected to the Islamic Republic of Iran Broadcasting (IRIB), marking the first time the tech giant has found a direct link between Iran's state media and misinformation attacks.
In a blog post Thursday, the company said it had found a number of different YouTube channels, blogs and Google+ accounts that are linked to the campaign from IRIB.
"We identified and terminated a number of accounts linked to the IRIB organization that disguised their connection to this effort, including while sharing English-language political content in the U.S.," Google's Kent Walker, SVP of Global Affairs, wrote in the post.
Walker said that three important pieces of evidence gave the company confidence the attack was being carried out by the IRIB:
- "Technical data associated with these actors is strongly linked to the official IRIB IP address space."
- "Domain ownership information about these actors is strongly linked to IRIB account information."
- "Account metadata and subscriber information associated with these actors is strongly linked to the corresponding information associated with the IRIB, indicating common ownership and control."
The violations were found in "39 YouTube channels that had 13,466 total U.S. views on relevant videos; six blogs on Blogger and 13 Google+ accounts.
Walker added the company had been working with cybersecurity company FireEye on the "influence operation," noting that FireEye specifically identified "some suspicious Google accounts," which the company then disabled.
The full 20-page report from FireEye can be found here.
Walker also wrote that the advertising giant, which has come under scrutiny in recent days for tracking its users without notice, is working with U.S. lawmakers and law enforcement about the findings of the investigation, "including its relation to political content in the United States."
The news comes just days after Facebook said it has removed 652 pages, groups and accounts linked to Iran for "coordinated inauthentic behavior" — including the sharing of political material — and had also removed other pages tied to Russian military intelligence services.
In a statement, the social network said the activity originating in Iran and the activity sourced to Russia were not related. It also said it was not aware of any activity from the Russia-based accounts that targeted American users.
Fox News' Samuel Chamberlain contributed to this report. Follow Chris Ciaccia on Twitter @Chris_Ciaccia