In recognition of the group’s prolific manufacturing and its transient nature, Citizen Lab labeled it “Countless Mayfly,” after the gangly, short-lived bugs that hatch and swarm each summer time. Citizen Lab mentioned it can’t say for sure that the operation was sponsored by the Iranian authorities. But it surely famous that Fb and Twitter eliminated a whole lot of accounts final August linked to the identical operation, and Fb mentioned these accounts had ties to Iranian state media.
Etienne Maynier, one other writer of the Citizen Lab report, mentioned Countless Mayfly’s articles “continuously echoed official feedback and positions of the Iranian authorities.”
Raz Zimmt, an skilled on Iran at Israel’s Institute for Nationwide Safety Research, a assume tank affiliated with Tel Aviv College, and a former Israeli army intelligence officer, mentioned Iran has turned to cyberattacks and on-line affect campaigns partly due to army weak point. As well as, he mentioned, such hard-to-trace operations permit Iran “to take care of the anomaly wanted to scale back the chance of open confrontation with opponents who keep a army superiority over it.”
In establishing its ephemeral web sites, the Countless Mayfly group used one tactic acquainted from phishing operations: “typosquatting,” through which an internet site is created below a reputation a letter or two off from a widely known establishment. Countless Mayfly used “theguaradian.com” to imitate “theguardian.com” and “theatlatnic.com” rather than “theatlantic.com.”
Researchers at Citizen Lab acquired their first clue in April 2017, after customers on Reddit seen an article on Brexit that gave the impression to be from the British newspaper The Impartial really got here from a web site spelled in a different way: “http://www.indepnedent.co/.” However when readers later tried to return to the article, they have been despatched to the precise newspaper’s official web site. The article’s authors had deleted the faux one however modified the hyperlink to strengthen the impression that it had originated on the true newspaper’s web site.
In all, Citizen Lab mentioned it had recognized 73 internet domains created by the group, 135 ersatz articles it had posted and 11 faux identities like Mona A. Rahman, typically used as bylines on the faux articles. A few of the articles had been beforehand flagged as false by reporters and researchers, who typically pointed at Russia because the doubtless offender. However the general operation has not beforehand been described and linked to Iranian pursuits.
A tweet by “Mona A. Rahman.”Credit scoreCitizen Lab
The group seems to nonetheless be lively, in response to Citizen Lab, although most of its operation has been shut down. “On the floor, they appear to be a not-very-successful viral promoting marketing campaign,” mentioned John Scott-Railton, a senior researcher at Citizen Lab.