OpenAI blocks Iranian influence operation using ChatGPT for US election propaganda

OpenAI said Friday that it has blocked a number of accounts linked to a covert Iranian influence operation that used ChatGPT to generate content targeting, among other things, the upcoming US presidential election.

“This week, we identified and took down a group of ChatGPT accounts that were generating content for a covert Iranian influence operation known as Storm-2035,” OpenAI said.

“The operation used ChatGPT to generate content focused on a number of topics, including commentary on candidates on both sides of the US presidential election. This content was then shared across social media accounts and websites.”

The artificial intelligence (AI) company said the content failed to generate meaningful engagement, with most social media posts receiving negligible to no likes, shares and comments. It further noted that it found little evidence that the long-form articles created using ChatGPT were shared across social media platforms.

The articles focused on US politics and global events and were published on five different websites posing as progressive and conservative news sources, suggesting an attempt was made to reach people on opposite sides of the political spectrum.

OpenAI said its ChatGPT tool was used to create comments in English and Spanish, which were then posted to a dozen accounts on X and one on Instagram. Some of those comments were generated by asking its AI models to rewrite comments made by other social media users.


“The operation generated content on a variety of topics: primarily the Gaza conflict, Israel’s presence at the Olympics, and the US presidential election, and to a lesser extent, Venezuelan politics, the rights of Latin American communities in the US (in both Spanish and English), and Scottish independence,” OpenAI said.

“They interspersed their political content with comments on fashion and beauty, possibly to appear more authentic or in an attempt to build a following.”

Storm-2035 was also among the clusters of threat activity highlighted by Microsoft last week. Microsoft described it as an Iranian network that “actively targets American voter groups at opposite ends of the political spectrum with polarizing messages on issues such as the U.S. presidential candidates, LGBTQ rights, and the conflict between Israel and Hamas.”

Some of the fake news and commentary sites set up by the group include EvenPolitics, Nio Thinker, Savannah Time, Teorator, and Westland Sun. These sites have also been observed using AI-enabled services to plagiarize a fraction of their content from US publications. The group is said to be operational as of 2020.

Microsoft has further warned of an increase in malicious foreign influence activities targeting the US elections over the past six months. These activities are being carried out from both Iranian and Russian networks. The latter have been traced to clusters such as Ruza Flood (also known as Doppelganger), Storm-1516 and Storm-1841 (also known as Rybar).

“Doppelganger spreads and amplifies fabricated, fake or even legitimate information via social networks,” according to French cybersecurity firm HarfangLab. “To do this, social network accounts post links that initiate an obscured chain of redirects leading to websites with the final content.”


However, there is evidence that the propaganda network is changing its tactics in response to aggressive enforcement. According to Meta, it is increasingly using non-political messages and advertisements, and parodying non-political news sources and entertainment news outlets such as Cosmopolitan, The New Yorker and Entertainment Weekly, all in an effort to avoid detection.

The posts contain links that, when tapped, take users to an article about the Russian war or geopolitics on one of the fake domains that impersonate entertainment or health publications. The ads are created using compromised accounts.

The social media company, which has disrupted 39 influence operations from Russia, 30 from Iran and 11 from China on its platforms since 2017, said it discovered six new networks from Russia (4), Vietnam (1) and the US (1) in the second quarter of 2024.

“Since May, Doppelganger has resumed its attempts to share links to its domains, but at a much slower pace,” Meta said. “We’ve also seen them experiment with multiple redirect hops, including using TinyURL’s link-shortening service to hide the final destination behind the links and trick both Meta and our users in an attempt to avoid detection and direct people to their off-platform sites.”

The development follows a report from Google’s Threat Analysis Group (TAG) this week that it had detected and disrupted Iranian-backed spear-phishing attempts that targeted the personal accounts of high-profile users in Israel and the US, including accounts of users involved in US presidential campaigns.


The activity has been attributed to a threat actor codenamed APT42, a state-sponsored hacking crew affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC). It is known to overlap with another intrusion group known as Charming Kitten (also known as Mint Sandstorm).

“APT42 uses a variety of tactics as part of their email phishing campaigns, including hosting malware, phishing pages, and malicious redirects,” the tech giant said. “They generally attempt to abuse services such as Google (i.e. Sites, Drive, Gmail, and others), Dropbox, OneDrive, and others for these purposes.”

The overall strategy is to gain the trust of victims through sophisticated social engineering techniques. The goal is to lure victims away from their email and convince them to move to instant messaging channels such as Signal, Telegram or WhatsApp, where they are then given fake links designed to collect their login details.

The phishing attacks are characterized by the use of tools such as GCollection (also known as LCollection or YCollection) and DWP to collect credentials from Google, Hotmail and Yahoo users, Google said, highlighting APT42's “strong knowledge of the email providers they target.”

“Once APT42 gains access to an account, they often add additional access mechanisms, such as changing recovery email addresses and leveraging features that allow applications that do not support multi-factor authentication, such as application-specific passwords in Gmail and third-party app passwords in Yahoo,” it added.
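A defender-side illustration of the persistence behaviour quoted above, added here and not taken from Google's report or the original article: it scans account audit events for a recovery-email change or app-password creation shortly after a sign-in from an unrecognised device. The event schema, field names, sample events and 24-hour window are all assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed audit events in a hypothetical, provider-neutral schema
# (field names are assumptions, not any mail provider's real log format).
SAMPLE_EVENTS = [
    {"ts": "2024-08-12T09:00:00", "user": "alice@example.org", "action": "login",
     "ip": "198.51.100.7", "known_device": True},
    {"ts": "2024-08-13T02:14:00", "user": "alice@example.org", "action": "login",
     "ip": "203.0.113.50", "known_device": False},
    {"ts": "2024-08-13T02:20:00", "user": "alice@example.org",
     "action": "recovery_email_changed", "ip": "203.0.113.50"},
    {"ts": "2024-08-13T02:26:00", "user": "alice@example.org",
     "action": "app_password_created", "ip": "203.0.113.50"},
    {"ts": "2024-08-13T10:00:00", "user": "bob@example.org", "action": "login",
     "ip": "198.51.100.9", "known_device": True},
    {"ts": "2024-08-13T10:05:00", "user": "bob@example.org",
     "action": "app_password_created", "ip": "198.51.100.9"},
]

# Account changes the quoted report describes as added access mechanisms.
PERSISTENCE_ACTIONS = {"recovery_email_changed", "app_password_created"}

def find_persistence_after_new_login(events, window=timedelta(hours=24)):
    """Flag persistence-style changes made within `window` of a sign-in
    from an unrecognised device on the same account."""
    alerts = []
    last_unknown_login = {}  # user -> (time, ip) of latest unrecognised sign-in
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["action"] == "login":
            # A missing flag is treated as unrecognised (fail closed).
            if not ev.get("known_device", False):
                last_unknown_login[user] = (ts, ev["ip"])
        elif ev["action"] in PERSISTENCE_ACTIONS and user in last_unknown_login:
            login_ts, login_ip = last_unknown_login[user]
            if ts - login_ts <= window:
                alerts.append({
                    "user": user,
                    "action": ev["action"],
                    "minutes_after_login": int((ts - login_ts).total_seconds() // 60),
                    "login_ip": login_ip,
                })
    return alerts

if __name__ == "__main__":
    for alert in find_persistence_after_new_login(SAMPLE_EVENTS):
        print(alert)
```

The same app-password event on the second account raises no alert because it follows a sign-in from a recognised device, which keeps routine user activity out of the results.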
