According to Microsoft, Iran’s attempts to influence the November US presidential election have increased recently and there are signs that Iran is planning to incite violence against key figures.

“Over the past several months, we have seen the emergence of significant influence activities by Iranian actors,” Microsoft said. “Iranian cyber-enabled influence operations have been a consistent feature of at least the last three U.S. election cycles.”

US elections have never been more secure, says CISA chief

READ MORE

The Windows maker added: “Iran’s activities are notable and distinct from Russian campaigns because they appear later in the election season and use cyberattacks that are more focused on electoral behavior than on influencing voters. Recent activity suggests that the Iranian regime – along with the Kremlin – could be similarly involved in the 2024 elections.”

Multiple state-sponsored groups and groups of unknown affiliation are believed to be involved, each with their own goals and methods. For example, the group Microsoft tracks as Sefid Flood has been laying the groundwork for influence operations since March 2024.

Microsoft did not provide details about the precise nature of this organized activity, but Sefid Flood is known for posing as a social and political activist in order to undermine trust in government officials and the election systems themselves.

That may be why the U.S. has been so adamant lately that elections are more secure than ever. CISA Director Jen Easterly spoke on the topic at Black Hat this week, saying that the infrastructure is solid, but that influence operations, particularly from Russia, are a concern because of their increasing sophistication.

According to Microsoft, Sefid Flood may want to use the impersonations to “cause chaos” and the activities “could go as far as intimidation, doxxing, or violent incitement targeting political figures or socio-political groups.”

On the state-sponsored side of things, Mint Sandstorm and Peach Sandstorm are both run by Iran’s intelligence agency, the Islamic Revolutionary Guard Corps (IRGC). As recently as June 2024, Mint Sandstorm was caught attempting to spearfish a presidential campaign official using the account of a former senior adviser the group had compromised. The email contained a link that would have allowed the IRGC to intercept the official’s traffic.

Just days earlier, on June 13, Mint Sandstorm also attempted – and failed – to gain access to the account of a former presidential candidate. While there is no definitive evidence that this activity was election-related, the timing of the activity so close to the aforementioned official’s targeting suggests that it may have been.

The group is also known to target political figures for reasons other than elections, and has been doing so for years. So no firm conclusions can be drawn officially.

A month earlier in May, its IRGC cousin, Peach Sandstorm, embarked on an elaborate password-spraying mission that helped it gain access to a user account at a county-level government in a U.S. swing state. It didn’t actually do much with the access, so it may have been unrelated to the election and more of a fluke, but Microsoft noted that the county, located in a well-known swing state, had recently experienced a “race-related controversy” that had made national news.

The description is too broad and racism is too pervasive in the US to even draw any conclusions from it. It could have happened in any number of possible states, as there were many states that fit that description.

Fake news

It was part of Russia’s recent efforts to influence the Paris Olympics. Iran has also set up fake news channels in an attempt to engage voters on both sides of the political divide.

One site has been online and active since 2022, “covering” the US midterms. EvenPolitics publishes about 10 articles per week and is run by Storm-2035, which has also set up several other sites to influence audiences in Arabic, English, French and Spanish. Microsoft calls groups “Storm-X” when they are in active development.

Nio Thinker was founded in October 2023 to cover the Israel-Hamas conflict, but has recently targeted left-wing American voters with sarcastic, anti-Trump tirades. It does have a few real zingers, to be fair, calling the Republican candidate/felon an “opioid pill bull in a MAGA china shop” and a “raging deranged process-aurian.”

Savannah Time, on the other hand, targets a conservative audience with pieces on Republican politics and topics such as gender-related issues.

“The Microsoft Threat Analysis Center has not observed significant amplification of these social media sites to date, but it is possible that this will occur closer to Election Day,” the report said (PDF).

The frequency with which the sites are updated suggests that pro-Iranian actors are putting quite a bit of resources into the endeavor, although AI is also helping them out a bit.

“Research into the source code of web pages and indicators within the articles themselves shows that the site operators are likely using SEO plugins and other generative AI-based tools to create article titles and keywords, and to automatically rephrase stolen content in a way that drives search engine traffic to their sites, while obfuscating the original source of the content,” Microsoft said. ®