A dozen years ago, Treadstone 71 shifted adversary targeting from strictly cyber jihadist activity to include Iran. We tracked movements of the earliest hacking groups following their activities from low-level defacements to repurposing Stuxnet to become a recognized global power in cyber and influence operations. Treadstone 71 specializes in monitoring Iranian cyber and influence operations, research hacking groups, and regularly post information and intelligence on their activities. Many posts describe the Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence and Security (MOIS) cyber activities, organizational structures, internal recruiting methods, educational activities, cyber conferences, information on malware, and threat actors and their capabilities. We continuously seek patterns and trends within those patterns. We examine adversary tendencies in online forums, blogs, and social media sites. In the run-up to the 2020 U.S. presidential election, we focused on social media and looked for possible infiltration that would affect voters. In the run-up to the 2020 U.S. presidential election, we focused on social media and seeking possible influence operations that may affect voters. In July of this year, we came across highly unusual spikes in social media activity that, at first glance, seemed random. A closer look led us in a direction we did not expect. As with many strategic intelligence analysis efforts, collected data is the evidence driving the findings. The findings herein led us down a path we did not expect.

Campaign Core Users

At least four accounts played an essential role in managing the campaign to ensure the hashtag trended in Iran. At least nine other accounts belonging to IRGC Cyber Units were responsible for managing and expanding the campaign in different social environments. (Figure 1 in the report)

The latter, most with high followership, portrayed themselves as "monarchists," "reformists," or "regime change advocates" in various social environments while tweeting contents to fit the description, playing a serious role under the given persona in mobilizing and expanding the campaign against the MEK.

A significant feature of these accounts is young women's personas disguising themselves while attracting and luring unsuspecting users for messaging expansion and potential collaboration. 

The RGCU launched the primary campaign on July 17 at 16:59 CEST, immediately after the speech by Maryam Rajavi, starting the process of audience involvement, account mobilization, and hashtag repetition. The coordinated launch helped to create identifiable Twitter trending. The RGCU expanded the campaign by distributing and republishing influential core members' tweets and content. The republishing triggered thousands of bots and fake accounts with low followership belonging to Basij Cyber Units.

Inside the Report

With the entry of influencers (Figure 3 in the report), the campaign entered the next operations stage. The content and tweets were distributed and republished by those influential IRGC Cyber Units. The narrative between these users reveals their role in promoting the campaign and the purpose of the personas.

Thousands of bots and fake accounts with low followership belonging to Basij Cyber Units widely republished and retweeted tweets published by influencers and retweeted and promoted the posts by other accounts that had used the given hashtag.

This campaign was continued for 60.6 hours by the IRGC Intelligence Cyber Units using thousands of low paid Basij accounts resembling a Dunbar's Number concentric circles of trust throughout the country (Figure 4 in the report).

Campaign Overview and Analysis Based on Available Data and Research:

• The IRGC intended to influence and drown out the spread of MEK's messaging throughout Iran via social media by creating a flood of negative messaging using propaganda.
• Using tweets, mentions, and retweets, IRGC proxy groups call out to spread the messaging beyond proxies to unsuspecting Twitter users
• The campaign used a series of bots to create buzz and increase usage.
• Anonymous communications occurred via @BChatBot and @BiChatBot non-inclusively on Telegram for communication purposes between Cyber Units, to prevent Twitter from realizing an organized campaign and implementation of restrictions on the accounts.
• The Nejat Society (the brainchild of the Ministry of Intelligence) simultaneously used all its social media accounts, publishing messages with negative connotations about Iranian dissidents creating a negative narrative. (The active participation of Nejat Society affiliated with the MOIS in this campaign clarifies the operation's nature).
• The IRGC cyber chain-of-command likely coordinated communication between the various Cyber Units. Social media post content created identifiable patterns, trackable trends, and clear user tendencies.

Treadstone 71 believes the operation violates many Twitter rules related to the "Platform manipulation and spam policy," the "Impersonation policy," and the "Synthetic and manipulated media policy."

Request for Information (RFI) – Cyber Threat Intelligence

The RFI process includes any specific time-sensitive ad hoc requirement for intelligence information or products to support an ongoing event or incident not necessarily related to standing requirements or scheduled intelligence production. When the Cyber Threat Intelligence Center (CTIC) submits an RFI to internal groups, there is a series of standard requirements for the context and quality of the data requested.

Iranian Link Analysis of various cyber threat actors. Download the eye opening report here.

Our training examines Sherman Kent's Analytic Doctrine from the cyber perspective as well as the availability and use of OSINT tools. Students are able to understand the cyber intelligence lifecycle, the role and value of cyber intelligence relative to online targeting and collection, in modern organizations, businesses, and governments at the completion of this course and, use of our advisory services.

What you receive from Treadstone 71 is detailed information and intelligence on your adversary that far surpasses the technical realm. Where Treadstone 71 service excels is in the ability to provide you with techniques, methods, capabilities, functions, strategies, and programs to not only build a fully functional intelligence capability, but a sustainable program directly aligned with stakeholder requirements.

This intelligence brief explains the intricacies as well as cans and cannots with repect to the capabilities of cyber intelligence.

Understanding your stakeholders and what they need to help make decisions is more than half the battle. This brief covers the old adage “Know your professor, get an A."

Syrian violations of sanctions with Russian FSB assistance to manufacture ballistic vests – Not discovered by any organization other than Treadstone 71 - No sensors, no aggregation of thousands of taps – Just hard-nosed open-source collection and analysis, and an interesting read of false identities, dispersed purchasing, and deceit.

Middle Eastern Cyber Domain – Iran/Syria/Israel

An academic review of these nation-states and their work to achieve cyber operations dominance.

Intelligence Games in the Power Grid – Russian Cyber and Kinetic Actions Causing Risk

Unusual purchasing patterns from a Russian firm selling PLCs from a Taiwanese company with massive holes in its product software download site. What could go wrong?

Statement of Cyber Counterintelligence The 10 Commandments for Cyber CounterIntel

Thou shall and thou shalt not. Own the cyber street while building creds. Follow these rules and maybe you will survive the onslaught.

Much has been written about Mr.Tekide and his crypters used by APT34 (OilRig) and others. Other

organizations have documented information about Mr.Tekide's tools in 'celebrated' cyber attacks against Fortune 500 institutions, governments, educational organizations, and critical infrastructure entities.

Identification

However, identifying Mr.Tekide, his background, locations, and his own words has never been openly accomplished. Many believe that following an individual does not pay dividends. Treadstone 71 demonstrates the alignment of Mr.Tekide to the Iranian government through years of support using crypters such as the iloveyoucrypter, qazacrypter, and njRAT.

Fallacies in Threat Intelligence Lead to Fault Lines in Organizational Security Postures

This brief covers some general taxonomy along with a review of common mistakes concerning cyber and threat intelligence and how possible to not fall into these traps while knowing how to dig out if you do.