Regime’s Fear of MEK Leads to Escalation of Cyber-Terrorism Campaign by MOIS
The National Council of Resistance of Iran (NCRI) Committee on Security and Counterterrorism released a new report on Thursday detailing the cyber campaign against the MEK by the Iranian regime’s Ministry of Security and Intelligence (MOIS).
Iran MOIS’ Futile and Disgraceful Ploys Targeting Iran Resistance
According to the report, the regime is reeling from the effects of this summer’s Free Iran rallies in numerous world capitals and the five-day conference held at Ashraf-3, the MEK’s headquarters in Albania, which was attended by more than 350 prominent political figures and human rights activists from 47 countries. These events, combined with increasing resistance activity within Iran and tightening sanctions on Iran’s petrochemical industry and regime leaders and entities, have led the clerical dictatorship to the brink of collapse.
Influence at Home and Abroad
Regime leaders are now openly voicing their concerns about the MEK’s power and influence both inside Iran and abroad. On August 8th, the Kayhan daily newspaper wrote that the MEK “has penetrated deeply into our homes and its impact is being felt.”
In a July 29th interview on state-run television, IRGC Brigadier General Assadollah Nasseh said: “We must know that everything that takes place in the world against us is the result of their [MEK’s] lobbying effort somewhere or a price that they have paid… On the issue of missiles, we witness that it was based on the information that they provided to the Americans. Regarding human rights, they make up dossiers and files and provide them to Europeans and they put pressure on us in this way. They use every leverage against us.”
Influence on Social Media
Regime officials have also expressed alarm at the MEK’s presence on social media.
In a July 28th interview with the state-run ISNA, IRGC Brigadier General Gholamreza Jalali, who heads the regime’s civil defense forces, said: “Their [MEK] fingerprint is on many of the controversies that we face. Many of the news cycles in cyberspace that are orientated against the state and the revolution are their psychological warfare [read: expose our crimes] against us… [MEK] incite people to rise up… During last year’s events,… They try to influence public opinion and perception in society negatively, and to instill despair, disappointment and a sense of failure of the Islamic Republic.”
On August 2nd, Brigadier General Abolghassem Forootan told the state-run Mizan news agency, “This time they [MEK] want to harm the values of our nation and system through the use of cyberspace and soft power.”
The NCRI report cites the growing alarm by the Iranian regime as a reason for its escalating cyber campaign against the MEK. According to the report, “the MOIS, IRGC, and Qods Force have embarked on a futile campaign to counter the growing resistance to the regime by using their propaganda and cyberwarfare machine.”
Cyber attacks against the MEK
The NCRI report lists a number of specific examples of online attacks against the MEK and the Iranian Resistance by the regime.
- The English language website Iran Front Page (IFP) claimed that it had access to a “private meeting of the MEK in Albania.” As evidence for this false claim, the site posted a two-minute clip featuring the voice of Mr. Mehdi Abrishamchi reviewing the policies of past US administrations in appeasing the clerical regime. The clip in question was taken from a public meeting with Iranians after the annual NCRI gathering in Paris on July 1, 2017. The two-minute segment was not private, did not pertain to Albania, was not new, and was taken out of context. The website has been registered to an owner in Tehran since 2014.
- The MOIS claimed to have access to a second audio clip of Mr. Abrishamchi in another internal meeting in Albania, which they published on a website called Mozahemin.org [Nuisances]. The audio clip featured a photograph of Mr. Abrishamchi in a public meeting in Paris over the voice of a woman saying, “In 2013 a message announced that the regime would be overthrown in six months…” Neither the photo nor the voice (which has not been verified) has any connection to Albania. The website is openly owned by and registered to the MOIS.
- The state-run Khorasan daily ran an article on June 3, 2019, acknowledging the regime’s inability to counter the MEK within Iran. The article published transcripts from an audio recording of “a secret internal meeting of the MEK in January 2018 in which Mehdi Abrishamchi, second in command of the group, explicitly revealing the terrorists’ role [derogatory for MEK] in the riots of December 2017.” The article quotes Mehdi Abrishamchi stressing the importance of activating 1,000 Ashraf bases, or resistance units, to inflame the uprisings taking place in cities across Iran. The regime has spent 40 years publicly denying that the MEK is an existential threat while spending millions to try to eliminate the group. The days of denying the threat of the MEK are over.
- On August 8, the Daily Beast wrote, “American intelligence officials are monitoring a social media disinformation campaign that attempted to falsely implicate the White House National Security Adviser in a global money laundering and drug trafficking operation. On Monday, a Twitter user claiming to be a high-ranking Canadian law enforcement official posted records supposedly showing a $350,000 wire transfer from a Canadian children’s apparel company to a Swiss bank account owned by National Security Adviser John Bolton’s daughter… Twitter suspended the fake Belanger account and Toronto Police Service spokesman Alex Li confirmed to The Daily Beast that it was ‘a fraudulent’ persona. The real police official the account had impersonated has never had a Twitter account. A U.S. official familiar with the apparent disinformation campaign said intelligence community officials were aware of the effort. And Lee Foster, an information operations intelligence analyst at the cybersecurity firm FireEye, told The Daily Beast that the hoax’s techniques are ‘consistent with what we’ve seen with previous pro-Iranian influence operations.’ Bolton is among the Trump administration’s most aggressive critics of the Iranian regime. The U.S. official, while not commenting on this week’s disinformation campaign specifically, said Bolton has been the target of state-sponsored influence operations designed to weaken his standing in the administration. Though Twitter quickly removed the tweet on Monday and suspended the account, it had already been picked up and covered by a handful of websites with editorial positions sympathetic to the Iranian government. News outlets such as Iran Front Page blared ‘Belanger’s’ claims that a Canadian business that had supposedly transferred the funds at issue had been caught smuggling ‘a significant amount of opium’ and ‘has close ties with the Mujahedin Khalq Organization (MKO) terrorist group.’”
- In July, the MOIS began using fake email accounts to send messages to supporters of the Iranian Resistance. The accounts are either similar to emails of well-known Resistance figures, or they carry the names of those people. The messages are used to disseminate false and misleading information about the Resistance.
- In July, the regime’s cyber army used a fake Telegram account, @SetareganZamini, to contact friends of the Iranian Resistance in order to request financial support for resistance units in Iran.
- In July, the regime’s cyber army used the name and email of MEK supporter Zahra Asl Rousta ([email protected]) to send a message with a PDF attachment containing a series of questions. The PDF contained a virus that, if the file was opened, would give the hackers access to the recipient’s stored data.
- In April and May, a woman who introduced herself as Arezoo, an official with the MEK, contacted a number of MEK supporters, claiming that she would be busy with demonstrations and was going to be replaced by a person named Homa. Homa was an MOIS agent who repeatedly asked for information about the Resistance. For example, she wrote, “I want to know whether you know anyone in Iran who you can introduce and with whom I can speak? Let us know about anyone, anywhere, who you think could be in touch with us or give us any news or carry out even a small task. I would be very grateful.”
- In April, the regime sent a PDF file through the email account [email protected] with the title “a visual report on the residents of Ashraf in Albania.” The file contained a virus.
- In April, a regime cyber agent used a fake email account bearing the name of a Resistance official to send messages to a number of Resistance members claiming that his/her emails were hacked. One of these messages read, “Hi, I would like to inform you that email of——has been hacked. If he/she sends you an email, don’t click on it because it is a virus and will infect your computer and cellphone. Please let all friends know.” Shortly thereafter, the agent sent messages asking recipients to contact a different email and requesting personal information, such as phone numbers, saying that it had been lost.
- In April, a regime cyber agent sent a series of false reports about “infiltrators” to the group. He copied a text which had previously been sent to MEK supporters and added, “The collection of these issues in recent days speaks to the presence of infiltrators among the ranks of PMOI supporters and the PMOI itself, which only adds to the need for awareness about those around us and about drawing lines and being vigilant.” He also included a number of false reports about regime agents posing as MEK members asking for donations. The MEK does not collect donations in this manner.
- A man received a Telegram message from his brother in Iran asking him to travel abroad to visit. After following up on the message, the man discovered that his brother had been arrested and that the regime had sent the messages from his brother’s account in order to lure him to Iran.
- A regime cyber agent used the email account [email protected], which is similar to Hambastegi Meli’s email, to spread disinformation about the MEK and the Iranian Resistance. Meli’s actual email address is [email protected].
- MOIS agents used two accounts, [email protected], and [email protected] to email MEK supporters and Iranians, posing as dissidents. The emails would start with a series of questions and then progress to anti-MEK propaganda.
- Regime cyber agents used a Skype account that was similar to one that was used by a member of the Resistance to obtain information from MEK supporters.
- The MOIS sent threatening messages to MEK members on Telegram. One such message by “didban fazaye majazi” reads, “Dear telegram user, you have joined the telegram group nationwide uprising, which belongs to the PMOI. So far your membership appears to be out of ignorance. If you continue to be a member, it would be perceived as deliberate membership and would have legal repercussions for you.”
- Over the past few months, regime intelligence agents have used the telephone number 3-393-750-2075 to call Iranian Resistance supporters in France in order to steal their Facebook and email account information.
- An MOIS agent recently attempted to procure an interview with an MEK supporter by using an email account similar to the one used by a U.S. journalist. The agent copied the journalist’s picture and information and sent a dangerous virus to the MEK supporter in an attempt to hack his computer. The attempt was unsuccessful on all counts.
Avoid Unknown Contacts and Emails
The NCRI’s Committee on Security and Counterterrorism calls on all supporters and friends to expose the regime’s cyber campaigns. It further urges all supporters to be cautious in responding to emails or social media contacts, including Telegram, WhatsApp, and Skype. Do not respond to unknown or suspicious emails or social media requests, and report suspicious cases to NCRI representative offices or PMOI chapters in different countries.