OpenAI on Friday said it had banned a set of accounts linked to what it described as an Iranian covert influence operation that used ChatGPT to generate content focused, among other things, on the upcoming U.S. presidential election.
“This week, OpenAI announced that it had identified and taken down a cluster of ChatGPT accounts generating content for a clandestine Iranian influence operation known as Storm-2035.”
The operation used ChatGPT to generate content on a number of topics, including commentary on candidates from both sides of the U.S. presidential election, which it then shared through social media accounts and websites.
OpenAI said the content did not achieve any meaningful engagement: the majority of the social media posts received negligible or no likes, shares, or comments, and the company found little evidence that the long-form articles generated with ChatGPT were shared on social media at all.
The articles covered U.S. politics and global events and were published on five different websites posing as progressive and conservative news outlets, an attempt to reach people on opposite sides of the political spectrum.
According to OpenAI, ChatGPT was also used to generate comments in English and Spanish, which were then posted from roughly a dozen accounts on X and one account on Instagram. Some of these comments were produced by asking the models to rewrite comments posted by other social media users.
The operation generated content on several topics, OpenAI said: mainly the conflict in Gaza, Israel's presence at the Olympic Games, and the U.S. presidential election, and to a lesser extent politics in Venezuela, the rights of Latinx communities in the U.S. (in both Spanish and English), and Scottish independence.
“They seamlessly integrated their political commentary with discussions of fashion and beauty, likely aiming to appear more authentic or cultivate a loyal fan base.”
Storm-2035 was also the subject of a report published last week by Microsoft, which described it as an Iranian network actively engaging U.S. voter groups on opposing ends of the political spectrum with polarizing messaging on issues such as the U.S. presidential candidates, LGBTQ rights, and the Israel-Hamas conflict.
Among the sham news and commentary sites attributed to the group are EvenPolitics, Nio Thinker, Savannah Time, Teorator, and Westland Sun. These sites have also been observed using AI-enabled services to plagiarize a fraction of their content from U.S. publications, with the rest being original. The group is believed to have been active since 2020.
Microsoft has further warned of an uptick in foreign malign influence activity targeting the U.S. election over the past six months from both Iranian and Russian networks. The Russian activity has been traced back to clusters tracked as the Doppelganger network, Storm-1516, and Storm-1841 (also known as Rybar).
Doppelganger “disseminates and amplifies information, including fabricated or even genuine content, such as state-sponsored material, across social media platforms,” according to French cybersecurity company HarfangLab. “To trigger the action, social network accounts share links that trigger a complex redirect chain to the final content website.”
That said, there are indications that the propaganda network is changing its tactics in response to aggressive enforcement, increasingly using non-political posts and advertisements and spoofing non-political and entertainment outlets such as Cosmopolitan, The New Yorker, and Entertainment Weekly in an attempt to evade detection, according to Meta.
The posts carry links that, when clicked, redirect users to an article on Russia-related war or geopolitics topics hosted on one of the counterfeit domains impersonating entertainment or health publications. The ads are created using compromised accounts.
Meta, which says it has taken down 39 influence operations from Russia, 30 from Iran, and 11 from China across its platforms since 2017, also reported uncovering six new networks in the second quarter of 2024: four from Russia, one from Vietnam, and one from the U.S.
“Doppelganger has since tried to share links to its domains again, albeit at a much lower rate,” Meta said. “We’ve also seen them use multiple redirect hops in conjunction with TinyURL’s link-shortening service to hide the final destination behind the links and deceive both Meta and our users, in an attempt to avoid detection and lead people to their off-platform websites.”
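The redirect-chain technique HarfangLab and Meta describe is easy to check for on a suspicious link: follow it one hop at a time with auto-redirect disabled and record every intermediate host. The script below is an added illustration, not code from the article or from Meta or HarfangLab. The shortener list beyond TinyURL, the sample chain, and the `.example` domains are constructed for the demonstration and stand in for no real infrastructure.

```python
"""Walk an HTTP redirect chain one hop at a time and flag the pattern above:
multiple hops, a link shortener in the chain, and a final domain different
from the one the link appeared to point at.

Added illustration, not code from the article or from Meta/HarfangLab. The
shortener list and the sample chain are constructed; the .example domains are
placeholders, not real Doppelganger infrastructure.
"""
from urllib import error, request
from urllib.parse import urljoin, urlparse

# TinyURL is named in the article; the other shorteners are assumed additions.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "is.gd", "cutt.ly"}
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


def hostname(url):
    return (urlparse(url).hostname or "").lower()


def follow_chain(start_url, fetch, max_hops=MAX_HOPS):
    """Return every URL visited, starting with start_url.

    `fetch(url)` performs ONE request without following redirects and returns
    (status_code, location_header_or_None). Loops and over-long chains raise,
    because both are themselves worth alerting on.
    """
    chain, seen, url = [start_url], {start_url}, start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return chain
        url = urljoin(url, location)  # Location may be relative
        if url in seen:
            raise RuntimeError("redirect loop at %s" % url)
        seen.add(url)
        chain.append(url)
    raise RuntimeError("chain exceeded %d hops" % max_hops)


def analyze(chain):
    """Summarize a resolved chain for triage."""
    hosts = [hostname(u) for u in chain]
    shorteners = [h for h in hosts if h in SHORTENERS]
    hops = len(chain) - 1
    return {
        "hops": hops,
        "shorteners": shorteners,
        "final_host": hosts[-1],
        "cross_domain": hosts[0] != hosts[-1],
        # Heuristic from the article: a shortener plus several hops to hide the landing site.
        "suspicious": bool(shorteners) and hops >= 2,
    }


def live_fetch(url, timeout=10):
    """One real network hop with urllib, auto-follow disabled (for live use)."""
    class NoRedirect(request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # urllib then surfaces the 3xx as an HTTPError

    opener = request.build_opener(NoRedirect)
    try:
        with opener.open(request.Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except error.HTTPError as e:
        return e.code, e.headers.get("Location")


# Constructed chain standing in for: shortener -> redirector (two hops) -> spoofed outlet.
CONSTRUCTED_CHAIN = {
    "https://tinyurl.com/abc123": (301, "https://redirector.example/go?id=7"),
    "https://redirector.example/go?id=7": (302, "/hop2"),
    "https://redirector.example/hop2": (302, "https://entertainment-news.example/story"),
    "https://entertainment-news.example/story": (200, None),
}


def constructed_fetch(url):
    """Offline stand-in for live_fetch that replays the constructed chain."""
    return CONSTRUCTED_CHAIN.get(url, (404, None))


if __name__ == "__main__":
    resolved = follow_chain("https://tinyurl.com/abc123", constructed_fetch)
    for i, hop in enumerate(resolved):
        print(i, hop)
    print(analyze(resolved))
```

To resolve a real link, pass `live_fetch` in place of `constructed_fetch`; keep the hop cap, since an attacker-controlled redirector can loop or fan out indefinitely, and treat a chain that mixes a shortener with a redirector before landing on a lookalike news domain as worth a closer look.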
The development comes as Google’s Threat Analysis Group (TAG) disclosed this week that it had detected and disrupted Iranian-backed spear-phishing attempts aimed at the personal accounts of high-profile individuals in Israel and the U.S., including people associated with the U.S. presidential campaigns.
The activity has been attributed to a threat actor tracked as APT42, a state-sponsored hacking group affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) that is known to overlap with the Charming Kitten (also known as Mint Sandstorm) cyber espionage group.
“APT42 uses a variety of different tactics as part of their email phishing campaigns, including hosting malware, phishing pages, and malicious redirects,” Google said, adding that the group generally tries to abuse legitimate services such as Google (Sites, Drive, Gmail and others), Microsoft’s OneDrive, and Dropbox for these purposes.
The broad strategy is to earn targets’ trust through sophisticated social engineering, move them off email and onto instant messaging channels such as Signal, Telegram, or WhatsApp, and then push bogus links designed to harvest their login credentials.
APT42’s phishing campaigns are characterized by the use of tools such as GCollection, LCollection, YCollection, and DWP to harvest credentials from Google, Hotmail, and Yahoo users. Google noted that the group has a strong understanding of the email providers it targets.
Once APT42 gains access to an account, it often adds further mechanisms of access so that it survives a password reset, including changing the recovery email address and making use of features that let applications without multi-factor authentication (MFA) support sign in, such as application-specific passwords in Gmail and third-party app passwords in Yahoo. Because these paths bypass MFA by design, an account review after suspected compromise has to cover recovery options and app passwords, not just the primary password.
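The persistence pattern above is detectable from account audit events: a login from an IP the account has never used, followed within hours by a recovery-email change or the creation of an app-specific password. The script below is an added illustration, not Google’s detection logic or any provider’s log format. The event records are constructed, and the field and event names (`login`, `recovery_email_changed`, `app_password_created`) are an assumed normalized schema such as a SIEM might produce, not real Gmail or Yahoo audit-log fields.

```python
"""Flag the post-compromise persistence pattern above: soon after a login from an
IP the account has never used, the recovery email is changed or an app password
is created, both of which survive a password reset and sidestep MFA.

Added illustration, not Google's detection logic or its log format. The event
records are constructed, and the field names are an assumed normalized schema a
SIEM might produce, not any provider's real audit-log fields.
"""
from datetime import datetime, timedelta

# Event types that grant access persisting past a password change (assumed names).
PERSISTENCE_EVENTS = {
    "recovery_email_changed",
    "recovery_phone_changed",
    "app_password_created",
}
WINDOW = timedelta(hours=24)

# Constructed sample: one account hit from an unfamiliar IP, one with routine activity.
EVENTS = [
    {"ts": "2024-08-10T09:00:00", "user": "staffer@example.org", "event": "login", "ip": "198.51.100.7"},
    {"ts": "2024-08-12T21:14:00", "user": "staffer@example.org", "event": "login", "ip": "203.0.113.44"},
    {"ts": "2024-08-12T21:20:00", "user": "staffer@example.org", "event": "recovery_email_changed"},
    {"ts": "2024-08-12T21:25:00", "user": "staffer@example.org", "event": "app_password_created"},
    {"ts": "2024-08-13T08:00:00", "user": "other@example.org", "event": "login", "ip": "198.51.100.9"},
    {"ts": "2024-08-15T08:00:00", "user": "other@example.org", "event": "recovery_email_changed"},
]

# Baseline of IPs each account was seen from before the period under review (constructed).
KNOWN_IPS = {
    "staffer@example.org": {"198.51.100.7"},
    "other@example.org": {"198.51.100.9"},
}


def detect(events, known_ips, window=WINDOW):
    """Return one alert per (user, novel login) that was followed within `window`
    by at least one persistence event. Accounts absent from known_ips have their
    first login treated as novel, which is the conservative choice."""
    seen = {user: set(ips) for user, ips in known_ips.items()}
    last_novel_login = {}  # user -> (timestamp, ip)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["event"] == "login":
            ips = seen.setdefault(user, set())
            if ev["ip"] not in ips:
                ips.add(ev["ip"])
                last_novel_login[user] = (ts, ev["ip"])
        elif ev["event"] in PERSISTENCE_EVENTS:
            novel = last_novel_login.get(user)
            if novel and ts - novel[0] <= window:
                key = (user, novel[0])
                alert = alerts.setdefault(key, {
                    "user": user,
                    "login_ts": novel[0].isoformat(),
                    "ip": novel[1],
                    "events": [],
                })
                alert["events"].append(ev["event"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect(EVENTS, KNOWN_IPS):
        print(alert)
```

Only the account whose recovery email and app password changed minutes after an unfamiliar-IP login is flagged; the routine recovery-email change on the second account, made from a known IP and days later, is not. When such an alert fires, the response is to revoke the app passwords, restore the recovery options, and sign out all sessions, since a password reset alone leaves the attacker’s added access in place.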