September 26, 2024 | Memo
How U.S. Adversaries Undermine the Perception of Election Integrity
Introduction
Hacking election infrastructure remains difficult, but attempts to hack people’s minds can be as easy as spinning up fake social media profiles and websites. While federal agencies and election officials repeatedly affirm the physical security and cybersecurity of U.S. elections,1 a significant vulnerability remains — the public’s belief in the integrity of elections. America’s adversaries — specifically China, Russia, and Iran — are seeking to cast doubt on the very value of democratic processes because America’s most enduring asset is the strength of its democracy.
Exposing these malicious campaigns limits our adversaries’ ability to sow discord and spread lies about America’s political system. For this reason, in the lead-up to and following the November elections, the Foundation for Defense of Democracies (FDD) will produce reports providing a snapshot of the foreign malign influence operations of Iran, Russia, and China targeting U.S. voters.
The reports will focus on attempts by U.S. adversaries to create inauthentic accounts, pages, and media brands that present themselves as the voices of actual Americans while delivering content crafted by Tehran, Moscow, and Beijing. The reports will emphasize examples of such deception that FDD has uncovered through its own research. While America’s adversaries also produce content that they distribute via outlets openly affiliated with their governments, such as Sputnik or China Daily, they are increasingly investing in capabilities to conduct covert influence operations.2
In addition to documenting foreign influence operations, FDD’s reports will identify actionable, short-term measures that U.S. policymakers, law enforcement, and private companies can take to combat attempts to undermine Americans’ belief in the value of U.S. elections. Specifically, this report recommends sanctioning both the operatives conducting these influence campaigns and the financial networks that enable the activity. Authorities also need to conduct more robust investigations and dismantle known infrastructure that supports these influence campaigns whether located in the United States or abroad.
FDD Exposes Network of 19 Iranian Websites
As part of a broader global operation, Iran is attempting to pass off a series of websites it controls as legitimate news outlets in order to trick Americans into consuming Iranian propaganda. In early August, Microsoft identified three such websites,3 and OpenAI exposed another two.4 FDD has shown that these five domains are part of a larger network of at least 19 websites tailored to diverse audiences around the world.5 These websites attempt to portray themselves as authentic, local voices but are likely run by Iranian operatives.
Within this broader network, eight English-language websites focus heavily on the U.S. election. Several target specific geographic, demographic, or affinity groups, including African Americans, veterans, Spanish speakers, and Muslims in Michigan. Two of the U.S.-focused websites promote more conservative views, while the others support liberal and progressive candidates.
Afromajority[.]com targets African American voters with content that is often critical of former President Donald Trump, sympathetic to Vice President Kamala Harris, and supportive of the Black Lives Matter movement. In addition to covering the U.S. election, much of the website’s content frames Iran in a positive light, with one article describing the Iranian Supreme Leader’s support for American student protesters as “a profound act of empathy, an embrace of the shared struggle for justice animating the current wave of mobilizations from the youth vanguard.”6 This website also shows evidence of AI-generated content, with one article including in its introduction what appears to be the prompt for an AI tool to write the article and another mistakenly referring in July 2024 to the late Ebrahim Raisi as the newly inaugurated president of Iran.7
The top portion of the Afromajority[.]com homepage as it appeared on September 9, 2024
Notourwar[.]com has a dedicated tab titled “Veterans,” indicating the apparent target of its content.8 The website provides slanted commentary on U.S. military history with a focus on alleged U.S. war crimes and human rights violations during past conflicts, particularly in the Middle East. The website also features some U.S. election-related content. Rather than supporting a particular candidate, the website appears intent on denigrating both major presidential candidates and U.S. democracy more broadly, with articles titled “The Bitter Choice: Biden vs. Trump and the Illusion of Democracy in the US” and “Two Presidents, One Problem: Drawing Parallels Between Biden and Trump’s Mental Disorders.”9 Not Our War is also one of the most explicitly pro-Iran websites in the network, with one article alleging that the United States is secretly researching a weather-controlling weapon meant to “curb Iran’s Geopolitical Supremacy.”10
Lalinearoja[.]net is a Spanish-language news website that is strongly anti-American, anti-Saudi, and anti-Israeli while expressing considerable sympathy toward Iran and its proxies.11 While the website primarily focuses on Latin American issues, with a particular focus on Cuba and Venezuela, it regularly publishes election-related content.12 The website generally expresses cautious optimism about Vice President Harris but also repeatedly criticizes her support for Israel.13 In an article titled “We won’t vote for genocide, Americans to Harris,” the website quotes Izzat Al-Rishq, a member of the Hamas political bureau, calling Harris “a hypocrite on human rights issues.” In “Harris avoids radical change in Israel’s politics,” the website pans Harris’ “ambivalent position on the Palestinian cause” while condemning her support for “the Zionist project,” calling Israel “a fundamental war laboratory for the imperialist web of the United States.”
Westlandsun[.]com is a Michigan-focused, English-language outlet.14 The website focuses on issues of concern to Muslim Americans, specifically those in Michigan, and publishes extensively on the U.S. election, typically criticizing conservatives and praising progressive candidates. For example, one article discusses President Joe Biden’s outreach to Muslim and Arab Americans in Dearborn, Michigan, and another calls the Michigan primary “a political litmus test for Biden’s stance on Israel.”15 Meanwhile, the website’s coverage of Iran and U.S. policy towards Iran has a pro-regime slant.16
Two other U.S. election-focused domains in this network align themselves with liberal and progressive politics: Niothinker[.]com and Evenpolitics[.]com.17 A third website in the network, Savannahtime[.]com, aggressively criticizes Harris and “proudly embraces conservative principles, advocating for limited government, individual liberties, and traditional values.”18 Curiously, this website calls Iranian President Ebrahim Raisi’s death a “tragedy” and repeatedly calls for U.S. and Israeli diplomatic engagement with Iran.19 Another domain in the network, Teorator[.]com, promotes far-right views and conspiracy theories that Democrats are trying to “rig [the] election with foreign voters.”20 This website also criticizes Iranian proxies and Iranian immigrants in the United States.21
Despite the diversity of these websites’ audiences, technical indicators show that they are in fact related. Most notably, they currently share and previously have shared the same web hosting servers. Patterns in the email addresses of the creators of several domains indicate at least some coordination. Many use the same WordPress building software (Elementor) and the same WordPress theme (Hello Elementor). Half of the domains also have social media icons with broken links. These websites also typically attribute content to unnamed staff authors, rather than specific writers. While posing as independent outlets that have no relationship to each other, these websites appear to be part of a malign influence campaign run by Iran.
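The kind of indicator overlap described above can be scored pairwise and grouped into clusters. The following is an added example, not FDD's tooling or data: the domains, IP addresses, email addresses, weights, and threshold are all constructed assumptions, chosen so that the common WordPress stack alone never links two sites.

```python
import re
from itertools import combinations

# Assumed weights: a shared hosting IP is the strongest signal. Elementor and
# the Hello Elementor theme are widely used, so the stack match is weak.
WEIGHTS = {"shared_ip": 3, "email_pattern": 2, "same_stack": 1,
           "broken_social": 1, "staff_byline": 1}
LINK_THRESHOLD = 4  # assumption: the three weak signals alone (3) never link

# Constructed observations: placeholder .example domains, documentation IPs.
# "ips" holds current and historical hosting addresses for each domain.
SITES = {
    "metro-voice.example": dict(
        ips={"192.0.2.10", "198.51.100.7"}, email="editor.mv01@mail.example",
        builder="elementor", theme="hello-elementor",
        broken_social=True, byline="staff"),
    "vets-ledger.example": dict(
        ips={"192.0.2.10"}, email="editor.vl02@mail.example",
        builder="elementor", theme="hello-elementor",
        broken_social=True, byline="staff"),
    "lakeside-sun.example": dict(
        ips={"198.51.100.7"}, email="editor.ls03@mail.example",
        builder="elementor", theme="hello-elementor",
        broken_social=False, byline="staff"),
    "hobby-bakery.example": dict(  # unrelated site on the same common stack
        ips={"203.0.113.50"}, email="jane@bakery.example",
        builder="elementor", theme="hello-elementor",
        broken_social=True, byline="staff"),
    "city-gazette.example": dict(
        ips={"203.0.113.99"}, email="newsroom@gazette.example",
        builder="custom", theme="gazette",
        broken_social=False, byline="named"),
}

def email_shape(addr):
    """Reduce an address to its pattern: letter runs -> 'a', digit runs -> '9'."""
    local, _, domain = addr.lower().partition("@")
    shape = re.sub(r"[a-z]+", "a", local)
    shape = re.sub(r"[0-9]+", "9", shape)
    return f"{shape}@{domain}"

def shared_indicators(a, b):
    """Return the names of the indicators two site records have in common."""
    hits = []
    if a["ips"] & b["ips"]:
        hits.append("shared_ip")
    if email_shape(a["email"]) == email_shape(b["email"]):
        hits.append("email_pattern")
    if (a["builder"], a["theme"]) == (b["builder"], b["theme"]):
        hits.append("same_stack")
    if a["broken_social"] and b["broken_social"]:
        hits.append("broken_social")
    if a["byline"] == b["byline"] == "staff":
        hits.append("staff_byline")
    return hits

def score(hits):
    return sum(WEIGHTS[h] for h in hits)

def cluster(sites, threshold=LINK_THRESHOLD):
    """Union-find over pairs whose weighted overlap meets the threshold."""
    parent = {d: d for d in sites}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    evidence = {}
    for a, b in combinations(sorted(sites), 2):
        hits = shared_indicators(sites[a], sites[b])
        if score(hits) >= threshold:
            evidence[(a, b)] = hits  # keep the reasons for analyst review
            parent[find(a)] = find(b)
    groups = {}
    for d in sites:
        groups.setdefault(find(d), set()).add(d)
    return [g for g in groups.values() if len(g) > 1], evidence

if __name__ == "__main__":
    groups, evidence = cluster(SITES)
    for g in groups:
        print("cluster:", sorted(g))
    for pair, hits in evidence.items():
        print(pair, score(hits), hits)
```

The retained evidence list matters as much as the cluster: an analyst can see that `hobby-bakery.example` shares only the common stack, broken icons, and staff bylines with the others and is therefore left out.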
Pro-Iranian Persian-Language Accounts on X Target Iranian Diaspora
While Iran has banned X (formerly Twitter) domestically, Iranian officials, including the supreme leader, have X accounts.22 An Iranian official once justified this to a group of students at the University of Tehran, saying that Iranian officials need to use social media to communicate Iran’s message to the world, and in particular, to Iranians living overseas.23 It appears that the regime — or, at the very least, its supporters — is doing just that ahead of the U.S. presidential election.
FDD has uncovered 2,378 unique X accounts (as of August 19, 2024) posting content about the U.S. election, primarily in Persian, in an apparent attempt to reach Iranian expats, including in the United States, which is home to over 400,000 members of the Iranian diaspora community.24 The accounts frequently repost each other’s content, and many have Iranian flags in their names. Many of the accounts post in high volumes that indicate possible automation. Several accounts use profile pictures that appear to have been generated by artificial intelligence to mask the identity of the account’s operator.
The accounts post ample election-related content that heavily criticizes both President Trump and Vice President Harris (and President Biden before he dropped out of the race). Criticism of Trump claims he is racist and Islamophobic and condemns his stance on the Israel-Hamas conflict.25 While the accounts’ content about Harris is generally less critical,26 it similarly decries her position on the war, urging her to stop supporting Israel.27
Left: Post from X account in network claiming Trump is racist and Islamophobic. Right: Post from the same account claiming Harris is performing better than Trump in swing states and with youth.
In addition to its election-related content, the network consistently praises Iran and its proxies, including Hamas, the Houthis, and Hezbollah.28 The network shares political cartoons depicting the debunked story that the Houthis had successfully struck an American aircraft carrier, the USS Eisenhower. On the day of Hamas leader Ismail Haniyeh’s assassination, the network shared a photo of a child in front of a destroyed building holding a portrait of Haniyeh.
A Telegram account appears to orchestrate the activity of a subset of accounts in the network. These accounts repost content shared in a Persian-language, pro-Iran Telegram channel called “Revolutionary Twitter – X” (توییتر انقلابی – ایکس).29 This Telegram channel (@twtenghelabi) also links to associated accounts on Instagram and several Iranian platforms, including Eitaa, Rubika, and Splus. The channel has over 62,000 subscribers30 and appears, at least in part, to seed content that the Persian-language accounts use on X. For example, on July 22, after the Telegram channel shared a post by X user @faeze1990 about Trump’s statements on the Iranian economy,31 the network reposted this content over 35 times over the course of eight days, with identical or nearly identical text. Several of these posts even included the logo of the @twtenghelabi Telegram channel in their photos, showing that they took these photos directly from the Telegram channel, rather than from the original post on X.32
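The repost pattern described above (a seed post followed by many identical or nearly identical copies over eight days) can be detected with word-shingle similarity. This is an added example, not FDD's method or data: the posts and account names are constructed, and the 0.5 similarity threshold and three-account minimum are assumptions.

```python
import re
from datetime import datetime, timedelta

def normalize(text):
    """Lowercase, drop URLs, mentions and hashtags, return word tokens."""
    text = re.sub(r"https?://\S+|[@#]\w+", " ", text.lower())
    return re.findall(r"\w+", text)  # \w is Unicode-aware, so Persian works too

def shingles(tokens, k=3):
    """Set of overlapping k-word sequences; short texts become one shingle."""
    if len(tokens) < k:
        return {tuple(tokens)}
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}

def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def copies_of_seed(seed, posts, window=timedelta(days=8), min_sim=0.5):
    """Posts inside the window after the seed whose text closely matches it."""
    seed_sh = shingles(normalize(seed["text"]))
    hits = []
    for p in posts:
        delta = p["time"] - seed["time"]
        if timedelta(0) <= delta <= window:
            sim = jaccard(seed_sh, shingles(normalize(p["text"])))
            if sim >= min_sim:
                hits.append((p["account"], round(sim, 2)))
    return hits

def is_coordinated(hits, min_accounts=3):
    """Count distinct accounts, so one account reposting itself does not trip it."""
    return len({account for account, _ in hits}) >= min_accounts

# Constructed sample data (English stand-ins for the Persian posts).
TEXT = ("The candidate said sanctions have wrecked the economy "
        "and promised even more pressure")
SEED = {"account": "seed_channel", "time": datetime(2024, 7, 22, 9, 0),
        "text": TEXT}
POSTS = [
    {"account": "acct_a", "time": datetime(2024, 7, 22, 12, 0),
     "text": TEXT + " https://t.example/x1"},
    {"account": "acct_e", "time": datetime(2024, 7, 23, 8, 0),
     "text": "Polls open at seven tomorrow, bring your ID and check your precinct"},
    {"account": "acct_b", "time": datetime(2024, 7, 24, 18, 30),
     "text": TEXT + "!! #election"},
    {"account": "acct_a", "time": datetime(2024, 7, 25, 7, 15),
     "text": TEXT},
    {"account": "acct_c", "time": datetime(2024, 7, 29, 21, 0),
     "text": TEXT.replace("wrecked the", "wrecked our")},  # one word changed
    {"account": "acct_d", "time": datetime(2024, 8, 5, 10, 0),
     "text": TEXT},  # identical, but outside the eight-day window
]

if __name__ == "__main__":
    hits = copies_of_seed(SEED, POSTS)
    print(hits, "coordinated:", is_coordinated(hits))
```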
Hezbollah’s Cross-Platform Influence Operation
Iran also appears to be using its terrorist proxies to conduct cyber-enabled influence operations to interfere with the U.S. election. Four years ago, according to U.S. intelligence, Hezbollah conducted small-scale efforts to influence the 2020 U.S. election.33 During the 2024 election cycle, Hezbollah is once again attempting to undermine Americans’ faith in their democracy and the stability of the U.S. political system.
The “Hoopoe Platform,” a media brand that the threat intelligence firm Recorded Future first outed as a foreign influence operation,34 propagates English-language, pro-Hezbollah, anti-U.S., and anti-Israel content across YouTube, Facebook, Instagram, X, TikTok, Telegram, and LinkedIn. The network’s YouTube channel has since been taken down, while its other channels remain online (as of September 2, 2024).35
The Hoopoe Platform variously criticizes and expresses support for both major presidential candidates,36 but its distinctive emphasis is the denigration of the democratic process itself. The platform alleges that both political parties “take money from the same people,” that elections present an “illusion of choice” and that the country is run by a “uniparty.”37 Other posts on X and TikTok suggest that “Israel rules America” and that the election is controlled by Israel, Jewish financial interests, or the deep state.38 Hoopoe material also insinuates that the deep state was responsible for the July 13, 2024, assassination attempt against President Trump or, conversely, suggests the attempt was staged.39 The platform also promotes content from others warning that civil war might erupt should Trump lose the election.40
Post on X from Hoopoe Platform discouraging voters from choosing Trump or Biden.
The Hoopoe Platform also appears to share U.S. election-related content to garner more engagement from U.S. audiences for its explicitly pro-Hezbollah content. This material often quotes Hassan Nasrallah and warns that Hezbollah will strike Israeli military bases as well as power plants, oil refineries, ports, and civilian airports.41 Several posts even share official statements from Hezbollah.
The platform takes its name from the hoopoe bird, a prominent symbol in Levantine and Middle Eastern culture and Islamic texts. For this same reason, Hezbollah named its drones “hoopoe drones.” The Hoopoe Platform has shared at least one of Hezbollah’s videos purporting to show surveillance footage of strategic locations in Israel.42
While Recorded Future identified the platform as Iranian, deeper research by FDD into the content and the past and present affiliations of the Hoopoe Platform’s news hosts indicates that Hezbollah plays a prominent role. If Iran is indeed involved, it is more likely a joint enterprise involving both patron and client. At least one video on the Hoopoe Platform’s (now defunct) YouTube page appears to be a news program, filmed in a television studio, hosted by a man named Srdjan Preradovic who appears to have numerous connections to Hezbollah. His Facebook profile, for example, lists only two friends, one of whom works as a reporter for Iranian state news outlet PressTV, and the other shared a post recruiting people to work at al-Ahed, a Hezbollah-owned news outlet.43 He also appears to have previously hosted a show titled “News Analysis with host Srjdan Preradovic,” broadcasted by al-Etihaj TV Newsroom, a channel owned by Kataib Hezbollah, an Iranian terrorist proxy in Iraq.44 Additionally, the Hoopoe Platform’s YouTube channel and Facebook page list an email address, Hoopoeplatform@gmail[.]com.45 Using open-source intelligence platform OSINT Industries, FDD found that the phone number affiliated with this email address has a Lebanese country code, further suggesting Hezbollah’s involvement.
Left: Screenshot of Hoopoe Platform YouTube video (which has since been taken down) showing the name of the ‘news anchor’ who appears in much of the network’s content. Right: Facebook page of this man showing his friend connections with people associated with Iran and Hezbollah-run news outlets.
Russia Intertwines the U.S. Election and Support for Ukraine
During the 2024 election cycle, Russian President Vladimir Putin is attempting not only to stoke divisions in American society and undermine public confidence in democratic institutions but also to weaken American support for Ukraine, especially in swing states, according to U.S. intelligence.46 Microsoft warned it is tracking upwards of 70 Russian groups engaging in “Ukraine-focused disinformation” using “both covert and overt operations.”47 One such effort is the prolific Doppelganger campaign.
Doppelganger earned its name by cloning mainstream news websites. Within the United States, Doppelganger has spoofed Fox News and The Washington Post while also creating original brands, such as Election Watch and Lies of Wall Street, that purport to be American.48 In early September, the Department of Justice (DOJ) seized 32 Doppelganger websites and indicted three companies operating these domains for violating U.S. money laundering and criminal trademark laws.49
Doppelganger has used AI-generated content and manufactured statements from celebrities to drive audience engagement.50 According to DOJ, Doppelganger also used paid social media ads and “social media profiles posing as U.S. (or other non-Russian) citizens” to attempt “to trick viewers into believing they were being directed to a legitimate news media outlet’s website.”51
Doppelganger began targeting European audiences two years ago and expanded to U.S. audiences last year.52 While Doppelganger attempts to exacerbate political divisions within the United States by angering all sides,53 its approach to Ukraine is one-sided: the campaign attacks Democrats who support Kyiv and bashes Ukrainians directly. In all cases, Doppelganger attempts to hide its Russian identity by appearing as authentic American voices.
In partnership with Alliance4Europe and other organizations in the Counter Disinformation Network (CDN), FDD analyzed Doppelganger activity on X in June 2024.54 Just as in other forums, central to Doppelganger’s efforts on X is the claim Ukraine is corrupt and thus U.S. aid is a waste of Americans’ “hard-earned money,” like “pouring water into a sieve.” Other content seeks to drive a wedge between the United States and its NATO allies, arguing that the European Union should “carry its weight.” The campaign often alleges that Ukrainian President Volodymyr Zelenskyy is power-hungry, betrays the Ukrainian people and his allies, is militarily incompetent, or is a puppet of the Democratic Party. In turn, Doppelganger has criticized President Biden for allegedly focusing too much on providing military support to Ukraine, claiming Biden is neglecting domestic issues or misdirecting resources that would better serve U.S. citizens.55
Screenshots of English-language Doppelganger posts on X from CDN dataset analyzed by FDD.
Since the start of the war between Israel and Hamas, Doppelganger has pushed narratives on X implying that Israel controls the United States or that Israeli military actions have caused excessive Palestinian civilian deaths. At other times, however, Doppelganger has praised Israeli Prime Minister Benjamin Netanyahu and criticized the Democratic Party for allegedly distancing itself from Israel for political gain. The campaign has even argued that Washington should divert Ukrainian aid to Israel or even Taiwan, stating, “It seems wasteful to support a country [Ukraine] whose officials pocket the help they receive. Better aid Israel.”56 In this respect, it appears Doppelganger is simply using discussions of Israel to further its anti-Ukraine agenda.
Persistent Chinese Operation Targets U.S. Elections
Spamouflage, a sprawling Chinese multiplatform influence operation, has persisted over many years despite numerous attempts by social media companies to delete thousands of accounts associated with this malign influence campaign. The operation posts vast amounts of apolitical content in an attempt to hide its anti-American and pro-Chinese Communist Party (CCP) content from social media algorithms designed to weed out inauthentic activity. Since the first few months of 2024, Spamouflage has been sharing polarizing content related to the U.S. elections.57 In these efforts, Spamouflage impersonates U.S. voters to spread divisive content,58 criticize American democracy more broadly,59 and traffic in antisemitic tropes about Jewish control of the American government.60
FDD previously uncovered yet another wing of Spamouflage operating on Facebook, observing its attempts to begin pivoting from general anti-American content toward content more specifically tied to the upcoming election.61 After FDD revealed its existence in March and provided relevant information to Meta on about 450 inauthentic accounts, this wing of the network appears to have ceased operation.
In April 2024, however, a British think tank, the Institute of Strategic Dialogue, exposed Spamouflage accounts on X posing as Trump supporters.62 Some of these accounts previously posted pro-CCP and anti-American content, criticizing Republicans and President Trump,63 but now claim to be patriotic Americans and “Pro-Trump.”64
Spamouflage has historically criticized President Biden but posts much less frequently about Vice President Harris. After Biden dropped out of the race, however, the network began criticizing her,65 including sharing an apparently AI-generated cartoon of Harris attacking Trump with an axe in the bathtub with reference to The Shining.66
Many other posts criticize both candidates simultaneously, often by insinuating that Israel controls both political parties. At least twice, Spamouflage accounts have shared similar AI-generated images depicting a kneeling Trump and Harris worshipping a standing Israeli Prime Minister Netanyahu.67 Another post similarly argues that Israel controls America, with a cartoon of Trump and Harris in Netanyahu’s suit jacket pockets.68
AI-generated images depicting a kneeling Trump and Harris worshipping a standing Israeli Prime Minister Netanyahu.
More recently, in September, social media analytics firm Graphika exposed more Spamouflage accounts on X, again posing as concerned U.S. citizens.69 The report warns, “Spamouflage’s attempts to pose as U.S. users are more expansive than previously reported.” It further notes that while Spamouflage has gained little traction on X, a Spamouflage account on TikTok posing as a conservative American media outlet amassed 1.5 million views on one of its videos.
Recommendations
Ensuring election integrity requires a long-term commitment to action by the federal and state governments, social media and traditional media companies, and American citizens. In the next two months, however, there are concrete steps these parties can take to deter, thwart, and mitigate foreign malign cyber-enabled influence operations by America’s adversaries.
- Sanction the financial networks that facilitate illicit cyber activity: The U.S. Department of the Treasury has previously sanctioned individuals and entities for illicit cyber activity, including attempts to interfere in U.S. elections.70 The Department of Justice has likewise issued indictments. In coordination with interagency partners, the State, Treasury, and Justice Departments should continue these efforts. Sanctions and indictments that target operators, however, are insufficient given that the operators likely have limited financial exposure outside their home countries. Identifying and sanctioning the operatives’ financial backers (and then enforcing those sanctions), by contrast, may have a more immediate, detrimental effect, as those financiers likely have more ties to the international financial system and are thus more susceptible to U.S. (and multilateral) sanctions.
- Conduct investigations merging traditional open-source cybersecurity research and counter-influence operations strategies: The FDD research outlined in this report involved a combination of traditional cybersecurity techniques exploring domain registrants and malicious infrastructure alongside influence operations research analyzing narratives and messaging. This type of interdisciplinary investigation — whether conducted by the federal government, the intelligence community, and law enforcement or by academics and independent researchers — should become the norm to more rapidly identify and attribute foreign malign cyber-enabled influence operations targeting U.S. elections and the American people more broadly.
- Dismantle known infrastructure: While FDD research has exposed previously unidentified adversarial operations, it also highlights a systemic failure to disrupt known influence operations that persist despite public exposure. To varying degrees, social media companies disable accounts definitively linked to foreign malign influence operations, but these companies can do a better job enforcing their own policies against inauthentic activity. U.S. law enforcement, meanwhile, should work with internet service providers, cloud providers, web hosts, and other technology companies to take down domains associated with foreign influence operations.
- Work with U.S. allies to hold web hosting providers accountable: U.S. regulations require American web hosts and other service providers to verify the identity of foreign customers. Many foreign operatives and criminal actors, however, use hosts located outside the United States, beyond the reach of U.S. law enforcement. The U.S. government, through the State Department’s Bureau of Cybersecurity and Digital Policy and the FBI’s overseas cyber assistant legal attachés, should work with European and other allies to strengthen know-your-customer and other vetting processes for all internet infrastructure providers within their jurisdictions and help dismantle domains engaged in illegal activities whether they be influence operations or traditional criminal activity.71
- Provide additional technical information on foreign influence campaigns: In the lead-up to the November elections, the Office of the Director of National Intelligence committed to providing regular updates about threats to election integrity.72 The federal government is also moving quickly to confirm the attribution of campaigns exposed by private cybersecurity firms.73 However, neither these efforts nor previous declassified reports on threats to elections explain the tactics the intelligence community is observing. While discretion is necessary to protect U.S. sources and methods, foreign influence operations are largely conducted in the public eye. Open-source intelligence reveals a great deal about what China, Russia, and Iran are doing in cyberspace. Just as providing indicators of compromise helps the private sector protect itself from cyberattacks, providing more technical information helps social media companies, internet infrastructure providers, and private researchers identify and dismantle influence campaigns. More information may also enable the American people and their elected representatives to take additional steps to mitigate the vulnerabilities that U.S. adversaries are exploiting.
Conclusion
China, Russia, and Iran are actively attempting to undermine the faith that Americans have in democratic institutions and processes. Each of these adversaries employs inauthentic websites and content to mask their propaganda as an expression of genuine American opinion. Between now and the November election, federal and state governments, law enforcement, technology companies, and the American people themselves must take steps necessary to thwart attempts to undermine the public’s belief in the importance of elections. Over the long term, however, more needs to be done to address the underlying weaknesses in our technology, politics, and society that these adversaries are exploiting. Future reports in this series will seek to contribute to that vital conversation.