On Friday, OpenAI said it had banned a set of accounts linked to what it called a covert Iranian influence operation that used ChatGPT to create content that focused on, among other things, the upcoming US presidential election.
“This week we identified and took down a cluster of ChatGPT accounts that were creating content for a covert Iranian influence operation codenamed Storm-2035,” OpenAI said.
“The operation used ChatGPT to create content focused on a range of topics — including commentary on candidates from both sides of the US presidential election — which was then shared via social media accounts and websites.”
The artificial intelligence (AI) company said the content did not generate significant engagement and most of the social media posts did not receive likes, shares or comments. It also noted that it found no evidence that the long-form articles created using ChatGPT were shared on social media platforms.
The articles focused on US politics and global events and were published on five different websites posing as progressive and conservative news outlets, suggesting an attempt to target people on different sides of the political spectrum.
OpenAI said its ChatGPT tool was used to create comments in English and Spanish that were then posted to a dozen X accounts and one Instagram account. Some of these comments were generated by asking the AI models to rewrite comments posted by other social media users.
“The operation generated content on several topics: mainly the conflict in Gaza, Israel’s presence at the Olympics and the US presidential election – and to a lesser extent politics in Venezuela, Latino rights in the US (both in Spanish and English), and Scottish independence,” said OpenAI.
“They interspersed their political content with comments about fashion and beauty, perhaps to appear more authentic or in an attempt to build a following.”
Storm-2035 was also one of the threat clusters highlighted last week by Microsoft, which described it as an Iranian network that “actively engages groups of US voters on opposite ends of the political spectrum with polarizing messages on issues such as US presidential candidates, LGBTQ rights and the Israel-Hamas conflict.”
Some of the fake news and commentary sites created by the group include EvenPolitics, Nio Thinker, Savannah Time, Teorator and the Westland Sun. These sites have also been observed using AI-enabled services to plagiarize some of their content from American publications. The group has reportedly been active since 2020.
Microsoft has further warned of a surge in foreign malicious activity targeting the US election over the past six months from both Iranian and Russian networks, the latter of which has been traced to clusters tracked as Ruza Topop (aka Doppelganger), Storm-1516 and Storm-1841 (aka Fisherman).
“Doppelganger distributes and spreads fabricated, fake or even legitimate information on social media,” French cybersecurity company HarfangLab said. “To do this, social media accounts post links that initiate a confusing chain of redirects that lead to websites with the final content.”
However, there are signs that the propaganda network is changing its tactics in response to the aggressive measures taken against it, increasingly using non-political messages and ads and spoofing non-political and entertainment news publications such as Cosmopolitan, The New Yorker and Entertainment Weekly in an attempt to avoid detection, according to Meta.
The posts contain links that, when clicked, redirect users to articles related to the war or Russian geopolitics on one of the fake domains that mimic entertainment or medical publications. The ads are created using compromised accounts.
The social media company, which has foiled 39 influence operations from Russia, 30 from Iran and 11 from China on its platforms since 2017, said it had discovered six new networks from Russia (4), Vietnam (1) and the US (1) in the second quarter of 2024.
“Since May, Doppelganger has resumed attempts to share links to its domains, but at a much slower rate,” Meta said. “We’ve also seen them experiment with multiple redirects, including the link shortening service TinyURL, to hide the final destination behind the links and trick both Meta and our users, in an attempt to avoid detection and drive people to their websites off-platform.”
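The multi-hop redirect pattern Meta describes (a shortener, then one or more redirectors, then a spoofed news domain) is something a defender can resolve and score before a link is allowed through. The following is an added example, not code from Meta, OpenAI or the article: it follows a redirect chain hop by hop, stopping on loops or a hop limit, and reports shortener hops and whether the visible link's domain differs from the final destination. The hop map, hostnames and shortener list are constructed placeholders, not indicators from the page; in practice the `fetch_location` callback would issue a request with redirects disabled and return the `Location` header.

```python
"""Resolve a multi-hop redirect chain and flag shortener hops and destination drift.

Added example, not Meta's or the article's code. CONSTRUCTED_HOPS stands in for the
Location headers a defender would collect by requesting each hop with redirects disabled;
every domain below is a placeholder, not a real indicator.
"""
from urllib.parse import urlparse

# Constructed map: URL -> value of its Location header (None = final content, no redirect).
CONSTRUCTED_HOPS = {
    "https://tinyurl.com/example-hop1": "https://redirector.example/r?x=1",
    "https://redirector.example/r?x=1": "https://entertainment-lookalike.example/story",
    "https://entertainment-lookalike.example/story": None,
}

# Assumption: a defender-maintained list of link-shortening hosts (TinyURL is named in the article).
SHORTENERS = {"tinyurl.com"}


def resolve_chain(start_url, fetch_location, max_hops=10):
    """Follow Location headers from start_url.

    fetch_location(url) returns the next URL, or None when the hop serves final content.
    Returns (hops, reason) with reason in {'final', 'loop', 'max_hops'}; the hop limit and
    loop check keep a hostile redirector from keeping the resolver busy forever.
    """
    hops = [start_url]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        nxt = fetch_location(url)
        if nxt is None:
            return hops, "final"
        hops.append(nxt)
        if nxt in seen:
            return hops, "loop"
        seen.add(nxt)
        url = nxt
    return hops, "max_hops"


def assess_chain(hops):
    """Score a resolved chain: shortener hops hide the destination, extra hops are
    the 'multiple redirects' trick, and a host change means the link the user saw
    does not show where they actually land."""
    hosts = [urlparse(h).hostname or "" for h in hops]
    findings = []
    shortener_hops = [h for h in hosts if h in SHORTENERS]
    if shortener_hops:
        findings.append("shortener:" + ",".join(shortener_hops))
    if len(hops) > 2:
        findings.append("multi_hop:%d" % (len(hops) - 1))
    if hosts[0] != hosts[-1]:
        findings.append("destination_domain_differs")
    return {"final_host": hosts[-1], "findings": findings}


def analyse(start_url, hop_map=CONSTRUCTED_HOPS):
    """Resolve and assess one link; unknown URLs are treated as final content."""
    hops, reason = resolve_chain(start_url, hop_map.get)
    result = assess_chain(hops)
    result["hops"] = hops
    result["stop_reason"] = reason
    return result


if __name__ == "__main__":
    print(analyse("https://tinyurl.com/example-hop1"))
```

For the constructed chain the result lists three hops, names `tinyurl.com` as a shortener hop and flags that the final host differs from the one in the shared link; any of those findings is a reason to inspect the destination rather than the shortened URL that appeared in the post.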
The development comes after Google’s Threat Analysis Group (TAG) also said this week that it had detected and stopped an Iran-backed phishing attempt aimed at compromising the personal accounts of prominent users in Israel and the US, including those linked to US presidential campaigns.
The activity was attributed to a threat actor codenamed APT42, a state-sponsored hacking group affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC). It is known to overlap with another intrusion set known as Charming Kitten (aka Mint Sandstorm).
“APT42 uses many different tactics as part of its phishing campaigns — including the deployment of malware, phishing pages and malicious redirects,” the tech giant said. “They usually try to abuse services like Google (such as Sites, Drive, Gmail and others), Dropbox, OneDrive and others for these purposes.”
The broad strategy is to gain the trust of its targets through sophisticated social engineering techniques, luring them away from email and into instant messaging channels such as Signal, Telegram or WhatsApp before directing them to fake links designed to harvest their login information.
The phishing attacks are characterized by the use of tools such as GCollection (aka LCollection or YCollection) and DWP to collect credentials from Google, Hotmail and Yahoo users, Google said, stressing that APT42 has a “firm understanding of the email providers they are targeting.”
“Once APT42 gains access to an account, they often add additional access mechanisms, including changing recovery email addresses and using features that allow apps that don’t support multi-factor authentication, such as app-specific passwords in Gmail and third-party app passwords in Yahoo,” it added.
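The persistence pattern Google describes is visible in account audit logs: a recovery-address change and the creation of an app password (a credential that sidesteps multi-factor authentication) on the same account in a short window. The following is an added example, not Google's detection logic or code: it parses constructed JSON-lines audit events and raises a high-severity alert when both events occur on one account within 24 hours, and a medium one when either appears alone. The event and field names (`recovery_email_changed`, `app_password_created`, `ip`) and all log lines are constructed for illustration and must be mapped to a real provider's audit schema.

```python
"""Flag post-compromise persistence in account audit logs: a recovery-address change
paired with creation of an app-specific password that bypasses MFA.

Added example, not Google's code. Event names, field names and every log line below are
constructed; map them to your mail provider's real audit schema before use.
"""
import json
from datetime import datetime, timedelta

# Constructed audit log in JSON-lines form (IPs are documentation ranges, not indicators).
CONSTRUCTED_LOG = """
{"ts": "2024-08-10T08:01:00Z", "user": "alice@example.org", "event": "login_success", "ip": "198.51.100.7"}
{"ts": "2024-08-10T08:03:10Z", "user": "alice@example.org", "event": "recovery_email_changed", "ip": "198.51.100.7", "new_value": "backup-mail@example.net"}
{"ts": "2024-08-10T08:05:42Z", "user": "alice@example.org", "event": "app_password_created", "ip": "198.51.100.7", "app": "Mail"}
{"ts": "2024-08-11T14:20:00Z", "user": "bob@example.org", "event": "app_password_created", "ip": "203.0.113.9", "app": "Calendar"}
{"ts": "2024-08-12T09:00:00Z", "user": "carol@example.org", "event": "recovery_email_changed", "ip": "192.0.2.44", "new_value": "c@example.net"}
{"ts": "2024-08-14T09:00:00Z", "user": "carol@example.org", "event": "app_password_created", "ip": "192.0.2.44", "app": "Mail"}
"""

# The two persistence actions named in Google's statement, under constructed event names.
PERSISTENCE_EVENTS = {"recovery_email_changed", "app_password_created"}
WINDOW = timedelta(hours=24)  # assumption: pairing window used for the high-severity rule


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_persistence(events, window=WINDOW):
    """Return one alert per user that performed a persistence action.

    severity 'high': both a recovery-address change and an app password creation on the
    same account within `window`; 'medium': either action alone (still worth review,
    since a legitimate user rarely does both in one sitting but may do one).
    """
    by_user = {}
    for rec in events:
        if rec["event"] in PERSISTENCE_EVENTS:
            by_user.setdefault(rec["user"], []).append(rec)
    alerts = []
    for user, recs in by_user.items():
        kinds = {r["event"] for r in recs}
        paired = any(
            a["event"] != b["event"] and abs(a["ts"] - b["ts"]) <= window
            for a in recs for b in recs
        )
        alerts.append({
            "user": user,
            "severity": "high" if paired else "medium",
            "events": sorted(kinds),
            "ips": sorted({r["ip"] for r in recs}),
        })
    return sorted(alerts, key=lambda a: a["user"])


def run(text=CONSTRUCTED_LOG):
    """Convenience entry point: parse the constructed log and return its alerts."""
    return find_persistence(parse_log(text))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed log, alice trips the high-severity rule (both actions two minutes apart), while bob and carol each get a medium alert; carol's two actions are 48 hours apart, so the pairing rule deliberately does not fire. The source IPs are carried along in each alert so an analyst can check whether the session that made the change matches the user's normal locations.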