Iranian misinformation network, website seizures, and what's left online | WhoisXML API


By Alexandre François, Head of Marketing & Security Researcher at WhoisXML API

Part 1: Context and website seizure by the U.S. Department of Justice (DOJ)

In June 2021, the U.S. Department of Justice (DOJ) seized a few dozen Iranian-owned domain names on the grounds that the websites hosted on them had been spreading misinformation. Those websites were mostly media sites owned by or affiliated with the Iranian state.

Among the websites seized were:

  • presstv[.]com
  • lualuatv[.]com
  • almasirah[.]net

All of those websites now display the message “This Website Has Been Seized” together with a notice from the United States Government, according to screenshot lookups (as of July 17):


As we intend to investigate these properties closely, let’s add them to our list of objects:

Step 1: We add presstv[.]com, lualuatv[.]com, and almasirah[.]net


Now the first question would be about what those websites used to host. In other words, what were their contents before they were seized?

Step 2: To answer this, we ran the Maltego transform Snapshots between Dates [Wayback Machine] and set it just for June 1, 2021.

And so, for June 1, 2021, we found several results including the following:


We handpicked a few of those screenshots to show what presstv[.]com and almasirah[.]net used to host as of June 1:

Nothing was found for lualuatv[.]com for June 1, 2021, so we decided to broaden our range a little to cover the whole month of June. Here is our Maltego output using Snapshots between Dates [Wayback Machine]:

For June 10, 2021 for lualuatv[.]com, we found the following:

On a side note, an extensive review of all the screenshots for presstv[.]com seems to indicate that the actual seizure took place between June 23 and June 24, 2021. In fact, as of June 23, PressTV mentioned that the website had been seized:

But it may not have been effectively seized before June 24:

Part 2: Identifying public historical WHOIS registrant details with WhoisXML transforms

Now, from what we know about PressTV, it’s a rather extensive Iranian state-owned news and documentary network. So, as a starting point, we tried to establish ownership attribution by using WHOIS data.

Step 1: In Maltego, we used the transform WHOIS Records [WhoisXML] to gather the WHOIS record, and more specifically the transforms Registrant Name [WhoisXML], Registrant Email [WhoisXML], and Registrar [WhoisXML]. Unfortunately, this query only returned registrar information, shown below as Instra Corporation Pty Ltd. This is certainly related to the fact that presstv.com’s latest WHOIS record has been heavily redacted, leaving no registrant email address or name.


Step 2: So we checked for that by running the transform Historical WHOIS Records [WhoisXML] for presstv[.]com:


There we were able to find more WHOIS records dating back to 2019, for which we ran a Registrant Name [WhoisXML] query. This showed, however, that those records had already been made private, as indicated by the “Private data” and “REDACTED FOR PRIVACY” values.


Step 3: Let’s specify these parameters in the Transform Manager for the Historical Whois Records [WhoisXML]. Under Transform Inputs, we can specify “2016-01-01” for Updated Date From and “2019-01-01” for Updated Date To:


Now let’s re-run the transform Historical WHOIS Records [WhoisXML] for presstv[.]com with these new parameters. As expected, it shows new records for these dates:


Step 4: Let’s now re-run a Registrant Name [WhoisXML] query for these new records. And bingo! For some of these records, we now have a name, “Hami Farajolli”. How about attempting to get an email address and registrant organization too? For that, we ran the Registrant Email [WhoisXML] and Registrant Organization [WhoisXML] queries for the records that carry a name. Doing so gave us PressTV as the registrant organization and the email address [email protected].


We have now explicitly linked presstv[.]com to an individual and an organization. These are all WHOIS details for which we can consider running a reverse WHOIS query to find every domain that shares the same details. After all, the PressTV network might own a lot of domain names, and we can then try to determine whether the U.S. Department of Justice (DOJ) has seized all of them.

But before doing that, let’s keep trying our luck and see if we can find more historical WHOIS information. In particular, can we learn more about presstv.com’s past DNS infrastructure? For that purpose, we ran the Nameservers [WhoisXML] transform and identified two of them, namely ns2.presstv.ir and ns1.presstv.ir:


Part 3: Reverse WHOIS analysis of identified public registrants using WhoisXML transforms

So, to recap, we identified 5 public WHOIS registrant details in presstv[.]com’s historical WHOIS records. These are:

[Screenshot: the five public registrant details identified in presstv[.]com’s historical WHOIS records]

For the next part of the investigation, we will want to check for connected domain properties. An interesting finding would be to identify more websites that are part of the PressTV network but haven’t or couldn’t have been seized by the U.S. Department of Justice (DOJ).

Step 1: So, we ran a series of Domains and IP addresses (Historical Reverse WHOIS Search) [WhoisXML] queries for our different objects. Note that this transform has to be run for each object type individually.

This led us to identify multiple domain footprints, some of which have domain names overlapping across object types:


In total, we are now looking at 37 properties. We expect, however, that there are more such connected properties that we could identify by specifying narrower date ranges. Though just a sample, those 37 properties still give us a good overview of how extensive the PressTV network might be today (or how extensive it might have been historically).
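To make the procedure of Parts 2 and 3 concrete (restrict historical WHOIS records to a date window in which registrant fields were still public, then pivot on each public value to find connected domains), here is an added Python example; it is not part of the original investigation and does not call the WhoisXML API. It runs on constructed sample records with placeholder people, organizations and .example domains, and WhoisRecord, public_pivots and reverse_whois are names assumed for the illustration.

```python
from dataclasses import dataclass
from datetime import date
# Provider placeholders for redacted fields (both strings appear above); compared case-insensitively.
REDACTED = {"", "REDACTED FOR PRIVACY", "PRIVATE DATA"}

@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    updated: date
    registrant_name: str
    registrant_email: str
    registrant_org: str
    nameservers: tuple

def public_pivots(records, seed, date_from, date_to):
    """Unredacted (field, value) pairs from the seed's records in [date_from, date_to]."""
    pivots = set()
    for r in records:
        if r.domain != seed or not (date_from <= r.updated <= date_to):
            continue
        for field in ("registrant_name", "registrant_email", "registrant_org"):
            value = getattr(r, field)
            if value.strip().upper() not in REDACTED:
                pivots.add((field, value))
        pivots.update(("nameserver", ns) for ns in r.nameservers)  # never redacted
    return pivots

def reverse_whois(records, pivots):
    """One reverse lookup per pivot; returns {pivot: domains sharing that value}."""
    hits = {}
    for field, value in pivots:
        for r in records:
            have = r.nameservers if field == "nameserver" else (getattr(r, field),)
            if value in have:
                hits.setdefault((field, value), set()).add(r.domain)
    return hits

# Constructed sample records: placeholder people, orgs and .example domains.
SAMPLE = [
    WhoisRecord("seed-news.example", date(2021, 5, 2), "REDACTED FOR PRIVACY",
                "REDACTED FOR PRIVACY", "Private data", ("ns1.seed-news.example",)),
    WhoisRecord("seed-news.example", date(2017, 3, 9), "Jane Placeholder",
                "registrant@example.invalid", "Example News Org", ("ns1.seed-news.example",)),
    WhoisRecord("sibling-fr.example", date(2018, 7, 1), "Jane Placeholder",
                "fr@example.invalid", "Example News Org", ("ns1.sibling.example",)),
    WhoisRecord("unrelated.example", date(2018, 6, 6), "Other Person",
                "o@example.invalid", "Other Org", ("ns1.other.example",)),
]
WINDOW = (date(2016, 1, 1), date(2019, 1, 1))  # the Updated Date From/To used above
```

Querying only the latest record yields nothing but the nameserver pivot, exactly the dead end hit in Part 2, Step 1; widening to the 2016-2019 window exposes the name, email and organization, and the union of every pivot's reverse-WHOIS hits (minus the seed) is the connected footprint.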

Still, we wanted to find out which of those domains might still be active today, and whether they were originally targeted by the DOJ or simply overlooked or out of scope. So, we tried retrieving live screenshots as of July 17 for each of those domains.

What stood out was the following:

  • 18 of the 37 domain properties displayed live content.
  • Though presstv[.]com was seized, presstv[.]ir may have become its replacement, or at least it has been used to host the same or similar content with the same branding. In fact, the live screenshot for presstv[.]ir looks very much like the content hosted on presstv[.]com prior to the seizure.
  • PressTV’s network may go beyond English-speaking communities. Live websites were notably found in French and Spanish.

Conclusions

As this investigation shows, the PressTV network was hit, probably critically, by the seizure of some of its domains by the U.S. Department of Justice (DOJ). Even so, the network remains active. Also, the PressTV network does not limit its operations to English-speaking countries.

Connections between presstv[.]com and the other websites above could be established using the capabilities of Maltego and historical WHOIS data from WhoisXML API.

Feel free to reach out to me at [email protected] to discuss this or other investigations you may wish to carry out using WhoisXML API datasets.
