In recognition of the group’s prolific production and its transient nature, Citizen Lab named it “Endless Mayfly,” after the gangly, short-lived bugs that hatch and swarm each summer. Citizen Lab said it could not say for sure that the operation was sponsored by the Iranian authorities. But it noted that Facebook and Twitter removed hundreds of accounts last August linked to the same operation, and Facebook said those accounts had ties to Iranian state media.
Etienne Maynier, another author of the Citizen Lab report, said Endless Mayfly’s articles “frequently echoed official comments and positions of the Iranian government.”
Raz Zimmt, an expert on Iran at Israel’s Institute for National Security Studies, a think tank affiliated with Tel Aviv University, and a former Israeli military intelligence officer, said Iran has turned to cyberattacks and online influence campaigns partly because of military weakness. In addition, he said, such hard-to-trace operations allow Iran “to maintain the ambiguity needed to reduce the risk of open confrontation with opponents who maintain a military superiority over it.”
In setting up its ephemeral websites, the Endless Mayfly group used one tactic familiar from phishing operations: “typosquatting,” in which a website is created under a name a letter or two off from that of a well-known institution. Endless Mayfly used “theguaradian.com” to imitate “theguardian.com” and “theatlatnic.com” instead of “theatlantic.com.”
Researchers at Citizen Lab got their first clue in April 2017, after users on Reddit noticed that an article on Brexit that appeared to be from the British newspaper The Independent actually came from a site spelled differently: “http://www.indepnedent.co/.” But when readers later tried to return to the article, they were sent to the real newspaper’s official site. The article’s authors had deleted the fake one but changed the link to strengthen the impression that it had originated on the real newspaper’s site.
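The lookalike domains quoted above are each one edit away from the real name (an inserted letter or two adjacent letters swapped), which a defender can check for mechanically. The following is an added example, not code from Citizen Lab or the original article; the watchlist, the distance threshold and the function names are assumptions made for illustration.

```python
# Added example: flag domains whose first label is a near-miss of a watched
# brand. WATCHLIST and max_distance are illustrative assumptions.
WATCHLIST = ["theguardian.com", "theatlantic.com", "independent.co.uk"]


def normalize(domain):
    """Lower-case the host name and drop a leading 'www.'."""
    host = domain.lower().strip(".")
    return host[4:] if host.startswith("www.") else host


def label(domain):
    """First DNS label of the host (naive: no public-suffix list)."""
    return normalize(domain).split(".")[0]


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute and
    swap of two adjacent characters each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "tn" written for "nt".
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def find_lookalike(domain, watchlist=WATCHLIST, max_distance=2):
    """Return (watched_domain, distance) for the closest imitated name,
    or None when the domain is on the watchlist or not close to any entry."""
    if normalize(domain) in (normalize(w) for w in watchlist):
        return None
    scored = [(osa_distance(label(domain), label(w)), w) for w in watchlist]
    dist, legit = min(scored)
    return (legit, dist) if dist <= max_distance else None


if __name__ == "__main__":
    for d in ["theguaradian.com", "theatlatnic.com", "www.indepnedent.co",
              "theguardian.com", "example.org"]:
        print(d, "->", find_lookalike(d))
```

Short brand labels produce false positives at this threshold, so in practice the allowed distance is usually scaled to the label length.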
In all, Citizen Lab said it had identified 73 web domains created by the group, 135 ersatz articles it had posted and 11 fake identities like Mona A. Rahman, often used as bylines on the fake articles. Some of the articles had previously been flagged as false by reporters and researchers, who sometimes pointed at Russia as the likely perpetrator. But the overall operation has not previously been described and linked to Iranian interests.
The group appears to still be active, according to Citizen Lab, though most of its operation has been shut down. “On the surface, they look like a not-very-successful viral advertising campaign,” said John Scott-Railton, a senior researcher at Citizen Lab.