Home / Industry

Investigation of an Iranian Misinformation Network: Are Some IRGC Domains Still Up?

June 2021 saw the U.S. Department of Justice (DOJ) shutting down and seizing several websites believed to be involved in misinformation campaigns. These websites published news-related content and seemingly had connections to Irani governmental entities. In fact, some of them were found to be the property of the Iranian Islamic Radio and Television Union (IRTVU), which was deemed by the DOJ to be owned or controlled by the Islamic Revolutionary Guard Corps (IRGC).

As such, they are not allowed to do business with American companies and citizens unless they have been given a license by the Office of Foreign Assets Control (OFAC). For this reason, irtvu[.]com was among the domains seized. A Screenshot Lookup of the domain confirms this.

irtvu.com website screenshot

We looked at dozens of domain names that point to IRGC and IRTVU through their registrant organization to see if some of their infrastructures were still running.

Obtaining Qualified Domain Names

One functionality of Reverse WHOIS Search is obtaining domain names that match a text string in a specific WHOIS field. For this study, the search strings used were “IRGC” and “IRTVU” in the domains’ registrant organization field.

The tool returned 92 domain names registered under “IRGC” and 21 domains registered with “IRTVU” in the registrant organization field. There could be false positives in the data set, especially since IRGC can also stand for “International Risk Governance Council.”

Bulk WHOIS Lookup and Screenshot API helped determine which domain names were qualified for further investigation. That left us with three domain names that satisfy these requirements:

  • WHOIS records leave no doubt that they were owned and controlled by Iran-based IRGC. These domains were either based in Tehran, Iran, or registered under the exact registrant organization, IRGC Strategic Center (Islamic Revolutionary Guard Corps)
  • Their screenshot results show that the domains still host live content.

Investigating 3 Active IRGC Domains

The domains that meet the two criteria listed above are gaamdovom[.]ir, irgcsc[.]ir, and raviyan[.]ir. These domains were registered under IRGC and host content, as seen in the screenshots below.

gaamdovom.ir website screenshot
irgcsc.ir website screenshot
raviyan.ir website screenshot

These domains are all managed by IRNIC, the domain registry for the Iranian country-code top-level domain (ccTLD). Therefore, they are certainly not covered by the U.S. DOJ sanction. But how about their connected domains? These were explored in the following sections.

Connected Domains: Sharing the Same IP Addresses

Using DNS Lookup, the IP resolutions of the three IRGC domain names were obtained. IP address details were then uncovered using IP Geolocation API and IP Netblocks API. The table below shows the data gathered.

Domain NameIP AddressesIP GeolocationIP NetblockAS Name
gaamdovom[.]ir86[.]104[.]37[.]101Iran86[.]104[.]37[.]100 - 86[.]104[.]37[.]107AFRANET
irgcsc[.]ir185[.]143[.]233[.]104
185[.]143[.]234[.]104
Netherlands
Japan
185[.]143[.]233[.]0 - 185[.]143[.]233[.]255AbrArvan-AS
raviyan[.]ir116[.]203[.]149[.]169Germany116[.]203[.]0[.]0 - 116[.]203[.]255[.]255Hetzner Online

Again, the IP addresses appeared to be out of the DOJ’s reach, as they were assigned to other countries and non-U.S.-based Internet service providers (ISPs).

Of the IP addresses, only 86[.]104[.]37[.]101 appeared to be a dedicated IP address. In particular, 8 domain names share the IP address with gaamdovom[.]ir, as revealed by Reverse IP API. These are:

  • adsinhands[.]com
  • asre-iranian[.]ir
  • emtiazdaily[.]ir
  • hejamat[.]ir
  • ieltsia[.]ir
  • razipress[.]com
  • razipress[.]ir
  • sooimages[.]com

The U.S. DOJ may be particularly interested in the .com domains. And so, using Maltego WhoisXML API Transforms, the registrars of the .com domains were mapped out.

Both registrars are American companies. Onlinenic Inc. is headquartered in California, while Tucows was incorporated in Pennsylvania. Even so, the .com TLD is managed by Verisign, an American organization. Screenshots of each domain can reveal what type of content they host:

adsinhands.com website screenshot
razipress.com website screenshot
sooimages.com website screenshot

An in-depth investigation by WhoisXML API revealed that the PressTV network, although impacted by the DOJ seizure, remains active and may also be operating in other non-English-speaking countries. On the other hand, another study mapped out the domain infrastructure of four seized websites (presstv[.]com, alalam[.]net, lualuatv[.]com, and almasirah[.]net). The outcome was that several news-related sites are still up.

The same could be said for the IRGC domain network. If these domains don’t have an OFAC license and primarily destined to a U.S. audience, they could be seized as well.

If you’re a cybersecurity professional interested in investigating the domain infrastructure of the Iranian misinformation network, feel free to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Brand Protection

Sponsored byAppdetex

IPv4 Markets

Sponsored byIPXO

Cybersecurity

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Domain Management

Sponsored byMarkMonitor

Domain Names

Sponsored byVerisign