June 2021 saw the U.S. Department of Justice (DOJ) shutting down and seizing several websites believed to be involved in misinformation campaigns. These websites published news-related content and seemingly had connections to Irani governmental entities. In fact, some of them were found to be the property of the Iranian Islamic Radio and Television Union (IRTVU), which was deemed by the DOJ to be owned or controlled by the Islamic Revolutionary Guard Corps (IRGC).

As such, they are not allowed to do business with American companies and citizens unless they have been given a license by the Office of Foreign Assets Control (OFAC). For this reason, irtvu[.]com was among the domains seized. A Screenshot Lookup of the domain confirms this.

We looked at dozens of domain names that point to IRGC and IRTVU through their registrant organization to see if some of their infrastructures were still running.

Obtaining Qualified Domain Names

One functionality of Reverse WHOIS Search is obtaining domain names that match a text string in a specific WHOIS field. For this study, the search strings used were “IRGC” and “IRTVU” in the domains’ registrant organization field.

The tool returned 92 domain names registered under “IRGC” and 21 domains registered with “IRTVU” in the registrant organization field. There could be false positives in the data set, especially since IRGC can also stand for “International Risk Governance Council.”

Bulk WHOIS Lookup and Screenshot API helped determine which domain names were qualified for further investigation. That left us with three domain names that satisfy these requirements:

• WHOIS records leave no doubt that they were owned and controlled by Iran-based IRGC. These domains were either based in Tehran, Iran, or registered under the exact registrant organization, IRGC Strategic Center (Islamic Revolutionary Guard Corps)
• Their screenshot results show that the domains still host live content.

Investigating 3 Active IRGC Domains

The domains that meet the two criteria listed above are gaamdovom[.]ir, irgcsc[.]ir, and raviyan[.]ir. These domains were registered under IRGC and host content, as seen in the screenshots below.

These domains are all managed by IRNIC, the domain registry for the Iranian country-code top-level domain (ccTLD). Therefore, they are certainly not covered by the U.S. DOJ sanction. But how about their connected domains? These were explored in the following sections.

Connected Domains: Sharing the Same IP Addresses

Using DNS Lookup, the IP resolutions of the three IRGC domain names were obtained. IP address details were then uncovered using IP Geolocation API and IP Netblocks API. The table below shows the data gathered.

Again, the IP addresses appeared to be out of the DOJ’s reach, as they were assigned to other countries and non-U.S.-based Internet service providers (ISPs).

Of the IP addresses, only 86[.]104[.]37[.]101 appeared to be a dedicated IP address. In particular, 8 domain names share the IP address with gaamdovom[.]ir, as revealed by Reverse IP API. These are:

• adsinhands[.]com
• asre-iranian[.]ir
• emtiazdaily[.]ir
• hejamat[.]ir
• ieltsia[.]ir
• razipress[.]com
• razipress[.]ir
• sooimages[.]com

The U.S. DOJ may be particularly interested in the .com domains. And so, using Maltego WhoisXML API Transforms, the registrars of the .com domains were mapped out.

Both registrars are American companies. Onlinenic Inc. is headquartered in California, while Tucows was incorporated in Pennsylvania. Even so, the .com TLD is managed by Verisign, an American organization. Screenshots of each domain can reveal what type of content they host:

An in-depth investigation by WhoisXML API revealed that the PressTV network, although impacted by the DOJ seizure, remains active and may also be operating in other non-English-speaking countries. On the other hand, another study mapped out the domain infrastructure of four seized websites (presstv[.]com, alalam[.]net, lualuatv[.]com, and almasirah[.]net). The outcome was that several news-related sites are still up.

The same could be said for the IRGC domain network. If these domains don’t have an OFAC license and primarily destined to a U.S. audience, they could be seized as well.

If you’re a cybersecurity professional interested in investigating the domain infrastructure of the Iranian misinformation network, feel free to contact us.