OpenAI announced on Friday that it had banned a set of accounts linked to what it said was a covert Iranian influence operation leveraging ChatGPT to produce content focused on the upcoming U.S. presidential elections.
“Earlier this week, we identified and removed a group of ChatGPT accounts that were creating content for a covert Iranian influence operation identified as Storm-2035,” said OpenAI.
The AI company stated that the content failed to garner any significant interaction, with most social media posts receiving few to no likes, shares, or comments. It also noted limited evidence of long-form articles created using ChatGPT being shared on social media platforms.
The articles, which focused on U.S. politics and global events, were published on five different websites posing as progressive and conservative news outlets, indicating an effort to reach people across the political spectrum.
OpenAI mentioned that the ChatGPT tool was used to create comments in English and Spanish, which were then posted across a dozen X accounts and one Instagram account. Some of these comments were generated by asking its AI models to rewrite posts made by other social media users.
“The operation generated content on various topics: primarily, the conflict in Gaza, Israel’s presence in the Olympics, the U.S. presidential elections, and, to a lesser extent, politics in Venezuela, rights of Latino communities in the U.S. (in both Spanish and English), and Scottish independence,” OpenAI said.
The operation also mixed political content with comments on fashion and beauty, possibly to seem more authentic or to build an audience.
Additionally, Storm-2035 was among the threat activity groups highlighted last week by Microsoft, which described it as an Iranian network “actively engaging with U.S. voter opposition groups on the political spectrum with polarizing messages on topics such as U.S. presidential candidates and LGBTQ rights.”
Some of the fake news and commentary websites set up by the group include EvenPolitics, Nio Thinker, Savannah Time, Teorator, and Westland Sun, which use AI-enabled services to plagiarize some of their content from U.S. publications. The group is said to have been operational since 2020.
Furthermore, Microsoft has warned of increased foreign influence activity targeting the U.S. elections over the last six months, from both Iranian and Russian networks, with the latter being tracked as Ruza Flood (also known as Doppelganger), Storm-1516, and Storm-1841 (also known as Rybar).
However, signals indicate that the propaganda network is changing its tactics in response to aggressive enforcement, increasingly using non-political posts and ads, and mimicking non-political news and entertainment websites such as Cosmopolitan, The New Yorker, and Entertainment Weekly in an attempt to evade detection, according to Meta.
The social media company has disrupted 39 Russian, 30 Iranian, and 11 Chinese influence operations since 2017 on its platforms. Six new networks from Russia (4), Vietnam (1), and the U.S. (1) were discovered in the second quarter of 2024.
Meanwhile, Google’s Threat Analysis Group (TAG) also said this week that it had detected and stopped Iran-backed spear-phishing attempts targeting high-profile individuals’ personal accounts in Israel and the U.S., including those associated with U.S. presidential campaigns.
The activity has been attributed to a threat actor called APT42, a state-funded hacking group affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC). It is known to share similarities with another intrusion set known as Charming Kitten (also known as Mint Sandstorm).
“APT42 uses a variety of tactics as part of its phishing email campaigns, including hosting malware, phishing pages, and malicious redirects,” said Google.
The overall strategy is to gain the trust of targets using sophisticated social engineering techniques to move them off email and into instant messaging channels like Signal, Telegram, or WhatsApp, before sending fake links designed to gather login credentials.
The phishing attacks are characterized by the use of tools like GCollection (also known as LCollection or YCollection) and DWP to harvest Google, Hotmail, and Yahoo user credentials, underscoring APT42’s “deep knowledge” of the email providers they target.
“Once APT42 gains access to an account, they often add additional access mechanisms, including changing recovery email addresses and leveraging features enabling non-two-factor authentication applications like specific passwords in Gmail and third-party app passwords in Yahoo,” Google added.
Update
U.S. intelligence agencies have formally accused Iran of attempting to undermine U.S. elections, stoke divisive opinions among the American public, and erode confidence in the electoral process, describing Iranian activity as “increasingly aggressive.”
“Iran has also demonstrated a lasting interest in exploiting social tensions through various means, including the use of cyber operations to try to obtain sensitive information related to U.S. elections,” the agencies said in an assessment.
The findings affirm and expand on reports by Google, Microsoft, and OpenAI that revealed Iran’s attempts to interfere in the U.S. presidential elections, which are less than three months away, by amplifying propaganda and gathering political intelligence.
In a statement to the Associated Press, Iran’s mission to the United Nations denied the allegations as “unfounded and lacking in evidence,” adding that Iran had neither the motive nor the intention to interfere in the elections.
Via The Hacker News