OpenAI Blocks Iranian Influence Operation Using ChatGPT for U.S. Election Misinformation
On Friday, OpenAI announced that it had shut down a group of accounts associated with what it described as a covert Iranian influence campaign that used ChatGPT to generate content that, among other things, targeted the upcoming U.S. presidential election.
“We detected and deactivated a set of ChatGPT accounts this week that were producing content for a secret Iranian influence campaign dubbed Storm-2035,” OpenAI revealed in a statement.
“The campaign employed ChatGPT to generate content concentrating on various subjects — including analysis on candidates from different political spectrums in the U.S. presidential election – then distributed this content through social media profiles and websites.”
The artificial intelligence (AI) company said the content did not gain significant traction: most of the social media posts received few or no likes, shares, or comments. There was also little evidence that the long-form articles produced with ChatGPT were shared on social platforms.
The articles addressed American politics and world events and were published on five different websites identified as progressive and conservative news sources, indicating an effort to engage people on opposite sides of the political spectrum.
According to OpenAI, ChatGPT was also used to write comments in English and Spanish, which were then posted from a dozen X accounts and one Instagram account. Some of these comments were generated by instructing AI models to paraphrase comments published by other social media users.
“The campaign generated content regarding a multitude of topics: namely, the strife in Gaza, Israel’s involvement in the Olympics, and the U.S. election—and to a lesser extent Venezuelan politics, advocacy for Latinx communities in the U.S. (in both English and Spanish), and the independence movement of Scotland,” stated OpenAI.
“They blended their political content with discussions on fashion and beauty, likely to seem more genuine or to amass a following.”
Microsoft highlighted Storm-2035 as one of the threat operations it outlined last week, labeling it as an Iranian network “actively engaging U.S. voter groups with polarizing communications on subjects such as the U.S. presidential candidates, LGBTQ rights, and the Israel-Hamas conflict.”
Fake news and opinion sites created by the group include EvenPolitics, Nio Thinker, Savannah Time, Teorator, and Westland Sun. These sites have also been found to use AI-powered tools to copy a portion of their content from American media. The group’s activities date back to 2020.
Microsoft has also warned of an increase in foreign malicious influence operations targeting the U.S. election over the past six months from Iranian and Russian networks, the latter traced to groups known as Ruza Flood (aka Doppelganger), Storm-1516, and Storm-1841 (aka Rybar).
“Doppelganger disseminates and amplifies falsified, fabricated, or even accurate information across social media networks,” noted French cybersecurity firm HarfangLab in a statement. “To accomplish this, social media accounts share links that begin a convoluted series of redirections leading to the final content websites.”
However, there are signs that the misinformation network is adapting its tactics in response to heightened enforcement. According to Meta, it is increasingly using non-political posts and advertisements and mimicking non-political and entertainment outlets such as Cosmopolitan, The New Yorker, and Entertainment Weekly to try to avoid detection.
The posts contain links that, when clicked, redirect users to an article about Russia’s war or geopolitics on one of the fraudulent domains imitating entertainment or health publications. The advertisements are created using compromised accounts.
The social media giant, which has disrupted 39 malicious operations from Russia, 30 from Iran, and 11 from China since 2017 across its platforms, has reported uncovering six new networks originating from Russia (4), Vietnam (1), and the U.S. (1) in the second quarter of 2024.
“Since May, Doppelganger has resumed sharing links to its domains, albeit at a reduced rate,” disclosed Meta in a report. “We have also observed them experimenting with multiple redirect chains including usage of TinyURL’s link shortening to mask the final destination behind the links and deceive both Meta and our users in an effort to evade identification and direct individuals to their off-platform websites.”
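The redirect behaviour described by HarfangLab and Meta can be triaged offline once a crawler has recorded each hop. The following Python sketch is an added example, not code from Meta, HarfangLab, or the article; the captured hops, all hostnames, the brand keyword table, and the finding names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample: URL -> Location header recorded by a sandboxed crawler.
# Every host below is a reserved placeholder, not an indicator from the reports.
CAPTURED_HOPS = {
    "https://tinyurl.com/CONSTRUCTED": "https://hop1.example.net/r?id=7",
    "https://hop1.example.net/r?id=7": "https://hop2.example.org/go",
    "https://hop2.example.org/go": "https://cosmopolitan.example-news.test/article/42",
}
SHORTENERS = {"tinyurl.com"}  # the shortener named in Meta's report
# Assumed keyword -> legitimate domain of the outlets the article says are imitated.
BRANDS = {"cosmopolitan": "cosmopolitan.com", "newyorker": "newyorker.com", "ew": "ew.com"}

def host(url):
    return (urlsplit(url).hostname or "").lower()

def base_domain(h):
    # Naive last-two-labels rule; use a public suffix list in production.
    return ".".join(h.split(".")[-2:])

def resolve_chain(start, hops, max_hops=10):
    """Follow recorded redirects, stopping on loops or after max_hops."""
    chain, seen = [start], {start}
    while chain[-1] in hops and len(chain) <= max_hops:
        nxt = hops[chain[-1]]
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain

def assess(start, hops):
    chain = resolve_chain(start, hops)
    final = host(chain[-1])
    tokens = set(final.replace("-", ".").split("."))
    findings = []
    if host(chain[0]) in SHORTENERS:
        findings.append("shortener_entry")
    if len({base_domain(host(u)) for u in chain}) >= 3:
        findings.append("multi_domain_chain")
    for brand, real in BRANDS.items():
        # Brand name appears in the host, but the site is not the brand's domain.
        if brand in tokens and base_domain(final) != real:
            findings.append(f"brand_lookalike:{brand}")
    return {"final": chain[-1], "hops": len(chain) - 1, "findings": findings}

if __name__ == "__main__":
    print(assess("https://tinyurl.com/CONSTRUCTED", CAPTURED_HOPS))
```

A single finding is weak on its own; the combination of a shortener entry point, several unrelated domains, and a brand lookalike at the end is what matches the pattern in the reports.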
These revelations coincide with Google’s Threat Analysis Group (TAG) revealing this week that it had detected and thwarted Iranian-backed phishing activity designed to compromise the personal accounts of prominent users in Israel and the United States, including individuals linked to U.S. presidential campaigns.

The activity has been attributed to APT42, a government-backed hacking group linked to Iran’s Islamic Revolutionary Guard Corps (IRGC). The group is known to share similarities with another intrusion set known as Charming Kitten (aka Mint Sandstorm).
“APT42 employs a range of tactics in their email phishing campaigns — which involve hosting malware, phishing pages, and malicious redirects,” stated the technology company in a blog post. “They often exploit services such as Google (such as Sites, Drive, Gmail, etc.), Dropbox, OneDrive, and other similar platforms for their deceptive operations.”
The overall approach is to build trust with targets through sophisticated social engineering, with the ultimate aim of moving the conversation from email to instant messaging platforms such as Signal, Telegram, or WhatsApp, where the attackers then share fake links designed to harvest login credentials.
The phishing attempts are characterized by the use of techniques like GCollection (aka LCollection or YCollection) and DWP to extract information from users of Google, Hotmail, and Yahoo, which Google described as clear indicators of APT42’s deep understanding of the email services it targets.
“Upon gaining entry into an account, APT42 frequently implements additional methods of access, such as altering recovery email addresses and leveraging features that bypass multi-factor authentication, like application-specific passwords in Gmail and third-party app passwords in Yahoo,” the company elaborated.
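The post-compromise changes Google describes (a new recovery address, an application-specific password) are events a defender can correlate with a preceding sign-in from an unrecognized device. The following Python sketch is an added example, not code from Google or the article; the event records, field names, event type names, and the one-hour window are constructed assumptions rather than any vendor's audit schema.

```python
from datetime import datetime, timedelta

# Constructed audit events; field and event names are hypothetical.
EVENTS = [
    {"ts": "2024-08-12T09:00:00", "user": "alice", "type": "login",
     "ip": "198.51.100.7", "known_device": True},
    {"ts": "2024-08-14T02:11:00", "user": "alice", "type": "login",
     "ip": "203.0.113.50", "known_device": False},
    {"ts": "2024-08-14T02:14:00", "user": "alice", "type": "recovery_email_changed"},
    {"ts": "2024-08-14T02:19:00", "user": "alice", "type": "app_password_created"},
    {"ts": "2024-08-13T10:00:00", "user": "bob", "type": "login",
     "ip": "192.0.2.10", "known_device": True},
    {"ts": "2024-08-13T10:05:00", "user": "bob", "type": "app_password_created"},
]
# Account changes that keep access alive after a password reset.
PERSISTENCE = {"recovery_email_changed", "app_password_created"}

def find_persistence(events, window=timedelta(hours=1)):
    """Flag persistence-style changes; 'high' if they follow a new-device login."""
    alerts, new_device_login = [], {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "login" and not e["known_device"]:
            new_device_login[e["user"]] = (ts, e["ip"])
        elif e["type"] in PERSISTENCE:
            seen = new_device_login.get(e["user"])
            linked = seen is not None and ts - seen[0] <= window
            alerts.append({
                "user": e["user"],
                "action": e["type"],
                "ip": seen[1] if linked else None,
                "severity": "high" if linked else "review",
            })
    return alerts

if __name__ == "__main__":
    for alert in find_persistence(EVENTS):
        print(alert)
```

Response to a "high" alert should include revoking the new app password and restoring the recovery address, since resetting the account password alone leaves both in place.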


