In recognition of the group’s prolific production and its transient nature, Citizen Lab labeled it “Endless Mayfly,” after the gangly, short-lived insects that hatch and swarm every summer. Citizen Lab said it cannot say for certain that the operation was sponsored by the Iranian government. But it noted that Facebook and Twitter removed hundreds of accounts last August linked to the same operation, and Facebook said those accounts had ties to Iranian state media.
Etienne Maynier, another author of the Citizen Lab report, said Endless Mayfly’s articles “frequently echoed official comments and positions of the Iranian government.”
Raz Zimmt, an expert on Iran at Israel’s Institute for National Security Studies, a think tank affiliated with Tel Aviv University, and a former Israeli military intelligence officer, said Iran has turned to cyberattacks and online influence campaigns in part because of military weakness. In addition, he said, such hard-to-trace operations allow Iran “to maintain the ambiguity needed to reduce the risk of open confrontation with opponents who maintain a military superiority over it.”
In setting up its ephemeral websites, the Endless Mayfly group used one tactic familiar from phishing operations: “typosquatting,” in which a website is created under a name a letter or two off from a well-known institution. Endless Mayfly used “theguaradian.com” to mimic “theguardian.com” and “theatlatnic.com” in place of “theatlantic.com.”
Researchers at Citizen Lab got their first clue in April 2017, after users on Reddit noticed an article on Brexit that appeared to be from the British newspaper The Independent actually came from a site spelled differently: “http://www.indepnedent.co/.” But when readers later tried to return to the article, they were sent to the actual newspaper’s official site. The article’s authors had deleted the fake one but changed the link to reinforce the impression that it had originated on the real newspaper’s site.
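A defender's check for the typosquatting described above, as an added example that is not from the article or from Citizen Lab: it compares the leading label of an observed host against a watchlist of real outlets using an edit distance that counts a swap of two adjacent letters as one edit. The watchlist, the two-edit threshold and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Legitimate outlets named in the article (assumed watchlist for this example).
PROTECTED = ["theguardian.com", "theatlantic.com", "independent.co.uk"]

def normalize(host_or_url):
    """Lower-case the host, drop a trailing dot and a leading 'www.'."""
    host = urlsplit(host_or_url).hostname if "//" in host_or_url else host_or_url
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each costing one edit."""
    rows = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        rows[i][0] = i
    for j in range(len(b) + 1):
        rows[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            rows[i][j] = min(rows[i - 1][j] + 1,         # deletion
                             rows[i][j - 1] + 1,         # insertion
                             rows[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                rows[i][j] = min(rows[i][j], rows[i - 2][j - 2] + 1)  # swap
    return rows[len(a)][len(b)]

def find_lookalike(observed, protected=PROTECTED, max_edits=2):
    """Return (real_domain, distance) when the observed host is not on the
    watchlist but its first label is within max_edits of a watched label."""
    host = normalize(observed)
    if host in protected:
        return None  # exact match for a real site
    # Simplification: the first label is treated as the brand; a production
    # check would use a public-suffix list to find the registrable domain.
    label = host.split(".")[0]
    dist, real = min((osa_distance(label, p.split(".")[0]), p) for p in protected)
    return (real, dist) if dist <= max_edits else None

if __name__ == "__main__":
    # Domains quoted in the article, plus two constructed negatives.
    for seen in ["theguaradian.com", "theatlatnic.com",
                 "http://www.indepnedent.co/", "theguardian.com", "example.org"]:
        print(seen, "->", find_lookalike(seen))
```

Each lookalike quoted in the article is a single edit from the real name, which is why a small threshold catches all three while leaving unrelated hosts alone.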
In all, Citizen Lab said it had identified 73 web domains created by the group, 135 ersatz articles it had posted and 11 fake identities like Mona A. Rahman, often used as bylines on the fake articles. Some of the articles had been previously flagged as false by reporters and researchers, who sometimes pointed at Russia as the likely culprit. But the overall operation has not previously been described and linked to Iranian interests.
The group appears to still be active, according to Citizen Lab, though most of its operation has been shut down. “On the surface, they look like a not-very-successful viral advertising campaign,” said John Scott-Railton, a senior researcher at Citizen Lab.