Google has deleted 58 accounts linked to Iran from YouTube and other sites, the company said in a blog post.
The company "identified and closed" 39 English-language YouTube accounts, 13 Google+ accounts, and 6 Blogger blogs found to be engaged in "politically motivated phishing." The accounts were found to have ties to the Islamic Republic of Iran, says Google.
"In recent months, we have discovered and blocked attempts by state-sponsored actors in different countries to target political campaigns, journalists, activists and academics around the world," said Kent Walker, vice president of global affairs. We have invested in robust systems for detecting phishing and hacking attempts, identifying influences launched by foreign governments and protecting political campaigns against digital attacks through our Protecting Program.
Our Threat Analysis Group, working with our partners at Jigsaw and Google's Trust & Safety team, identifies bad actors, disables their accounts, warns users about them, and shares intelligence with other companies and police.
This week, there has been a lot of news about attempted state-supported hacking and impact campaigns. We wanted to provide an update on some of our ongoing work in this area:
– Technical Assignment of a Newly Reported Influence Campaign from Iran
– Sign Up and End of Activity on Google Features
Government-Forced Phishing Attack
Phishing, an attempt to trick users into providing a password that an attacker can use to log in to an account, remains a threat to all email users. Our enhanced technology has enabled us to reduce the volume of phishing emails that reach our users. Automated protection, account security (like security keys), and specialized alerts give Gmail users industry-leading security. As part of our security efforts, for the last eight years, we have shown prominent alerts to Gmail users who are exposed to phishing by potentially state-sponsored actors (although in most cases, the particular phishing attempt never reaches the user's inbox).
In recent months, we have discovered and blocked attempts by state-sponsored actors in different countries to target political campaigns, journalists, activists and academics around the world. Once we've seen these types of attacks, we've notified users as well as law enforcement.
On Monday morning, we sent out our latest series of notifications to Gmail users who were exposed to suspicious emails from a wide range of countries. We have written about such warnings here – if you received this type of warning, please read the blog post and do something immediately.
Iran and FireEye
To complement the work of our internal teams, we engage FireEye, a leading cybersecurity group, and other top security consultants to give us intelligence. Over the past two months, Google and Jigsaw have been working closely with FireEye on the Iranian-influenced operation that FireEye identified this week. We are grateful to FireEye for identifying suspicious Google Accounts (three email accounts, three YouTube channels, and three Google+ accounts), which we quickly disabled. FireEye's full report has just been published today. It is worth reading.
In addition to the intelligence we received from FireEye, our teams have investigated a wider range of suspicious actors associated with Iran who have engaged in this effort. We have updated US legislators and law enforcement about the results of our investigation, including its relationship with the political content of the United States. We wanted to provide a summary of what we told them.
Connections to IRIB: Forensic Evidence
Our technical research has identified evidence that these players are associated with IRIB, the Islamic Republic of Iran Broadcasting.
We may not disclose any technical details without disclosing information that would be useful to others who wish to abuse our platforms, but we have observed the following:
– Technical data relating to these players is strongly linked to the official IRIB IP address space.
– Domain ownership information about these players is strongly linked to IRIB account information.
– Account metadata and subscriber information associated with these players are strongly linked to information related to IRIB, which indicates shared ownership and control.
These facts, along with other technical signals and analyses, indicate that this effort was performed as part of the overall operation of the IRIB organization since at least January 2017. This finding is consistent with the internet activity from Iran that we have warned about in recent years.
– We have regularly sent alerts to Gmail users if phishing attempts are from Iran (including Monday).
– We detected and warned users about a hidden man-in-the-middle security attack in Iran in 2012.
– We unveiled and warned users about politically motivated phishing in Iran in 2013.
Google Properties Attribution and Exit Activity
Actors involved in this type of influencing operation violate our policies, and we quickly remove such content from our services and terminate those players' accounts. In addition, we use a variety of robust methods, including IP blocking, to prevent individuals or entities in Iran from opening advertising accounts.
We identified and closed a number of accounts linked to the IRIB organization that hid their connection to this effort, including simultaneous English-language political content in the United States:
– 39 YouTube channels that had 13,466 total US views on relevant videos;
– 6 blogs on Blogger;
– 13 Google+ accounts.
Our investigations on these topics are ongoing and we will continue to share our findings with law enforcement and other relevant government agencies in the United States and elsewhere as well as with others in the industry.
The state-aid phishing attacks, and the IRIB-related stakeholders described above, are clearly not the only state-sponsored actors on the job on the Internet. For example, last year we revealed information about actors associated with the Internet Research Agency (IRA). Since then, we have continued to monitor our systems and expand the scope of IRA-related actors against whom we have traded. In particular, we have discovered and removed 42 YouTube channels, which had 58 English-language political videos (these videos had a total of less than 1800 U.S. views). We have also identified and closed the account associated with a Blogger blog.
We continue to monitor our systems actively, take quick action, share intelligence and be alert about these and other threats.