OpenAI banned accounts linked to Iran’s covert influence operation Storm 2035, which used ChatGPT to generate social media content targeting the US presidential election from both sides of the political spectrum. Simultaneously, Google disrupted APT42 (linked to Iran’s IRGC) spear-phishing campaigns aimed at US presidential campaign accounts. Nation-state actors are using AI to scale election interference operations — though with limited engagement so far.
Stories Covered
OpenAI Blocks Storm 2035: Iran Used ChatGPT to Generate US Election Propaganda
OpenAI identified and shut down a cluster of ChatGPT accounts tied to Storm 2035, an Iranian covert influence operation that used the AI model to generate social media content about the US presidential election, the conflict in Gaza, Israel’s participation at the Olympic Games, Venezuelan politics, and the Latin X community. Content was produced in English and Spanish and distributed across approximately a dozen accounts on X (formerly Twitter) and one on Instagram. The operation’s tactics included using AI to re-spin comments posted by real social media users, interspersing political content with posts about fashion and beauty to appear authentic, and building fake influencer personas with manufactured interaction history before activating them for influence purposes. OpenAI noted that despite the scale of content generation, the posts received negligible engagement — minimal likes, shares, or comments — and found little evidence the long-form articles generated using ChatGPT were meaningfully distributed.
The parallel threat from Russia is more mature and operationally evolved. Microsoft has tracked an uptick in Russian foreign influence activity targeting the US election. The Doppelganger network (also tracked as Rooza Flood), Storm 1516, and Storm 1841 (Rybar) have all been active. Doppelganger’s particular innovation is link obfuscation: social media posts contain links that initiate multi-hop redirect chains — including URL shorteners like TinyURL — to conceal the final destination and evade automated link-checking bots. Meta reported that the network has disrupted 39 Russian, 30 Iranian, and 11 Chinese influence operations across its platforms since 2017. The ongoing cat-and-mouse is exactly what one would expect: as platforms improve detection, operators shift to nonpolitical cover content (entertainment, lifestyle) and additional redirect layers to avoid tripping automated defenses.
Google’s Threat Analysis Group simultaneously disclosed that it detected and disrupted spear-phishing campaigns by APT42 — an Iranian state-sponsored threat actor affiliated with the Islamic Revolutionary Guard Corps, overlapping with the group also known as Charming Kitten and Mint Sandstorm — targeting personal accounts of high-profile individuals in Israel and the US, including those associated with presidential campaigns. APT42’s approach exploits trusted cloud services: malicious files and phishing pages hosted on Google Drive, Google Sites, OneDrive, and Dropbox to reduce suspicion before redirecting to attacker infrastructure. The broader picture is that influence operations and account-compromise operations are two tracks of the same program — one generates propaganda at scale, the other seeks to take over high-reach accounts to amplify it through an audience that trusts the hijacked identity.
Leave a Reply