By Kevin G. Hall
October 23, 2020
Iran’s state broadcasting company has quietly used U.S.-based operations of Webzilla, a Russia-linked company caught up in the 2016 election meddling probe, to disseminate Iranian government viewpoints in English and Spanish across the hemisphere, an investigation by McClatchy and the Miami Herald shows.
Despite being under U.S. sanctions, Islamic Republic of Iran Broadcasting, known by its acronym IRIB, is the only organization legally allowed to broadcast radio and TV in Iran. It operates state-run websites in French, English and Spanish that seek to influence U.S., Canadian and Venezuelan audiences. It does so via the domain names www.presstv.com, www.hispantv.com and www.urmedium.com.
Acting on a tip from researchers, McClatchy and the Herald confirmed that all three have had portions of their online website operations hosted since late last year on server blocks that are physically located in Dallas and administered by WZ Communications, which operates as Webzilla and has offices in Fort Lauderdale.
IRIB has been under U.S. sanctions since 2013, designed to make it a business and financial pariah globally. The investigation by McClatchy and the Herald shows the lengths to which Iran must now go to skirt an ever-tightening grip of sanctions. These steps include relying on a company in Cambodia to manage its email traffic and Webzilla to host videos online.
It’s unclear how the U.S. hosting of these websites had escaped notice of the Trump administration, which earlier this month, through the Department of Justice, seized 92 domains registered by three U.S. companies alleging they were fake news websites operated on behalf of Iran’s Islamic Revolutionary Guard Corps. On Wednesday, the agency said it has seized two domains — Aletejahtv.com and kataibhezbollah.com — that were registered by a Virginia company and linked to a sanctioned pro-Iran paramilitary group destabilizing Iraq called Kata’ib Hizballah, or the Hezbollah Brigade.
Webzilla is owned by XBT Holdings, a Cyprus-based company that has the unusual distinction of being the first foreign company allowed to operate servers in Russia. It was identified in the controversial dossier compiled by former British spy Christopher Steele, whose unverified raw intelligence — some proven true, some false — included allegations that XBT/Webzilla used “botnets and porn traffic to transmit viruses, plant bugs [and] steal data” in a hack against the Democratic Party leadership during the 2016 election cycle.
The dossier was published by online news outlet BuzzFeed in January 2017, contributing to what became a full-blown Justice Department probe into Russian interference, led by Special Counsel Robert Mueller III. That probe led to indictments in February 2018 against 13 Russians and three Russian companies for election interference and “information warfare.”
Webzilla has been accused of looking the other way on copyright violations, and more recently a McClatchy-Miami Herald investigation in March 2019 showed how Webzilla servers had been used by purveyors of the Methbot advertising scam to steal away more than $36 million in online video advertising dollars. In both of those stories, the company said it acts on information when alerted by authorities and can’t always know what its users are up to.
XBT/Webzilla and its principal owner, Aleksej Gubarev, strongly denied the dossier allegations and sued BuzzFeed in South Florida for defamation, losing. The companies are now arguing their case on appeal. The company last Friday declined to comment for this story, citing ongoing litigation against Steele in Great Britain.
However, internet diagnostic tools showed that on Saturday, right after McClatchy and the Miami Herald made inquiries to Webzilla, a relocation of the websites began, and by Monday all three IRIB-linked sites had been moved to a web-hosting company in Denmark called Sentia. Company officials there did not return calls and emails asking if they were aware they were hosting an Iranian government-tied website.
Information shared with McClatchy and the Miami Herald and verified by five independent experts had shown that Iran’s state broadcaster, placed under sanctions by the Obama administration in 2013, was being at least partly hosted by Webzilla servers in the United States.
Urmedium.com, created just last year, started briefly on the same Iranian server block that is registered to presstv.com before it was moved to the U.S.-based Webzilla network. Servers are the hardware that enables the hosting of websites and the sending and receiving of information over the internet.
Presstv.com, hispantv.com and urmedium.com all have specific Internet Protocol addresses that showed they were being hosted on the Webzilla network. An IP address is a unique string of numbers that identifies each computer communicating over a given network, sort of like a home address.
This was also confirmed by Webzilla’s Autonomous System Number, which denotes the large blocks of IP addresses it controls. A search of Webzilla’s ASN showed that hispanTV’s IP address was used mostly by porn companies hosted by Webzilla up until 2016, with domain names such as drboner.com and devilswife.com. Then the address was largely inactive until Dec. 16, 2019, when it began being used by hispanTV.
Most large companies or government agencies operate their own network and host their own websites, or they contract out the hosting to a mainstream service provider.
But deep in the technical records that detail where a domain’s services are located are identifiers that show that IRIB relies on telecommunications company Viettel in Cambodia to run HispanTV’s mail server, which is akin to a postman that delivers outgoing emails and receives incoming ones. The same records show Webzilla has been hosting HispanTV’s videos.
Similarly, the presstv.com website was — until Monday — hosted on Webzilla’s U.S. infrastructure and has multiple mail servers abroad, including one in China since November 2019.
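As an added illustration that is not part of the article, the attribution described above can be reproduced on constructed data: resolve a domain’s web, video and mail hosts, then map each address to the network block (ASN) it falls in by longest-prefix match, which is how split hosting like the arrangement described here becomes visible. The domain names, addresses (RFC 5737 documentation ranges), ASNs and organisation names are placeholders, not the real networks in the story.

```python
import ipaddress

# Constructed stand-ins for what an ASN/whois database would return.
# (prefix, ASN, organisation) - placeholders, not real networks.
ASN_TABLE = [
    ("203.0.113.0/24", 64500, "Hosting-Co US (placeholder)"),
    ("203.0.113.128/25", 64501, "Hosting-Co US, reassigned sub-block (placeholder)"),
    ("198.51.100.0/24", 64502, "Telco KH (placeholder)"),
    ("192.0.2.0/24", 64503, "Broadcaster home network (placeholder)"),
]

# Constructed stand-in for DNS answers: A records for hosts, MX for the zone.
DNS = {
    "www.example-tv.test": {"A": "203.0.113.20"},
    "video.example-tv.test": {"A": "203.0.113.130"},
    "example-tv.test": {"MX": "mail.example-tv.test"},
    "mail.example-tv.test": {"A": "198.51.100.25"},
}


def lookup_asn(ip, table=ASN_TABLE):
    """Longest-prefix match of an address against the table; None if no block covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn, org in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, org)
    return None if best is None else (best[1], best[2])


def attribute_services(domain, dns=DNS, table=ASN_TABLE):
    """Map each service of a domain to (ip, asn, org). Mail goes MX -> host -> A record."""
    hosts = {
        "web": dns["www." + domain]["A"],
        "video": dns["video." + domain]["A"],
        "mail": dns[dns[domain]["MX"]]["A"],
    }
    return {svc: (ip,) + lookup_asn(ip, table) for svc, ip in hosts.items()}


def split_infrastructure(attribution):
    """True when a domain's services sit in more than one ASN (web here, mail elsewhere)."""
    return len({asn for _ip, asn, _org in attribution.values()}) > 1


if __name__ == "__main__":
    attr = attribute_services("example-tv.test")
    for svc, (ip, asn, org) in attr.items():
        print(f"{svc:6s} {ip:16s} AS{asn}  {org}")
    print("split across networks:", split_infrastructure(attr))
```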
“That’s just so bizarre. It’s not the way a traditional organization would run,” Gary Warner, director of computer-forensics research at the University of Alabama-Birmingham and a recognized cyber sleuth, said of the hosting arrangement. “There’s just no legitimate reason to do that. … It really smells of trying to put infrastructure in places it can’t be reached through traditional legal processes.”
“Much of the talent and infrastructure appears to be homegrown [Iranian], as those with talents and skills were encouraged to continue their professional development and share their knowledge and understanding with others,” said Brian Moran, a former Air Force digital forensics analyst who now runs his own firm, BriMor Labs. “This has resulted in the Iranian capabilities evolving from those with little more than run-of-the-mill tactics to an adversary that conducts activities and operations with the skill and precision of nation-states that have long been considered as more sophisticated adversaries.”
In a nod to that sophistication, the Justice Department on Oct. 7 announced it had seized the 92 domain names it said were misused by Iran to covertly engage in a global disinformation campaign. The seizure was described as a collaborative effort between the FBI and social media companies Google, Facebook and Twitter. The domains were registered through Go Daddy and OnlineNIC — both in Arizona — and NameCheap, based in San Leandro, California.
Those seizures underscore how unusual it is that IRIB-controlled domains like Press TV and HispanTV have been reaching Americans through domains hosted by Webzilla in the United States.
Is it illegal?
It would appear to be, under the justifications used for the Justice Department action. The Justice Department cited the broad prohibition on doing business with Iranian government entities, and it linked the websites directly to a specific sanctioned entity, the Revolutionary Guards.
In the 134-page affidavit supporting the takedowns, the FBI noted that one of the affected domains, iraqnews.com, plagiarized information from several sources “including from the Iranian media outlet Press TV, a network affiliated with the Iranian state-owned Islamic Republic of Iran Broadcasting [IRIB].”
The affidavit also said that because the U.S.-registered websites represented a foreign government they should have registered with the Justice Department under the Foreign Agents Registration Act, or FARA.
Press TV does not appear to have registered under FARA, although a New Mexico-based journalist, Yuram Abdullah Weiler, registered in July with the Justice Department as a writer for Press TV.
Several Iran experts and former administration officials steered clear of comment. A lawyer involved in Iran sanctions litigation said on the face of it Webzilla seems to have violated U.S. sanctions laws. There are some exceptions where a general license could be granted, said the lawyer, who demanded anonymity in order to discuss the sensitive matter. The quick move to shift the websites overseas suggests there was no such license.
IRIB was blacklisted by the Obama administration’s sanctions in February 2013 for human rights abuses; the administration accused Iran of using the broadcaster to “trample dissent” by airing forced confessions of political opponents. It also accused Iran of trying to jam local broadcasts of the Voice of America and the BBC.
Then in pursuit of a deal to limit Iran’s nuclear ambitions, the same administration a year later waived a prohibition on providing satellite services to IRIB, meaning it could be carried by a service like DirecTV. That waiver has been granted on an annual basis ever since, although sanctions remain, according to a July 2020 report by the Congressional Research Service, a research arm of Congress.
When IRIB was first sanctioned, U.S. and European satellite broadcast providers dropped Iranian channels and for the most part they remain off despite the annual waiver. IRIB has managed to skirt some of that by using smaller companies in less-developed countries and focusing its resources on television over the internet.
IRIB’s websites in the United States operate much like Russia’s state-run RT or Sputnik, pushing pro-regime messages and attacking the United States and its policy priorities.
In its About Us section, Tehran-based presstv describes its vision as “Heeding the often neglected voices and perspectives of a great portion of the world.”
On Sept. 30, the day after the first U.S. presidential debate, presstv headlines questioned the integrity of American elections and attacked German Chancellor Angela Merkel for visiting poisoned Russian dissident Alexei Navalny.
That same morning, hispantv.com’s main story was Venezuelan strongman Nicolás Maduro’s new anti-blockade law attacking U.S. imperialism and another labeling the presidential debate an embarrassment for the United States.
It’s unclear if the Treasury Department, which monitors efforts to skirt U.S. sanctions on Iran, is aware that IRIB had been using Webzilla’s U.S.-based platform. The agency declined to comment. The Justice Department declined to comment but provided its lengthy affidavit from the Oct. 7 domain takedowns.
Beyond having hosted Iranian websites, Webzilla also appears in the FinCEN Files, a leak of secret bank documents published last month involving Suspicious Activity Reports (SARs) sent by financial institutions to the U.S. Treasury Department.
SARs are required under the Bank Secrecy Act and are not proof of a crime, functioning more like unverified intelligence tips to alert authorities. The FinCEN Files involve a leak of 2,100 such reports, which were obtained by online news outlet BuzzFeed and shared with the International Consortium of Investigative Journalists. It assembled a team of about 400 journalists in 88 countries — including journalists from McClatchy, the Miami Herald and El Nuevo Herald — for a series of stories across the globe that began publishing on Sept. 20 and continue to be released.
Webzilla appears in a Barclays Bank filing in New York about Maxim Polyakov, a Ukrainian businessman who grew wealthy from adult websites such as shagaholic.com, UpforIt.com and saucysingles.com. They were owned by Alcuda Limited, his offshore company, and the bank report to Treasury’s Financial Crimes Enforcement Network listed Webzilla as the domain hosting company for these sites.
Websites tied to Alcuda, 39 in all and many hosted on Webzilla, offered webcam services, pornography and modern-day mail-order brides. Customers paid by the minute for time spent watching their “potential match.”
None of that is illegal. The regulatory filing cited suspicious wire transfers and possible fraud on the adult-dating sites over a period from May 2011 to April 2015 and included concerns about an unclear age verification process for Alcuda’s websites hosted by Webzilla.
The suspicious activity report from Barclays also cited a Google Diagnostics page that revealed hundreds of Webzilla-hosted websites were associated with malicious software that installed itself without user consent. It said that “655 sites served content that resulted in malicious software being downloaded and installed without user consent.”