In recognition of the group’s prolific production and its transient nature, Citizen Lab labeled it “Endless Mayfly,” after the gangly, short-lived insects that hatch and swarm every summer. Citizen Lab said it cannot say for certain that the operation was sponsored by the Iranian government. But it noted that Facebook and Twitter removed hundreds of accounts last August linked to the same operation, and Facebook said those accounts had ties to Iranian state media.

Etienne Maynier, another author of the Citizen Lab report, said Endless Mayfly’s articles “frequently echoed official comments and positions of the Iranian government.”

The Iranian government denied any connection to the group.

“These claims are nothing but part of the propaganda campaign against Iran,” said Alireza Miryousefi, a spokesman for the Iranian mission to the United Nations. “The suggestion that the Iranian government is — with all the diplomatic efforts it is engaged in on a daily basis — involved in a silly online ‘fake news’ effort is on its face ridiculous. Linking anybody who does not agree with Israeli or Saudi policies to the Iranian government is simply absurd.”

Raz Zimmt, an expert on Iran at Israel’s Institute for National Security Studies, a think tank affiliated with Tel Aviv University, and a former Israeli military intelligence officer, said Iran has turned to cyberattacks and online influence campaigns in part because of military weakness. In addition, he said, such hard-to-trace operations allow Iran “to maintain the ambiguity needed to reduce the risk of open confrontation with opponents who maintain a military superiority over it.”

In setting up its ephemeral websites, the Endless Mayfly group used one tactic familiar from phishing operations: “typosquatting,” in which a website is created under a name a letter or two off from a well-known institution. Endless Mayfly used “theguaradian.com” to mimic “theguardian.com” and “theatlatnic.com” in place of “theatlantic.com.”

Researchers at Citizen Lab got their first clue in April 2017, after users on Reddit noticed an article on Brexit that appeared to be from the British newspaper The Independent actually came from a site spelled differently: “http://www.indepnedent.co/.” But when readers later tried to return to the article, they were sent to the actual newspaper’s official site. The article’s authors had deleted the fake one but changed the link to reinforce the impression that it had originated on the real newspaper’s site.