US, Israel Describe Iranian Hackers’ Targeting of Olympics, Surveillance Cameras 

The US and Israel have published an advisory describing the latest activities of Iranian cyber firm Emennet Pasargad, now called Aria Sepehr Ayandehsazan.

The United States and Israel this week published a cybersecurity advisory describing the latest activities of an Iranian threat group, including attacks targeting the recent Olympics and surveillance cameras.

The FBI has been tracking this group’s activities since 2020. The threat actor is known in the private sector as Cotton Sandstorm, Marnanbridge, and Haywire Kitten, but it’s probably best known as Emennet Pasargad, the name of the company that was until recently used as a front for the group’s activities.

According to the new advisory written by the FBI, the US Department of Treasury and Israel’s National Cyber Directorate, since mid-2024 the name of the front company has been Aria Sepehr Ayandehsazan (ASA). The company, which has been legally registered in Iran, is used for finance-related and HR purposes, among others. 

Emennet Pasargad, and now Aria Sepehr Ayandehsazan, have officially been providing cybersecurity services within Iran, including to government organizations. However, the US government has repeatedly warned that the firm has conducted malicious cyber operations.

Charges and sanctions were announced against the company and its employees in recent years over election-focused operations, as well as cyberattacks targeting various sectors in the United States, Europe and the Middle East. 

The threat actor, which often leverages hacktivist and cybercrime group personas, is known to aim many of its attacks at Israel.

The new report from the FBI shares the group’s latest tactics, techniques and procedures (TTPs) and describes some of its recent operations.

Investigations found that Aria Sepehr Ayandehsazan set up its own cover hosting providers to manage and hide its infrastructure. Two of these providers are called Server-Speed and VPS-Agent, and they have been used to provision operational servers and for hosting websites affiliated with the terrorist organization Hamas. 

According to the FBI, one ASA operation involved contacting the family members of Israeli people taken hostage by Hamas following the October 2023 attack, “likely in an effort to cause additional psychological effects and inflict further trauma”. 

In another influence operation, ASA hacked into the systems of a US-based IPTV streaming company to spread propaganda.

In July 2024, ahead of the Summer Olympics in France, the threat actor hacked a French commercial dynamic display provider in an effort to show photo montages denouncing the participation of Israeli athletes in the Olympics.

In addition, ASA has conducted IP camera hacking, mainly targeting devices in Israel, but also in Gaza and Iran. 

“ASA made images and content from Israeli cameras available for clients to access via several servers beginning in October 2023,” the advisory noted.

The agencies also pointed out that ASA has been using various AI services to generate photos and for voice modulation. OpenAI recently revealed that Iranian hackers had used ChatGPT to plan attacks on industrial control systems (ICS). 

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
