Iranian Cyber Group Emennet Pasargad’s Expanding Operations Targeting Global Networks

by do son · October 31, 2024

A joint cybersecurity advisory from the FBI, U.S. Department of Treasury, and Israel National Cyber Directorate has revealed new tactics employed by the Iranian cyber group Emennet Pasargad (operating under Aria Sepehr Ayandehsazan or ASA). Known in the private sector as Cotton Sandstorm and Haywire Kitten, this group has escalated its activities, employing new infrastructure and expanded targeting techniques across multiple sectors, including the 2024 Summer Olympics and prominent international entities. The advisory warns of ASA’s growing capabilities in cyber-enabled information operations and system compromises, underscoring the need for heightened vigilance.

ASA’s evolving operations have taken a multi-faceted approach. According to the advisory, the group has exhibited “a myriad of cover personas, including multiple cyber operations… targeting the 2024 Summer Olympics.” Notably, Emennet Pasargad compromised a French display provider to spread disinformation, signaling the group’s willingness to integrate psychological and digital components into its strategy. In another example, ASA targeted IP cameras to gather live footage in sensitive locations, including Israel and Gaza, to support its narrative-driven campaigns. The advisory highlights that “ASA enumerated IP addresses running the Real Time Streaming Protocol… in Israel, Gaza, and Iran,” gaining access to sensitive visual data that could be used for propaganda purposes.

ASA’s infrastructure strategies are sophisticated and reveal efforts to mask the origin of its operations. Using fictitious hosting providers, ASA created “Server-Speed” and “VPS-Agent” to source server space from Europe-based vendors, including BAcloud and Stark Industries Solutions. This infrastructure serves to “centralize and manage provisioning of operational infrastructure while providing plausible deniability.” Additionally, these cover providers have supplied hosting for controversial sites, such as Hamas-affiliated domains, strengthening ASA’s ties with regional cyber actors. In July 2024, ASA pivoted its operations, using this infrastructure to launch targeted influence campaigns during the 2024 Olympic and Paralympic Games in France.

(Images of vps-agent[.]net website)

ASA has expanded its use of artificial intelligence to generate and distribute fake content. During its “For-Humanity” campaign, ASA deployed an AI-generated anchor to broadcast manipulated narratives, illustrating the group’s pivot toward more sophisticated AI-enhanced disinformation tactics. The advisory states, “This is consistent with a greater ASA effort to incorporate AI-related services,” citing tools like Remini AI Photo Enhancer and Voicemod for voice modulation, creating a hyper-realistic threat landscape where disinformation is seamlessly integrated into digital communication.

In response to ASA’s enhanced tactics, the advisory recommends a series of mitigations, including close monitoring of VPN-based authentications and the deployment of demilitarized zones (DMZ) to isolate public-facing applications from core networks. Emphasis is placed on “regular updates to applications and the host operating system to ensure protection against known vulnerabilities,” as ASA has leveraged outdated system defenses in previous campaigns. To help organizations defend against ASA’s infrastructure reconnaissance techniques, the advisory advises employing Web Application Firewalls (WAFs) and input validation checks to limit ASA’s ability to manipulate and penetrate network defenses.