Cyber Defense Advisors

Inside Iran’s Cyber Playbook: AI, Fake Hosting, and Psychological Warfare

U.S. and Israeli cybersecurity agencies have published a new advisory attributing to an Iranian cyber group the targeting of the 2024 Summer Olympics, including the compromise of a French commercial dynamic display provider that was used to show messages denouncing Israel's participation in the sporting event.

The activity has been attributed to an entity known as Emennet Pasargad, which the agencies said has been operating under the cover name Aria Sepehr Ayandehsazan (ASA) since mid-2024. It is tracked by the broader cybersecurity community as Cotton Sandstorm, Haywire Kitten, and Marnanbridge.

“The group exhibited new tradecraft in its efforts to conduct cyber-enabled information operations into mid-2024 using a myriad of cover personas, including multiple cyber operations that occurred during and targeting the 2024 Summer Olympics – including the compromise of a French commercial dynamic display provider,” according to the advisory.

The U.S. Federal Bureau of Investigation (FBI), the Department of the Treasury, and the Israel National Cyber Directorate said ASA also stole content from IP cameras and used artificial intelligence (AI) software, such as Remini AI Photo Enhancer, Voicemod and Murf AI (voice modulation), and Appy Pie (image generation), to produce propaganda.


Assessed to be part of Iran’s Islamic Revolutionary Guard Corps (IRGC), the threat actor is known for its cyber and influence operations under the personas Al-Toufan, Anzu Team, Cyber Cheetahs, Cyber Flood, For Humanity, Menelaus, and Market of Data, among others.

One of the newly observed tactics concerns the use of fictitious hosting resellers to provision operational server infrastructure for its own purposes as well as to an actor in Lebanon for hosting Hamas-affiliated websites (e.g., alqassam[.]ps).

“Since approximately mid-2023, ASA has used several cover hosting providers for infrastructure management and obfuscation,” the agencies said. “These two providers are ‘Server-Speed’ (server-speed[.]com) and ‘VPS-Agent’ (vps-agent[.]net).”

“ASA set up its own resellers and procured server space from Europe-based providers, including the Lithuania-based company BAcloud and Stark Industries Solutions/PQ Hosting (located in the United Kingdom and Moldova, respectively). ASA then leverages these cover resellers to provision operational servers to its own cyber actors for malicious cyber activities.”

The attack directed against the unnamed French commercial display provider took place in July 2024 using VPS-Agent infrastructure. It sought to display photo montages criticizing the participation of Israeli athletes in the 2024 Olympic and Paralympic Games.

Furthermore, ASA is alleged to have attempted to contact family members of Israeli hostages following the outbreak of the Israel-Hamas war in early October 2023, using the persona Contact-HSTG to send messages likely to "cause additional psychological effects and inflict further trauma."

The threat actor has also been linked to another persona known as Cyber Court, which promoted the activities of several cover hacktivist groups that ASA itself runs, via a Telegram channel and a dedicated website set up for this purpose ("cybercourt[.]io").


Both the domains, vps-agent[.]net and cybercourt[.]io, have been seized following a joint law enforcement operation undertaken by the U.S. Attorney’s Office for the Southern District of New York (SDNY) and the FBI.
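The advisory coverage above names four defanged domains: the two cover resellers (server-speed[.]com, vps-agent[.]net), the Cyber Court site (cybercourt[.]io), and the Hamas-affiliated site hosted for the Lebanon-based actor (alqassam[.]ps). The script below is an added example, not part of the original article or the advisory, showing how a defender would refang those indicators and hunt for them in historical proxy or DNS logs. The four-field log format and the sample log lines are constructed for the example; the matching deliberately treats subdomains of an indicator as hits while rejecting look-alikes such as `vps-agent.net.example.com` or `notvps-agent.net`, which naive substring searches would flag.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Defanged indicators as they appear in the advisory coverage above.
DEFANGED_IOCS = [
    "server-speed[.]com",
    "vps-agent[.]net",
    "cybercourt[.]io",
    "alqassam[.]ps",
]


def refang(indicator: str) -> str:
    """Turn a defanged domain such as 'vps-agent[.]net' back into 'vps-agent.net'."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower()


def matches_ioc(hostname: str, ioc_domains: Iterable[str]) -> Optional[str]:
    """Return the matching indicator if hostname equals it or is a subdomain of it.

    'panel.vps-agent.net' matches 'vps-agent.net'; 'vps-agent.net.example.com'
    and 'notvps-agent.net' do not. Case and a trailing dot are ignored.
    """
    host = hostname.strip().lower().rstrip(".")
    for ioc in ioc_domains:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Assumed (hypothetical) log format for the example:
# "<timestamp> <src_ip> <hostname> <status>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def scan_log(lines: Iterable[str],
             iocs: Iterable[str] = DEFANGED_IOCS) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src_ip, matched_ioc) for every log line touching an IOC domain."""
    domains = [refang(i) for i in iocs]
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, src, host, _status = m.groups()
        ioc = matches_ioc(host, domains)
        if ioc:
            hits.append((ts, src, ioc))
    return hits


# Constructed sample log lines; not real traffic.
SAMPLE_LOG = """\
2024-07-20T10:01:02Z 10.0.0.5 www.example.com 200
2024-07-20T10:01:09Z 10.0.0.8 panel.vps-agent.net 200
2024-07-20T10:02:11Z 10.0.0.9 vps-agent.net.example.com 200
2024-07-20T10:02:40Z 10.0.0.7 notvps-agent.net 200
2024-07-20T10:03:15Z 10.0.0.6 CYBERCOURT.IO. 301
2024-07-20T10:04:00Z 10.0.0.4 server-speed.com 403
"""

if __name__ == "__main__":
    for ts, src, ioc in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ts} {src} -> {ioc}")
```

Because vps-agent[.]net and cybercourt[.]io have been seized, live resolutions now point at law-enforcement infrastructure; the value of this check is in historical logs, where a hit dates a host's contact with the reseller or persona infrastructure before the takedown.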

That’s not all. Following the outbreak of the war, ASA is believed to have pursued efforts to enumerate and obtain content from IP cameras in Israel, Gaza, and Iran, as well as to harvest information about Israeli fighter pilots and unmanned aerial vehicle (UAV) operators through sites like knowem.com, facecheck.id, socialcatfish.com, ancestry.com, and familysearch.org.

The development comes as the U.S. Department of State has announced a reward of up to $10 million for information leading to the identification or whereabouts of people associated with an IRGC-associated hacking group dubbed Shahid Hemmat for targeting U.S. critical infrastructure.

“Shahid Hemmat has been linked to malicious cyber actors targeting U.S. defense industry and international transportation sectors,” it said.

“As a component of IRGC-CEC [Cyber-Electronic Command], Shahid Hemmat is connected to other IRGC-CEC associated individuals and organizations including: Mohammad Bagher Shirinkar, Mahdi Lashgarian, Alireza Shafie Nasab, and the front company Emennet Pasargad, Dadeh Afzar Arman (DAA), and Mehrsam Andisheh Saz Nik (MASN).”
