Public records combined with documents leaked by Iranian anti-government groups suggest that several Middle Eastern cybersecurity firms are part of complex networks of government officials and cybersecurity specialists that have links to the Iranian Revolutionary Guard Corps.
The contractor firms, such as Emen Net Pasargad and Mahak Rayan Afraz (MRA), are responsible for — or have contributed to — attacks on democratic processes in Western countries, the targeting of industrial control systems and critical infrastructure, and compromises at major financial institutions, Recorded Future stated in a recent report.
In the cybersecurity community, the contractors are suspected to be linked to the activities of the Cotton Sandstorm and Imperial Kitten — also known as Crimson Sandstorm — threat actors, respectively.
Overall, the research and leaked data highlight networks of contractors and individuals responsible for cyber operations that constitute "cyber centers" linked to Iran's military and intelligence organizations, Recorded Future stated in the report.
"The leaks portray a long-standing relationship between intelligence and military organizations and Iran-based contractors," the report said. "Public records point to an ever-growing web of front companies connected via individuals known to serve various branches of the IRGC."
The effort to unmask Iran's cyber-operations groups comes as the nation's military and intelligence agencies ramp up attacks following Hamas's terrorist attack on Israeli civilians and Israel's ongoing military operations in Gaza. In December, pro-Iran hackers breached multiple water facilities across Western countries using Israeli-made programmable logic controllers and targeted Israeli critical infrastructure. In mid-December, Israeli officials claimed that Iran had breached a hospital, stealing 500 gigabytes of medical data.
The US had previously sanctioned groups connected to Iranian intelligence, following cyberattacks on critical infrastructure in the US and European countries. As a result of the sanctions, several contractors in Iran have shut down, but experts expect them to restart under different names, says Rafe Pilling, director of threat research for Secureworks' Counter Threat Unit (CTU).
"An organization like Emen Net Pasargad [has] essentially rebranded or changed his identity several times," he says, adding: "They [Iran] are leaning more heavily into the use of cybercrime and hacktivist personas in different parts of the world to kind of protect and obfuscate their identity."
Crime and Sanctions
The cyber center concept, which some anti-government groups refer to as "khyber centers," typically brings together multi-disciplinary groups of hackers and cybersecurity specialists with Iran's government organizations. In some cases, they provide certain services, such as access to compromised networks, to other groups, according to members of Recorded Future's Insikt threat-intelligence group who asked not to be named.
US government indictments and sanctions of Iranian individuals and suspected threat actors have been an effective tool in making business more difficult for the cyber-offensive contractors, the Recorded Future report stated. However, the international strategy is unlikely to deter Iran from continuing its cyber operations, according to the firm's researchers.
"As it pertains to the current conflict, ... the Islamic Republic is almost certainly framing their support for Hamas and Gazans as a legitimate cause justifying their involvement," the researchers stated, adding: "We have observed examples of persons associated with the Iranian cyber program claiming that sanctions would not deter their activities."
The companies are likely considered to be legitimate commercial entities in Iran, says Pilling. "The operational model that Iran uses ... is very much one where they use contractors — some people refer to them as front companies," he says. "Maybe they do other kind of like quasi-legitimate work in Iran, but they also essentially do government work, which is also probably considered legitimate, and that work just happens to be offensive cyber activity against perceived adversaries of Iran."
Not a Unique Business Arrangement
The Iranian contractors are not alone in their arrangements with government officials. Russia's cyber operations are often run by private companies, such as the Internet Research Agency, including massive disinformation campaigns that were launched prior to — and continue during — the invasion of Ukraine.
The contractors highlighted in the report are not only profiting from operations in Iran, but also across the border by selling services to other nations, likely including Iraq, Syria, and Lebanon, Recorded Future stated.
"Research on these groups has also highlighted financially motivated activities outside of Iran's borders that formalize the exportation of cyber technologies," the report stated. "While public information is still limited on this front, the cases identified in this research suggest that contractors rely on the IRGCQF to penetrate the highest levels of government to engage in presumably lucrative arrangements."