An Iranian cyber-operations group, Emennet Pasargad — also known as Cotton Sandstorm — has broadened its attacks, expanding its targets beyond Israel and the United States and targeting new IT assets, such as IP cameras.
In an advisory published last week, the US Departments of Justice and Treasury — along with the Israel National Cyber Directorate (INCD) — called out the change in tactics and noted that the group had provided resources and infrastructure services to Middle Eastern threat groups by operating as a legitimate company, Aria Sepehr Ayandehsazan (ASA). In addition, since the beginning of the year, Emennet Pasargad has scanned for IP cameras, targeted organizations in France and Sweden, and actively probed a variety of election sites and systems, according to the government advisory.
"Similar to the Emennet campaign that targeted the 2020 U.S. Presidential election, the FBI judges the group's recent campaigns include a mix of computer intrusion activity and exaggerated or fictitious claims of access to victim networks or stolen data to enhance the psychological effects of their operations," the advisory stated.
The latest intelligence highlights Iran's increasing use of cyber operations as a way to target its perceived enemies. In 2020 and 2022, Emennet Pasargad created disinformation campaigns to target the US presidential and midterm elections, posing as Proud Boys volunteers and sending fake videos to Republican lawmakers. The US Department of Justice indicted two Iranian nationals for the crimes, as well as for sending threats through email and attempting to hack election websites.
Over the past year, Iran has stepped up its attempts to use cyberattacks to disrupt its enemies using bolder tactics, says John Fokker, head of threat intelligence for Trellix, a threat detection and response firm.
"Since October 2023, the beginning of the Israeli-Palestine crisis, Iranian hackers have intensified their activities against the United States and Israel, targeting critical sectors such as government, energy, and finance," he says. "We have observed Iran-linked actors disrupting organizations by stealing sensitive data, conducting denial-of-service attacks, and also deploying destructive malware such as ransomware or wiper strains, like the Handala wiper."
Iranian Cyberattackers Broaden Their Sights
Emennet Pasargad often operates behind a purportedly legitimate IT services company, ASA, using that front to procure services, including large language model (LLM) services, and to scan for IP cameras and harvest data from them. The group has "used several cover hosting providers for infrastructure management and obfuscation," the Joint Cybersecurity Advisory added.
The use of a cover organization to hide operations and make them seem legitimate is a common approach for Iranian threat actors, says Tomer Bar, vice president of security research at SafeBreach, a breach and attack simulation platform provider that has offices in Tel Aviv. For instance, Charming Kitten, or APT35, conducted reconnaissance and attacks under the guise of two companies, Najee Technology and Afkar System, which were sanctioned by the US Treasury Department in 2022.
"The usage of a cover company is not new, and it has been used by Iran both for espionage and distractive purposes," Bar says.
It also gives groups the ability to use commercial services as part of their infrastructure and hide their activities — for a time, says Trellix's Fokker.
"Threat actors have to acquire resources, software and hosting for their illicit activities," he says. "Having a 'legitimate' front company will make it easier to acquire these services and can serve as additional backstopping to give a plausible deniability."
Governments, Businesses Should Take Stock
The changing tactics underscore that organizations need to continually adjust their defenses to head off threat groups. Companies and government agencies should only buy technology and software from trusted vendors, and should make sure that those vendors have their own supply chain validation and vulnerability-remediation processes.
The Joint Cybersecurity Advisory called for organizations to review any successful authentications to network or cloud services that originate from the address space of commercial virtual private network services, such as Private Internet Access, ExpressVPN, and NordVPN. In addition to regularly applying updates and maintaining a resilient, tested backup process, companies should consider placing internet-facing assets in a "demilitarized zone" (DMZ) separated from the corporate network, validating user input in exposed applications, and implementing least-privilege policies across their networks and applications.
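The authentication review the advisory asks for is straightforward to automate once you have a list of the VPN providers' exit-node prefixes. The following is an added example (not code from the advisory, Dark Reading, or any vendor quoted here): it reads JSON-lines authentication events, keeps only successful logins, and flags those whose source address falls in a provider prefix. The prefixes and log lines are constructed for the example, using RFC 5737/3849 documentation ranges in place of any real provider addresses; in practice you would replace them with a maintained feed and point the function at your identity provider's sign-in export.

```python
"""Flag successful logins whose source IP belongs to a commercial VPN provider.

Added example, not from the advisory. Provider names and prefixes below are
placeholders (documentation ranges), not real ExpressVPN/NordVPN/PIA addresses.
"""
import ipaddress
import json

# Placeholder provider prefixes (RFC 5737 / RFC 3849 documentation space).
# Replace with a maintained list of the providers named in the advisory.
VPN_PROVIDER_PREFIXES = {
    "ExampleVPN-A": ["192.0.2.0/24"],
    "ExampleVPN-B": ["198.51.100.0/25", "2001:db8:1::/48"],
}

# Constructed sample sign-in events, one JSON object per line.
# 198.51.100.200 is outside the /25 above and must NOT be flagged; bob's
# failed attempt must be ignored; the garbage line must be skipped.
SAMPLE_LOG = """\
{"ts":"2024-10-28T08:12:01Z","user":"alice","src":"203.0.113.7","result":"success","service":"vpn-gateway"}
{"ts":"2024-10-28T08:13:45Z","user":"bob","src":"192.0.2.55","result":"success","service":"m365"}
{"ts":"2024-10-28T08:14:10Z","user":"bob","src":"192.0.2.55","result":"failure","service":"m365"}
not valid json
{"ts":"2024-10-28T09:02:33Z","user":"carol","src":"198.51.100.20","result":"success","service":"okta"}
{"ts":"2024-10-28T09:05:00Z","user":"dave","src":"2001:db8:1::42","result":"success","service":"okta"}
{"ts":"2024-10-28T09:06:00Z","user":"erin","src":"198.51.100.200","result":"success","service":"okta"}
"""


def build_matcher(prefixes):
    """Return a function mapping an IP string to a provider name (or None)."""
    nets = [
        (ipaddress.ip_network(cidr, strict=False), provider)
        for provider, cidrs in prefixes.items()
        for cidr in cidrs
    ]

    def lookup(ip_str):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:  # malformed or missing source field
            return None
        for net, provider in nets:
            if ip.version == net.version and ip in net:
                return provider
        return None

    return lookup


def flag_vpn_logins(log_text, prefixes=VPN_PROVIDER_PREFIXES):
    """Return successful sign-ins sourced from a VPN-provider prefix.

    Each hit is a dict with ts, user, src, service and the matched provider.
    Failed attempts are skipped: the advisory is about successful access.
    """
    lookup = build_matcher(prefixes)
    hits = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # tolerate junk lines in an export
        if event.get("result") != "success":
            continue
        provider = lookup(event.get("src", ""))
        if provider is None:
            continue
        hits.append({
            "ts": event.get("ts"),
            "user": event.get("user"),
            "src": event.get("src"),
            "service": event.get("service"),
            "provider": provider,
        })
    return hits


def users_to_review(hits):
    """Collapse hits to {user: sorted list of services} for a triage queue."""
    by_user = {}
    for h in hits:
        by_user.setdefault(h["user"], set()).add(h["service"])
    return {u: sorted(s) for u, s in by_user.items()}


if __name__ == "__main__":
    found = flag_vpn_logins(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["user"]:<6} {h["src"]:<18} {h["service"]:<12} via {h["provider"]}')
    print(users_to_review(found))
```

A hit here is a lead, not a verdict: staff do use consumer VPNs, so the useful next step is correlating each flagged user with impossible-travel distance, new-device enrollment, and MFA method changes before escalating.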
SafeBreach has observed attackers regularly scanning LinkedIn for workers who announce a new position, then sending those workers a spear-phishing text or email that poses as a company administrator and asks them to log into a corporate system. The link leads to a credential-harvesting page, through which the attackers capture the victim's credentials.
Trellix's Fokker also stressed that companies should focus on their connected devices: patching cameras and other hardware, using network segmentation to isolate them, and regularly scanning their own IP space before an attacker does.
"More and more governments are exploring the proactive scanning of IP spaces and notification of domestic organizations as an additional layer on top of stronger manufacturer requirements," he says. "First and foremost, it should be the responsibility of the organization itself. However, it will help if the government assists in this process and alerts unknowing organizations of their vulnerable cameras."