A recent report released by Recorded Future suggests that several Middle Eastern cybersecurity firms are part of complex networks of government officials and cybersecurity specialists linked to the Iranian Revolutionary Guard Corps, based on public records and documents leaked by Iranian anti-government groups.
According to the report, contractor firms such as Emen Net Pasargad and Mahak Rayan Afraz (MRA) are said to have contributed to attacks on democratic processes in Western countries, targeted industrial control systems and critical infrastructure, and compromised major financial institutions. These firms are suspected of being linked to the activity that the cybersecurity community tracks as the Cotton Sandstorm and Imperial Kitten (also known as Crimson Sandstorm) threat actors.
The leaked data highlights networks of contractors and individuals responsible for cyber operations that constitute “cyber centers” linked to Iran’s military and intelligence organizations, the report states. The leaked documents also depict a long-standing relationship between those intelligence and military organizations and Iran-based contractors.
The revelation comes as Iran’s military and intelligence agencies ramp up cyberattacks following Hamas’s terrorist attack on Israeli civilians and Israel’s ongoing military operations in Gaza. In December, pro-Iran hackers breached multiple water facilities across Western countries and targeted Israeli critical infrastructure using Israeli-made programmable logic controllers. Israeli officials also claimed that Iran had breached a hospital, stealing 500 gigabytes of medical data.
The US previously sanctioned groups connected to Iranian intelligence following cyberattacks on critical infrastructure in the US and European countries. As a result, several contractors in Iran have shut down, but experts expect them to restart under different names.
The report sheds light on the concept of “cyber centers,” which bring together multi-disciplinary groups of hackers and cybersecurity specialists with Iran’s government organizations. These centers provide certain services, such as access to compromised networks, to other groups.
US government indictments and sanctions of Iranian individuals and suspected threat actors have impacted the cyber-offensive contractors, making business more difficult for them. However, this strategy of indictments and sanctions is unlikely to deter Iran from continuing its cyber operations.
The companies identified in the report are likely considered to be legitimate commercial entities in Iran, possibly engaging in quasi-legitimate work while also conducting offensive cyber activity against perceived adversaries of Iran.
The report also highlights financially motivated activities outside of Iran’s borders, formalizing the exportation of cyber technologies by these contractors. This situation mirrors Russia’s use of private companies for cyber operations, such as the Internet Research Agency, which ran massive disinformation campaigns during the invasion of Ukraine.
Overall, the leaked data, combined with public records, has unveiled the extent to which Iranian contractor firms are part of a complex network with links to the Iranian Revolutionary Guard Corps, and their involvement in cyber operations targeting Western countries. The report also demonstrates that US sanctions have impacted the operations of these firms but are unlikely to completely deter their activities in the future.