Iranian Advanced Persistent Threat Targets IP Cameras, Expands Cyberattacks Across Borders

Iranian cyber-operations group Emennet Pasargad, also known as Cotton Sandstorm, has expanded its targets beyond Israel and the United States, focusing on new IT assets like IP cameras, according to a recent advisory issued by the US Departments of Justice and Treasury, along with the Israel National Cyber Directorate (INCD).

The advisory highlighted the group’s shift in tactics, noting that Emennet Pasargad had started providing resources and infrastructure services to other Middle Eastern threat groups under the guise of a legitimate company called Aria Sepehr Ayandehsazan (ASA). The group has been actively scanning for IP cameras, targeting organizations in France and Sweden, and probing various election sites and systems since the beginning of the year.

The FBI, in evaluating the group’s recent campaigns, emphasized the use of computer intrusion activities and exaggerated or false claims of accessing victim networks or stolen data to amplify the psychological impact of their operations.

Iran’s increasing reliance on cyber operations to target its adversaries has been evident in recent years. Emennet Pasargad engaged in disinformation campaigns during the 2020 US presidential election and the midterm elections in 2022, posing as Proud Boys volunteers and sending fake videos to Republican lawmakers. The US Department of Justice indicted two Iranian nationals for these activities, which also included sending threats via email and attempting to hack election websites.

According to John Fokker, the head of threat intelligence at Trellix, a threat detection and response firm, Iran has ramped up its cyberattacks since the start of the Israel-Palestine crisis in October 2023. The targets have included critical sectors such as government, energy, and finance, with Iran-linked actors engaging in data theft, denial-of-service attacks, and the deployment of destructive malware such as ransomware and wiper strains like the Handala wiper.

Emennet Pasargad often operates by masquerading as a legitimate IT services company (ASA) to access large language model services and gather data on IP cameras. The group has utilized various hosting providers to manage infrastructure and obfuscate its activities, as outlined in a joint cybersecurity advisory.

Tomer Bar, vice president of security research at SafeBreach, noted that using a cover organization to conceal operations and appear legitimate is a common strategy for Iranian threat actors. This approach allows threat groups to leverage commercial services while hiding their malicious activities.

Furthermore, Fokker emphasized the need for organizations to continually adapt their defenses against evolving threats. Companies and government agencies are urged to purchase technology and software only from trusted vendors, ensuring that these vendors have robust supply chain validation and vulnerability mitigation processes in place.

The advisory also recommended that organizations review authentications to network or cloud services originating from commercial VPN services such as Private Internet Access, ExpressVPN, and NordVPN. Regularly applying updates, establishing resilient backup procedures, deploying a DMZ between internet-facing assets and corporate networks, validating user input, and implementing least-privilege policies were among the other suggested security measures.
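One way to act on the advisory's VPN-review recommendation is to match authentication log source addresses against the exit ranges the named providers publish. The example below is added here and is not from the advisory; the CIDR ranges and log lines are constructed placeholders (documentation address space), so a real deployment would load current provider or threat-intel exit lists instead.

```python
"""Flag authentication events whose source IP sits in a commercial VPN
provider's exit ranges. Added example; ranges and log lines are constructed."""
import ipaddress
import re

# Constructed placeholder ranges (RFC 5737 / RFC 3849 space), NOT the
# providers' real allocations: replace with published exit lists or a feed.
VPN_RANGES = {
    "Private Internet Access": ["198.51.100.0/24"],
    "ExpressVPN": ["203.0.113.0/25"],
    "NordVPN": ["203.0.113.128/25", "2001:db8:abcd::/48"],
}

# Constructed sample auth log in a generic key=value form.
SAMPLE_LOG = """\
2024-11-01T08:02:11Z auth user=alice src=10.0.4.17 result=success
2024-11-01T08:05:43Z auth user=bob src=198.51.100.77 result=success
2024-11-01T08:06:02Z auth user=carol src=203.0.113.200 result=failure
2024-11-01T08:07:30Z auth user=dave src=2001:db8:abcd::1 result=success
2024-11-01T08:09:15Z auth user=erin src=192.0.2.9 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def compile_ranges(ranges):
    """Parse CIDR strings once so per-line lookups are cheap."""
    return [(prov, ipaddress.ip_network(c, strict=False))
            for prov, cidrs in ranges.items() for c in cidrs]


def vpn_provider(ip_str, nets):
    """Return the provider name whose range contains ip_str, else None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:  # malformed address field: skip rather than crash
        return None
    for prov, net in nets:
        if ip.version == net.version and ip in net:
            return prov
    return None


def flag_vpn_logins(log_text, ranges=VPN_RANGES):
    """Return records (success and failure) that came through a VPN range."""
    nets = compile_ranges(ranges)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and (prov := vpn_provider(m["src"], nets)):
            hits.append({**m.groupdict(), "provider": prov})
    return hits
```

Failed attempts are kept on purpose: a burst of failures from VPN exits is often the credential-stuffing precursor to the single success worth investigating.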

SafeBreach has observed attackers scanning LinkedIn for employees who update their profiles with new positions, followed by spear-phishing attempts to capture credentials. Fokker advised companies to focus on securing connected devices, applying patches, using network segmentation, and regularly scanning their IP space to mitigate potential threats.

In conclusion, as Iranian cyber attackers broaden their targets and tactics, governments and businesses must remain vigilant and proactive in bolstering their cybersecurity defenses to fend off potential cyber threats effectively. By adopting robust security measures and staying abreast of emerging cyber threats, organizations can mitigate the risks posed by malicious threat actors like Emennet Pasargad.
