U.S. and Israeli cybersecurity agencies have issued a new advisory attributing an Iranian cyber group to targeting the 2024 Summer Olympics and compromising a French commercial digital signage provider to display messages denouncing Israel’s participation at the sporting event.
The activity was attributed to an entity known as Emennet Pasargad which, according to the agencies, has been operating under the name Aria Sepehr Ayandehsazan (ASA) since mid-2024. It is tracked by the broader cybersecurity community under names such as Cotton Sandstorm, Haywire Kitten and Marnanbridge.
“The group demonstrated new expertise in its efforts to conduct cyber information operations through mid-2024 using a myriad of cover characters, including multiple cyber operations that took place during and targeting the 2024 Summer Olympics – including the compromise of a French commercial digital signage provider,” according to the advisory.
According to the US Federal Bureau of Investigation (FBI), the Treasury Department and the Israeli National Cybercrime Directorate, ASA also stole content from IP cameras and used artificial intelligence (AI) software such as Remini AI Photo Enhancer, Voicemod and Murf AI for voice modulation and Appy Pie for image generation to spread propaganda.
Believed to be part of Iran’s Islamic Revolutionary Guard Corps (IRGC), the threat actor is known for its cybersecurity and influence operations under the characters Al-Toufan, Anzu Team, Cyber Cheetahs, Cyber Flood, For Humanity, Menelaus and Market of Data, among others.
One recently observed tactic involves the use of fictitious hosting resellers to provide operational server infrastructure for its own operations as well as for an actor in Lebanon hosting websites affiliated with Hamas (e.g. alqassam(.)ps).
“Since approximately mid-2023, ASA has used multiple cover hosting providers for infrastructure management and obfuscation,” the agencies said. “These two providers are ‘Server-Speed’ (server-speed(.)com) and ‘VPS-Agent’ (vps-agent(.)net).”
“ASA established its own resellers and purchased server space from European-based providers, including Lithuania-based BAcloud and Stark Industries Solutions/PQ Hosting (located in the UK and Moldova respectively). ASA then operates these cover resellers to provide operational servers to its own cyber actors for malicious cyber activities.”
The attack against the unnamed French commercial display provider took place in July 2024 using VPS-Agent infrastructure. Its aim was to post photo montages criticizing the participation of Israeli athletes in the 2024 Olympic and Paralympic Games.
In addition, ASA allegedly attempted to contact family members of Israeli hostages following the war between Israel and Hamas in early October 2023 under the name Contact-HSTG and send messages that could “cause additional psychological stress and inflict additional trauma.”
The threat actor has also been linked to another persona known as Cyber Court, which promoted the activities of several cover hacktivist groups it ran on a Telegram channel and a dedicated website created for that purpose (“cybercourt(.)io”).
The two domains, vps-agent(.)net and cybercourt(.)io, were seized following a joint law enforcement operation undertaken by the US Attorney’s Office for the Southern District of New York (SDNY) and the FBI.
That’s not all. After the outbreak of the war, ASA reportedly continued its efforts to enumerate and obtain the content of IP cameras in Israel, Gaza and Iran, as well as to collect information on Israeli fighter pilots and unmanned aerial vehicle (UAV) operators through sites like Knowem.com, facecheck.id, socialcatfish.com, ancestry.com and familysearch.org.
The development comes as the US State Department announced a reward of up to $10 million for information leading to the identification or location of individuals associated with an IRGC-associated hacking group nicknamed Shahid Hemmat, for targeting US critical infrastructure.
“Shahid Hemmat has been linked to malicious cyber actors targeting the US defense industry and international transportation sectors,” it said.
“As a component of the CEC-IRGC (Cyber-Electronic Command), Shahid Hemmat is connected to other individuals and organizations associated with the CEC-IRGC, including: Mohammad Bagher Shirinkar, Mahdi Lashgarian, Alireza Shafie Nasab and the front companies Emennet Pasargad, Dadeh Afzar (DAA) and Mehrsam Andisheh Saz Nik (MASN).”