Emennet Pasargad

10861060279?profile=RESIZE_400xThe FBI released an alert last week warning of hack-and-leak operations targeting organizations in the US and Israel by a group based in Iran.  The alert centers on Emennet Pasargad, an Iranian company US law enforcement agencies have previously spotlighted for its role in efforts to interfere with the 2020 US presidential election.  Last week, the FBI said the company, which has changed its name several times to avoid sanctions, has targeted entities in Israel since 2020 with attacks that involved the theft and leak of stolen data.  The group would then amplify the stolen data on social media and online forums. 

“To avoid attribution, Emennet executed false-flag campaigns under the guise of multiple personas like hacktivist or cyber-criminal groups,” the FBI claimed.  “Although Emennet’s latest attacks have primarily targeted Israel, the FBI judges these techniques may be used to target US entities as seen during Emennet’s cyber-enabled information operation that targeted the 2020 US Presidential election.  Within the past year, the FBI has identified a destructive cyber-attack against a US organization, indicating the group remains a cyber threat to the United States.”

The attacks allegedly aim to “undermine public confidence in the security of the victim’s network and data” while other incidents are meant to embarrass companies or countries.  Earlier this year, the FBI said Emennet hacked an organization based in the US that had ties to Iranian opposition group The People’s Mujahedin (MEK), a group that has previously been targeted by Iranian hackers during crippling ransomware attacks on the Albanian government this summer.

During the attack on a US-based organization, the group leaked personally identifiable information and had “destructive effects on victim infrastructure.”  The FBI said any organization affiliating to MEK is at “elevated risk of cyber exploitation or attack activities.”

The group also targets organizations with websites that run PHP code or those with externally accessible MySQL databases.  According to the FBI, they typically use open-source penetration testing tools to launch attacks.  In addition to hack-and-leak operations, Emennet has previously defaced websites and caused other damage to victim networks. 

“Emennet is likely more opportunistic in choosing victims rather than targeting specific entities.  However, victim trends appear to show their preference for companies with significant traffic and a large customer base,” the FBI said.  “In furtherance of Emennet’s information operations, the group often amplifies and promotes the theft and leaking of victim data on their dedicated leak websites, Telegram, and online hacking and illicit access trading forums.  The actors typically create social media accounts for each false-flag persona to generate additional attention to their activity.  The FBI has also observed Emennet amplifying information operations by contacting news media organizations and using email-marketing services.”

Much of what is described in the alert are tactics the group previously used during the 2020 US Presidential election.  The FBI warned that the group will “likely” target commonly used content management systems like Drupal and WordPress.  Emennet has also been seen using the notorious Log4j vulnerability in attacks on at least one US-based organization.  “Emennet cyber actors used destructive capabilities to take down the organization’s web server and associated websites,” the FBI said.

Emennet allegedly masqueraded as a pro-Palestinian hacktivist group during its attacks on four organizations in Israel between 2020 and 2022, with the most recent attack in April.  It also used a cybercriminal persona in 2021 after a “lock-and-leak operation” targeting a call service center in Israel.  That attack involved the encryption of victim computers and the leak of sensitive company information.  The stolen data was sold on public forums, and the attack was touted on a Telegram channel.

In February, the US State Department announced a $10 million reward for information about Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian, two Iranian contractors who worked for Emennet Pasargad and launched several operations designed to “sow discord and undermine voters’ faith in the US electoral process.”  Kazemi and Kashian are still at large, believed to be in Iran.  The two were also added to the FBI’s cyber most wanted list.

The Department of Justice charged both men with the role in a variety of attacks and scams.  The two are accused of hacking the voter websites for 11 US states.  They also used spoofed accounts from far-right hate group Proud Boys to contact Republican party members with fake videos of Democratic election fraud and sent threatening emails to Democratic voters in support of former President Donald Trump.

The Justice Department said the two also hacked a US media company in the fall of 2020 and sought to leverage their access on 4 November, right after the US election.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, don't hesitate to get in touch with the office directly at 1-844-492-7225, or feedback@wapacklabs.com      

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www. redskyalliance. org/   
  • Website: https://www. wapacklabs. com/  
  • LinkedIn: https://www. linkedin. com/company/64265941   

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!