The FBI is warning enterprises about ongoing attacks by a private Iranian threat group that is using hack-and-leak operations against companies in the United States and Israel in an effort to embarrass the victims and support the political aims of the Iranian government.
The warning, published Thursday, cites Emennet Pasargad as an ongoing threat to U.S. companies, and says that the organization is using a variety of tactics, including exploiting known vulnerabilities and deploying wiper malware in some cases. Emennet Pasargad is a known threat group and has been on the radar of U.S. authorities and researchers for several years. The Department of the Treasury’s Office of Foreign Assets Control designated the company along with four of its employees in 2021, and a grand jury in New York indicted two of the company’s employees for computer crimes and other offenses.
The FBI has warned about Emennet Pasargad’s activities in the past, as well, most recently in January when it detailed the group’s activities aimed at influencing the 2020 presidential election and other operations. This week’s advisory specifically says that the group uses network intrusions along with information operations and fake personas that exaggerate and amplify the group’s operations.
“Although Emennet’s latest attacks have primarily targeted Israel, the FBI judges these techniques may be used to target US entities as seen during Emennet’s cyber-enabled information operation that targeted the 2020 US Presidential election. Within the past year, the FBI has identified a destructive cyber attack against a US organization – indicating the group remains a cyber threat to the United States,” the advisory says.
“Although Emennet personas may exaggerate their level of access to a victim network or the volume of victim data stolen, the FBI judges that each of these campaigns likely start with some level of cyber intrusion.”
Emennet Pasargad doesn’t typically use any fancy tools or unusual tactics, but instead favors off-the-shelf and open source tools. The group also makes extensive use of social media and other public channels in an effort to embarrass victim companies and publicize their operations, the FBI said.
“In furtherance of Emennet’s information operations, the group often amplifies and promotes the theft and leaking of victim data on their own dedicated leak websites, Telegram, and online hacking and illicit access trading forums. The actors typically create social media accounts for each false-flag persona to generate additional attention to their activity,” the advisory says.
“The FBI has also observed Emennet amplifying information operations through techniques such as contacting news media organizations and using email-marketing services. This is a tactic previously observed during their campaign against the 2020 US Presidential election.”
Among the personas tied to Emennet are Deus and Hackers of Savior, which were used in separate operations in the past two years. The group used the Deus persona in an attack on an Israeli call center, and the Hackers of Savior persona in a number of separate operations since 2020.