U.S. and Israeli cybersecurity agencies have issued a new advisory that attributes to an Iranian cyber group a series of operations targeting the 2024 Summer Olympics, including the compromise of a French commercial supplier of dynamic displays to show messages condemning Israel’s participation in the sporting event.
The activity was attributed to an entity known as Emennet Pasargad, which the agencies say has been operating under the name Aria Sepehr Ayandehsazan (ASA) since mid-2024. The wider cybersecurity community tracks it as Cotton Sandstorm, Haywire Kitten and Marnanbridge.
“The group demonstrated new prowess in its efforts to conduct cyber-enabled information operations through mid-2024 using multiple covert characters, including multiple cyber operations that took place during and targeted the 2024 Summer Olympics — including the compromise of a French commercial dynamic display provider,” reports the advisory.
The US Federal Bureau of Investigation (FBI), the Treasury Department and Israel’s National Cyber Directorate said ASA also stole content from IP cameras and used artificial intelligence (AI) software such as Remini AI Photo Enhancer, Voicemod and Murf AI for voice modulation, and Appy Pie to generate images for spreading propaganda.
Assessed to be part of Iran’s Islamic Revolutionary Guard Corps (IRGC), the threat actor is known for conducting cyber and influence operations under a range of personas. Others include Al-Toufan, Anzu Team, Cyber Cheetahs, Cyber Flood, For Humanity, Menelaus and Market of Data.
One recently observed tactic involves the use of bogus hosting resellers to provide operational server infrastructure for its own operations, as well as for an entity in Lebanon to host Hamas-related websites (such as alqassam(.)ps).
“Since approximately mid-2023, ASA has used multiple hosting providers for infrastructure management and obfuscation,” the agencies said. “These two providers are Server Speed (server-speed(.)com) and VPS-agent (vps-agent(.)net).”
“ASA has created its own resellers and purchased server space from European providers, including the Lithuanian company BAcloud and Stark Industries Solutions/PQ Hosting (located in the UK and Moldova, respectively). The ASA then uses these resellers as a front to provide operational servers to its own cyber actors for malicious cyber activities.”
The attack on the unnamed French commercial display vendor took place in July 2024 using VPS-agent infrastructure. It sought to display photo montages criticizing the participation of Israeli athletes in the 2024 Olympic and Paralympic Games.
In addition, ASA is alleged to have attempted to contact family members of Israeli hostages following the outbreak of the Israel-Hamas war in early October 2023 under the persona Contact-HSTG, sending messages that could “cause additional psychological effects and cause further trauma.”
The threat actor was also linked to another entity known as Cyber Court, which promoted the activities of several self-described hacktivist cover groups on a Telegram channel and a dedicated website created for the purpose (cybercourt(.)io).
Both domains, vps-agent(.)net and cybercourt(.)io, were seized following a joint law enforcement operation by the US Attorney’s Office for the Southern District of New York (SDNY) and the FBI.
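The advisory prints its domains defanged with “(.)”, so they cannot be dropped straight into a resolver or proxy search. The following is an added example, not code from the advisory or the agencies involved: it refangs the indicators quoted above and checks them against a handful of constructed dnsmasq-style DNS log lines (the log lines, IP addresses and timestamps are invented for illustration), matching both the exact domain and any subdomain of it while rejecting look-alike names that merely end in the same characters.

```python
import re

# Domains exactly as the advisory prints them (defanged with "(.)").
ADVISORY_IOCS = [
    "server-speed(.)com",
    "vps-agent(.)net",
    "cybercourt(.)io",
    "alqassam(.)ps",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable hostname.

    Handles the "(.)", "[.]" and "{.}" dot substitutions and the hxxp://
    scheme convention; lowercases and strips any trailing dot.
    """
    s = indicator.strip().lower()
    s = s.replace("(.)", ".").replace("[.]", ".").replace("{.}", ".")
    s = re.sub(r"^hxxps?://", "", s)
    return s.rstrip(".")


def hostname_matches(hostname: str, ioc_domain: str) -> bool:
    """True when hostname equals the IOC domain or is a subdomain of it.

    The leading "." in the suffix check is what keeps "notvps-agent.net"
    from matching "vps-agent.net".
    """
    h = hostname.lower().rstrip(".")
    return h == ioc_domain or h.endswith("." + ioc_domain)


# Constructed sample DNS resolver log lines (dnsmasq-style); not from the advisory.
SAMPLE_DNS_LOG = """\
Jul 24 09:12:01 resolver dnsmasq[812]: query[A] www.example.org from 10.0.4.17
Jul 24 09:12:03 resolver dnsmasq[812]: query[A] panel.vps-agent.net from 10.0.4.22
Jul 24 09:12:05 resolver dnsmasq[812]: query[AAAA] cybercourt.io from 10.0.4.22
Jul 24 09:12:09 resolver dnsmasq[812]: query[A] notvps-agent.net from 10.0.4.31
"""

# Pulls the queried name and the requesting client out of a dnsmasq query line.
QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")


def find_ioc_hits(log_text: str, iocs=ADVISORY_IOCS) -> list[tuple[str, str, str]]:
    """Return (source_ip, queried_name, matched_ioc) for every matching line."""
    domains = [refang(i) for i in iocs]
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name")
        for d in domains:
            if hostname_matches(name, d):
                hits.append((m.group("src"), name, d))
                break
    return hits


if __name__ == "__main__":
    for src, name, ioc in find_ioc_hits(SAMPLE_DNS_LOG):
        print(f"{src} queried {name} (matches advisory indicator {ioc})")
```

Because the two domains named here were seized, a hit in historical DNS logs is evidence of past contact with the infrastructure rather than a live compromise, and the client in the `from` field is the host to start the investigation on.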
That’s not all. After the start of the war, ASA is believed to have continued its efforts to enumerate and obtain content from IP cameras in Israel, Gaza and Iran, and to collect information on Israeli fighter pilots and unmanned aerial vehicle (UAV) operators through sites such as knowem.com, facecheck.id, socialcatfish.com, ancestry.com and familysearch.org.
It comes after the US State Department announced a reward of up to $10 million for information leading to the identification or location of people linked to an IRGC-linked hacking group called Shahid Hemmat for attacking critical US infrastructure.
“Shahid Hemmat has been associated with malicious cyber actors targeting the US defense industry and the international shipping sector,” it said.
“As a component of the IRGC-CEC (Cyber Electronic Command), Shahid Hemmat is linked to other IRGC-CEC-linked individuals and entities, including Mohammad Bagher Shirinkar, Mahdi Lashgarian, Alireza Shafi Nasab and the front companies Emennet Pasargad, Dade Afzar Arman (DAA) and Mehrsam Andishe Saz Nik (MASN).”