Iran's Cyber Playbook: Psychological Warfare, Fake Hosting, and AI
According to a new advisory released by U.S. and Israeli cybersecurity agencies, an Iranian cyber organization targeted the 2024 Summer Olympics and compromised a French commercial dynamic display provider to display messages criticizing Israel's involvement in the competition.
An organization called Emennet Pasargad has been implicated in the operation; according to the agencies, it has been conducting business since the middle of 2024 under the alias Aria Sepehr Ayandehsazan (ASA). The larger cybersecurity community keeps track of it under the names Cotton Sandstorm, Haywire Kitten, and Marnanbridge.
"Using a variety of cover personas, the group demonstrated novel tradecraft in its attempts to carry out cyber-enabled information operations into mid-2024. Among them were several cyber operations that took place during and targeted the 2024 Summer Olympics, including the compromise of a French commercial dynamic display provider," according to the advisory.
According to the Israel National Cyber Directorate, the U.S. Federal Bureau of Investigation (FBI), and the Department of the Treasury, ASA also used artificial intelligence (AI) tools like Appy Pie for image creation and Remini AI Photo Enhancer, Voicemod, and Murf AI for voice modulation, and stole content from IP cameras.
Under the aliases Al-Toufan, Anzu Team, Cyber Cheetahs, Cyber Flood, For Humanity, Menelaus, and Market of Data, among others, the threat actor, which is believed to be part of Iran's Islamic Revolutionary Guard Corps (IRGC), is well-known for its influence and cyber operations.
Using fake hosting resellers to supply operational server infrastructure for its own needs and to an actor in Lebanon to host Hamas-affiliated websites is one of the recently observed tactics. "Since approximately mid-2023, ASA has used several cover hosting providers for infrastructure management and obfuscation," the agencies stated. "These two providers are 'Server-Speed' (server-speed[.]com) and 'VPS-Agent' (vps-agent[.]net)."
"ASA acquired server space from European providers, such as Stark Industries Solutions/PQ Hosting (based in the United Kingdom) and BAcloud (based in Lithuania), and established its resellers. ASA then uses these cover resellers to provide its own cyber actors access to operational servers for malevolent online activity." The unidentified French commercial display provider was the target of an attack in July 2024 that used VPS-Agent infrastructure. It aimed to show photo montages that were critical of Israeli athletes' participation in the 2024 Olympic and Paralympic Games.
Under the alias Contact-HSTG, ASA is also accused of attempting to get in touch with Israeli hostage families after the Israeli-Hamas conflict in early October 2023 and sending them texts that were expected to "cause additional psychological effects and inflict further trauma."
The threat actor has also been connected to another identity called Cyber Court, which used a Telegram channel and a website specifically created for this purpose ("cybercourt[.]io") to advertise the operations of multiple cover-hacktivist organizations that it operated. Following a collaborative law enforcement operation by the FBI and the U.S. Attorney's Office for the Southern District of New York (SDNY), both domains—vps-agent[.]net and cybercourt[.]io—were taken down.
But that's not all. It is thought that after the war broke out, ASA worked to gather information about Israeli fighter pilots and unmanned aerial vehicle (UAV) operators from websites such as knowem.com, facecheck.id, socialcatfish.com, ancestry.com, and familysearch.org, as well as to enumerate and acquire content from IP cameras in Israel, Gaza, and Iran.
This comes after the U.S. Department of State announced a reward of up to $10 million for information that could help identify or track down members of Shahid Hemmat, a hacker group affiliated with the IRGC that targets critical infrastructure in the United States. "Shahid Hemmat has been linked to malicious cyber actors targeting the U.S. defense industry and international transportation sectors," claimed the statement.
"As a component of IRGC-CEC [Cyber-Electronic Command], Shahid Hemmat is connected to other IRGC-CEC associated individuals and organizations including Mohammad Bagher Shirinkar, Mahdi Lashgarian, Alireza Shafie Nasab, and the front companies Emennet Pasargad, Dadeh Afzar Arman (DAA), and Mehrsam Andisheh Saz Nik (MASN)."