
IRGC-linked actors conduct, then amplify, cyber offensives

IRGC-linked actors carry out cyber attacks and then amplify them to further geopolitical objectives, using fake personas to drive propaganda.

Tactics of Iranian regime-backed hackers range from password cracking to deploying malware for data theft and remote control, and mapping digital footprints via domain-linked email identification, social media verification and reverse image searches.

By Al-Fassel

The Islamic Revolutionary Guard Corps (IRGC) is employing elaborate cyber tactics to exaggerate attacks, project support for Iranian regime narratives, and create an illusion of digital dominance, experts said.

Central to this campaign is Emennet Pasargad, an IRGC-affiliated company operating as Aria Sepehr Ayandehsazan (ASA), referred to by private-sector intelligence as Cotton Sandstorm, Marnanbridge or Haywire Kitten.

"Iranian cyber actors have been at the forefront of cyber-enabled influence operations (IO)," Microsoft Digital Threat Analysis Center general manager Clint Watts said in a May 2023 post on the company's website.

These combine "offensive cyber operations with multi-pronged influence operations to fuel geopolitical change in alignment with the regime's objectives."

Aria Sepehr Ayandehsazan logo is seen in a Joint Cybersecurity Advisory issued October 30.

ASA has leveraged hosting providers as covers to set up a network of seemingly legitimate resellers across Europe, per an October 30 cybersecurity advisory.

It has obtained server space from BAcloud in Lithuania and Stark Industries Solutions/PQ Hosting in the United Kingdom and Moldova, among others, to host websites for Hamas and pro-Hizbullah media.

ASA uses open-source intelligence tools like Shodan, IP2location and Subdomain Finder for reconnaissance, per the advisory, and relies on exploitation tools such as Masscan, Acunetix, Burp Suite and SQLMap to facilitate hacking.

Tactics range from password cracking to deploying malware for data theft and remote control, and mapping digital footprints via domain-linked email identification, social media verification and reverse image searches.

"ASA also uses specialized search engines to identify exposed internet-connected cameras to gather visual intelligence on sites," according to the Foundation for Defense of Democracies.

It described ASA as "one of Iran's most tenacious threat actors."

Shaping perceptions

After carrying out an initial cyber offensive, ASA attempts to shape public perceptions through a variety of cyber personas and AI-generated content.

These include the cyber persona "Cyber Court," which directs multiple seemingly independent hacktivist actors, among them "Cyber Av3ngers."

ASA targeted the 2024 Olympic and Paralympic Games by compromising a French display provider, publishing fake news, and impersonating a French far-right group to issue threats. "Anzu Team" meanwhile executed cyber-enabled information operations against Sweden.

"Most of these operations follow a predictable playbook," Watts, of Microsoft, said.

"Iran deploys a cyber persona to publicize and exaggerate a low-sophistication cyberattack," he explained.

"Subsequently, seemingly unrelated inauthentic online personas amplify and often further inflate the impact, carefully crafting messages in the target audience's language."

ASA also uses SMS messaging and victim impersonation to enhance the reach and effectiveness of such operations, he said.

The United States is offering $10 million rewards for information leading to the identification and location of key Emennet Pasargad operatives.

It seeks information on Seyyed Kazemi and Sajjad Kashian, six members of Cyber Av3ngers and actors affiliated with the IRGC Cyber Electronic Command.
