Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime
Iran Hackers Behind Attempt on US Election Are Still ActiveFBI Issues Warning on Emennet Pasargad - A Threat Actor That Goes by Many Names
The Iranian cyber threat actor behind an attempt to disrupt the U.S. presidential election in 2020 remains an active threat, warns the FBI.
See Also: Critical Infrastructure Cybersecurity & Risk Monitoring: Elections Infrastructure
The hacking group, Iranian cybersecurity firm Emennet Pasargad, conducted a "destructive cyberattack" against a U.S. organization within the last year. It is behind ongoing network penetrations it later publicizes in order to embarrass organizations with leaked data, the agency alert states. Israeli organizations are the group's main targets, but the FBI says it remains a cyberthreat to the United States.
Emennet Pasargad goes by many names and has adopted false-flag personae in a bid to obfuscate attribution. For several years, it posed as pro-Palestinian hacktivist group "Hackers of Savior" and as "Deus" in the cybercriminal underground in order to sell data stolen from an Israeli call service center.
When it attempted to disrupt the American 2020 election by obtaining confidential voter information from at least one state election website, it was known as Eeleyanet Gostar. A grand jury last November handed down a five-count indictment against two company contractors who participated in the attempt, which included sending emails to Democratic voters in states including Florida and Alaska, purportedly from the Proud Boys neo-fascist organization, that threatened physical harm unless the recipients voted for then-President Donald Trump (see: 2 Iranians Charged With 2020 US Election Interference).
The Department of Treasury sanctioned the company in 2019 when it operated as Net Peygard Samavat Company, a designation it renewed in tandem with the indictment's November unsealing.
The Department of State on Wednesday offered up to $10 million for information on Emennet Pasargad or any individual linked to foreign interference in U.S. elections.
The FBI's Emennet Pasargad warning supplies few details about the group's recent activities in the U.S., but it says it conducted an attack during early 2022 against a domestic organization with connections to the militantly anti-Tehran Mujahedin-e-Khalq. Hostility to MEK led Iran to launch a July cyberattack against Albania that resulted in Tirana severing diplomatic ties with Iran (see: Albania Cuts Diplomatic Ties With Iran After Cyberattack).
Emennet Pasargad has exploited CVE-2021-44228 - better known as Log4Shell - at least once to break into a U.S.-based organization's web server, the FBI says.
Given its predilection for hack-and-leak operations, it also looks for vulnerabilities in content management systems, especially WordPress and Drupal.
The group has a preference for websites and online portals running PHP code or those with externally accessible mySQL databases. It uses open-source penetration testing tools such as SQLmap and Acunetix.