AI, Fake Hosting, and Psychological Warfare
- November 4, 2024
- Posted by: claudia
U.S. and Israeli cybersecurity agencies have released a joint advisory linking an Iranian cyber group known as Emennet Pasargad to a series of cyber threats aimed at the 2024 Summer Olympics. This group reportedly compromised a French commercial dynamic display provider to broadcast messages opposing Israel’s involvement in the event. Operating under the alias Aria Sepehr Ayandehsazan (ASA) since mid-2024, this entity is associated with wider activities tracked by cybersecurity professionals under various names, including Cotton Sandstorm and Haywire Kitten.
The advisory emphasizes that ASA used advanced techniques in its cyber-enabled information operations, which escalated around the time of the Olympics, indicating a strategic effort to manipulate public perception through targeted propaganda. The FBI and Israel National Cyber Directorate noted that ASA employed artificial intelligence tools, such as Remini AI Photo Enhancer and Voicemod, for image and voice manipulation to distribute its messages effectively.
The advisory states that ASA is affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) and operates under various personas, including Cyber Cheetahs and Market of Data. Notably, Microsoft pointed out that the group had engaged in reconnaissance of election-related websites across U.S. swing states and targeted major media publications, highlighting its ongoing focus on influence operations.
A new tactic attributed to ASA involves using fictitious hosting resellers to provision operational server infrastructure. The advisory details that ASA has used two providers, Server-Speed and VPS-Agent, and has leased server space from Europe-based providers to obfuscate its malicious activities. This approach not only supports its cyber operations but also enables the group to provide hosting services for actors associated with organizations like Hamas.
The incident concerning the French display provider occurred in July 2024 and allegedly used assets from VPS-Agent to publicly display images criticizing Israeli athletes ahead of the Olympic and Paralympic Games. In a disturbing follow-up to ongoing conflicts, ASA is said to have attempted to contact Israeli hostage families amid recent hostilities, likely intending to exacerbate trauma through psychological manipulation.
Additionally, ASA has ties to a persona dubbed Cyber Court, which promotes various hacktivist fronts on platforms like Telegram and on a dedicated website. Following a concerted law enforcement effort, domains associated with ASA, specifically vps-agent.net and cybercourt.io, have been seized, curtailing some of its operational capabilities.
In the aftermath of escalating tensions, ASA reportedly pursued information-gathering initiatives targeting IP cameras in Israel, Gaza, and Iran, as well as collecting intelligence on Israeli air force personnel. This indicates a strategic move to enhance its cyber and psychological warfare tactics against Israel.
Separately, the U.S. Department of State has announced a monetary reward for information that leads to the identification of individuals linked to an IRGC-associated hacking group known as Shahid Hemmat, which has been implicated in attacks on U.S. critical infrastructure. This reflects ongoing concerns regarding the IRGC’s cyber capabilities.
Shahid Hemmat is tied to malicious cyber activities aimed at the U.S. defense sector and international transportation networks, signifying the broader implications of Iranian cyber threats for critical infrastructure. The entities associated with Shahid Hemmat include several figures within the IRGC’s Cyber-Electronic Command, linking them to a network of hacking initiatives targeting U.S. interests.
The advisory is a critical indication of the evolving cyber threat landscape, marked by state-sponsored actors leveraging sophisticated tactics for geopolitical objectives. By highlighting the collaboration between U.S. and Israeli agencies, the report underscores the urgent need for global vigilance against increasingly coordinated cyber operations by hostile state actors.