New Tradecraft of Iranian Cyber Group

Global Attacks

October 31, 2024

The Federal Bureau of Investigation (FBI), US Department of Treasury, and Israel National Cyber Directorate released this Joint Cybersecurity Advisory to warn network defenders of new cyber tradecraft of the Iranian cyber group Emennet Pasargad, which has been operating under the company name Aria Sepehr Ayandehsazan (ASA) and is known by the private sector terms Cotton Sandstorm, Marnanbridge, and Haywire Kitten. The group exhibited new tradecraft in its efforts to conduct cyber-enabled information operations into mid-2024 using a myriad of cover personas, including multiple cyber operations that targeted, and occurred during, the 2024 Summer Olympics, among them the compromise of a French commercial dynamic display provider. ASA has also undertaken a project to harvest content from IP cameras and used online resources related to Artificial Intelligence.

Since 2023, the group has exhibited new tradecraft including the use of fictitious hosting resellers to provision operational server infrastructure to its own actors as well as to an actor in Lebanon involved in website hosting. Recently released reporting from Microsoft indicates this group has demonstrated interest in election-related websites and media outlets, suggesting preparations for future influence operations.

This advisory provides the threat group’s tactics, techniques, and procedures (TTPs), including its leveraging of online resources related to Artificial Intelligence, and indicators of compromise (IOCs). The advisory also highlights similar activity from a previous FBI advisory that was published on October 20, 2022. This new advisory’s information and guidance are derived from FBI investigative activity and technical analysis of this group’s intrusion activity against US and foreign organizations and engagements with numerous entities impacted by this malicious activity.

The authoring agencies recommend all organizations follow guidance provided in the mitigations section to defend against the Iranian cyber group’s activities.

If you suspect your organization has been targeted or compromised by the Iranian cyber actors, the authoring agencies recommend immediately contacting your local FBI field office for assistance.

For more information on Iranian state-sponsored malicious cyber activity, see the Cybersecurity and Infrastructure Security Agency’s (CISA) Iran Cyber Threat webpage.