Inside Iran's Cyber Playbook: AI, Fake Hosting, and Psychological Warfare

Summary:
U.S. and Israeli cybersecurity agencies have recently linked the Iranian cyber group Emennet Pasargad, now operating under the alias Aria Sepehr Ayandehsazan, to sophisticated cyber operations targeting the 2024 Summer Olympics. Since mid-2024, ASA, also known in the cybersecurity community as Cotton Sandstorm, Haywire Kitten, and Marnanbridge, has engaged in a campaign that compromised a French dynamic display provider to broadcast anti-Israel messages during the Olympic Games, highlighting the group's complex approach to cyber-enabled influence operations.

ASA's tactics reveal a high level of sophistication, incorporating phishing schemes, AI-powered content manipulation, and IP camera access to propagate realistic propaganda. The group used tools such as Remini AI Photo Enhancer for image enhancement, Voicemod and Murf AI for voice modulation, and Appy Pie for image generation, which allowed them to give their disinformation materials a level of realism that resonates with audiences. A distinctive part of ASA's tradecraft is the use of hosting infrastructure obtained through fictitious resellers, such as Server-Speed and VPS-Agent, which let the group stand up operational servers at European providers, including BAcloud in Lithuania and Stark Industries Solutions/PQ Hosting in the U.K. and Moldova. This infrastructure supported ASA's own cyber operations as well as other actors, including Hamas-affiliated websites.

One of the more notable incidents involved ASA using the VPS-Agent infrastructure to breach a French display provider in July 2024 and display anti-Israel photo montages intended to disrupt the Olympic and Paralympic Games. Following the outbreak of the Israel-Hamas conflict in October 2023, ASA intensified its psychological warfare tactics, reportedly using the persona Contact-HSTG to contact family members of Israeli hostages, likely with the intent of causing emotional distress and amplifying the psychological impact of its operations. ASA's cyber influence activities also included a persona called Cyber Court, which promoted several pseudo-hacktivist groups under ASA's control. This effort was supported by the cybercourt[.]io website and an associated Telegram channel, both recently seized by law enforcement following a joint operation by the U.S. Attorney's Office for the Southern District of New York and the FBI.

Security Officer Comments:
These activities fit into a broader framework of IRGC-linked influence and cyber operations. ASA is part of a network of personas, including Al-Toufan, Anzu Team, Cyber Cheetahs, Cyber Flood, For Humanity, and Market of Data, each serving to amplify ASA's reach and provide cover for their activities. Beyond influencing global public opinion, ASA has also sought to gather intelligence on Israeli defense personnel, including UAV operators and fighter pilots, through popular public databases. In addition, the U.S. Department of State recently offered up to $10 million for information leading to the identification of members associated with another IRGC-linked group, Shahid Hemmat, which has been implicated in cyberattacks against critical U.S. infrastructure, particularly within the defense and transportation sectors.

Suggested Corrections:

The agencies set out a range of mitigation measures organizations should take in relation to Cotton Sandstorm's tactics. These include:

  • Review any successful authentications to your network or company accounts originating from Virtual Private Network services such as Private Internet Access, Windscribe, ExpressVPN, Urban VPN and NordVPN
  • Put measures in place to ensure that any previously compromised information cannot be used to conduct further malicious activity against your network
  • Apply regular updates to applications and the host operating system to ensure protection against known vulnerabilities
  • Establish an offline backup of servers
  • Employ user input validation to prevent local and remote file inclusion vulnerabilities
  • Implement a least-privilege policy on the web server
  • Consider deploying a demilitarized zone (DMZ) between your organization's web-facing systems and the corporate network
  • Use reputable hosting services for websites and content management systems (CMS)
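
The first measure above, reviewing successful logins that arrive from commercial VPN services, can be scripted against authentication logs. The following is an added example, not code from the advisory or the agencies: it parses constructed, syslog-style auth records and flags successful logins whose source IP falls in a VPN provider's address range. The CIDR ranges, log format and field names are placeholders and assumptions; real provider ranges must come from a maintained VPN/anonymizer IP feed.

```python
import ipaddress
import re

# Constructed placeholder ranges standing in for commercial VPN egress space; the
# real provider ranges are NOT on the advisory page. Feed from a maintained list.
VPN_RANGES = {
    "Private Internet Access": ipaddress.ip_network("203.0.113.0/25"),
    "Windscribe": ipaddress.ip_network("198.51.100.0/26"),
    "ExpressVPN": ipaddress.ip_network("192.0.2.128/26"),
    "Urban VPN": ipaddress.ip_network("203.0.113.128/26"),
    "NordVPN": ipaddress.ip_network("198.51.100.192/26"),
}

# Constructed, syslog-style authentication records (not real logs).
SAMPLE_LOG = """\
2024-07-21T08:02:11Z auth result=success user=jdoe src=203.0.113.17 method=password
2024-07-21T08:05:43Z auth result=failure user=admin src=198.51.100.9 method=password
2024-07-21T09:14:02Z auth result=success user=asmith src=10.20.30.40 method=mfa
2024-07-21T11:31:55Z auth result=success user=jdoe src=198.51.100.200 method=password
2024-07-21T12:00:09Z auth result=success user=root src=192.0.2.130 method=password
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>\w+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) method=(?P<method>\S+)$"
)

def vpn_provider(addr):
    """Return the VPN provider whose range contains addr, or None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # malformed field: not attributable, not an error
        return None
    for name, net in VPN_RANGES.items():
        if ip in net:
            return name
    return None

def successful_vpn_logins(log_text):
    """Successful authentications (failures are skipped) sourced from a VPN range."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "success":
            continue
        provider = vpn_provider(m["src"])
        if provider:
            hits.append({**m.groupdict(), "provider": provider})
    return hits
```

Each hit is a candidate for follow-up (was the user travelling, is the device known, did MFA succeed), not a verdict on its own.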

Link(s):
PDF: https://www.ic3.gov/CSA/2024/241030.pdf