FBI Issues Warning on Emennet Pasagard, A Threat Actor That Goes by Many Names
The Iranian cyber threat actor behind an attempt to disrupt the U.S. presidential election in 2020 remains an active threat, warns the FBI.
The hacking group, Iranian cybersecurity firm Emennet Pasargad, conducted a “destructive cyberattack” against a U.S. organization within the last year. It is behind ongoing network penetrations it later publicizes in order to embarrass organizations with leaked data, the agency alert states. Israeli organizations are the group’s main targets, but the FBI says it remains a cyber threat to the United States.
Emennet Pasargad goes by many names, including by adopting false-flag personas in a bid to obfuscate attribution. For several years, it posed as pro-Palestinian hacktivist group “Hackers of Savior” and as “Deus” in the cybercriminal underground in order to sell data stolen from an Israeli call service center.
When it attempted to disrupt the American 2020 election by obtaining confidential voter information from at least one state election website, it was known as Eeleyanet Gostar. A grand jury last November handed down a five count indictment against two company contractors who participated in the attempt, which included sending emails to Democratic voters in states including Florida and Alaska purportedly from the Proud Boys neo-fascist organization that threatened physical harm unless the recipients voted for then-President Donald Trump (see: 2 Iranians Charged With 2020 US Election Interference).
The Department of State on Wednesday offered up to $10 million for information on Emennet Pasargad or any individual linked to foreign interference in U.S. elections.
The FBI’s Emennet Pasargad warning supplies few details about the group’s recent activities in the U.S., but it notes an attack during early 2022 against a domestic organization with connections to the militantly anti-Tehran Mujahedin-e-Khalq. Hostility to MEK led Iran to launch a July cyberattack against Albania that resulted in Tirana severing diplomatic ties with Iran (see:Albania Cuts Diplomatic Ties With Iran After Cyberattack).
Emennet Pasargad has exploited CVE-2021-44228 – better known as Log4Shell – at least once to break into an U.S.-based organization’s web server, the FBI says.
Given its predilection for hack-and-leak operations, it also looks for vulnerabilities in content management systems, especially WordPress and Drupal.
The group have a preference for websites and online portals running PHP code or those with externally accessible mySQL databases. It uses open-source penetration testing tools such as SQLmap and Acunetix.