Overview of Iranian Cyber Operations Targeting 2024 Summer Olympics
In a recent joint advisory, U.S. and Israeli cybersecurity agencies attributed a campaign against the 2024 Summer Olympics, aimed at shaping public opinion and discrediting the event, to an Iranian cyber group. The advisory names the group as Emennet Pasargad, which has operated under the alias Aria Sepehr Ayandehsazan (ASA) since mid-2024 and is tracked by industry under names such as Cotton Sandstorm, Haywire Kitten, and Marnanbridge. ASA's activity extends well beyond the Olympics and includes influence operations against French companies and Israeli individuals.
Emerging Tactics and Technology
Compromising Display Systems for Political Messaging
ASA's most recent activity includes the July 2024 compromise of a French commercial dynamic display provider, whose screens it then used to show anti-Israel messages during the Olympic Games. This marks a tactical shift toward hijacking public-facing systems to carry the group's messaging rather than relying on channels it controls. The operation was staged from VPS-Agent, one of ASA's cover hosting providers, so the attacking infrastructure presented itself as an ordinary hosting reseller rather than as anything attributable to Iran.
Leveraging AI for Psychological Warfare
ASA has adopted a range of commercial AI-enhanced tools to increase the impact of its campaigns. These include Remini AI Photo Enhancer and Appy Pie for producing and enhancing images, and Voicemod and Murf AI for altering or synthesizing voices. This media manipulation lets ASA build convincing personas and spread propaganda across social media and other digital channels, with the goal of stirring public sentiment and shaping perceptions at scale, both inside Iran and abroad.
Psychological Manipulation Targeting Families of Hostages
In one of its most disturbing moves, ASA attempted to contact the families of Israeli hostages taken after the outbreak of the Israel-Hamas war in October 2023. Operating under the persona Contact-HSTG, the group sent messages assessed to be intended to intensify the families' psychological distress. By personalizing those messages and using AI tools to make them more convincing, ASA has refined its ability to inflict targeted emotional harm, a tactic increasingly observed among IRGC-affiliated cyber actors.
Infrastructure and Obfuscation Techniques
Using Fictitious Hosting Resellers
To mask its activities and stay operational, ASA has run cover hosting resellers since mid-2023. The group set up two such services, "Server-Speed" (server-speed[.]com) and "VPS-Agent" (vps-agent[.]net), and used them to provision server infrastructure both for its own operations and for other entities, including Hamas-affiliated websites. The servers behind these resellers are themselves rented from legitimate European providers, such as Lithuania-based BAcloud and Stark Industries Solutions in the UK and Moldova. Because the infrastructure is ultimately provisioned by those providers, network indicators point at them rather than at ASA, which complicates attribution and makes it harder for law enforcement to trace the group's primary servers.
Cyber Court and Cover-Hacktivist Groups
Operating through personas such as Cyber Court, ASA runs a Telegram channel and website (cybercourt[.]io) that promote activity under several hacktivist names, including Al-Toufan, Anzu Team, Cyber Cheetahs, and Menelaus. This layered structure lets ASA conduct influence operations with plausible deniability, since the activity appears to come from unrelated groups rather than from a single IRGC-linked entity. The seizure of the cybercourt[.]io domain by U.S. law enforcement shows that this front is being actively targeted.
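The three cover domains named in this and the previous section (server-speed[.]com, vps-agent[.]net, cybercourt[.]io) are the concrete indicators a defender can act on. The Python below is an added example, not code from the advisory or from this article: it refangs those indicators and matches them against DNS and proxy log lines. The key=value log format is hypothetical and the sample lines are constructed for the example. Matching is done on domain-label boundaries, so a subdomain of an indicator is caught while an indicator that merely appears as a prefix of an unrelated domain (a common false positive with substring matching) is not.

```python
import re
from typing import List, Optional, Set, Tuple

# Defanged domains named in the advisory summary above (Server-Speed, VPS-Agent,
# Cyber Court). These are the only indicators this example uses.
DEFANGED_IOCS = ["server-speed[.]com", "vps-agent[.]net", "cybercourt[.]io"]


def refang(ioc: str) -> str:
    """Convert a defanged indicator back to a matchable form.

    Handles the common '[.]', '(.)' and 'hxxp' conventions, lower-cases the
    result and strips a trailing root dot.
    """
    out = ioc.strip().lower()
    for defanged, real in (("[.]", "."), ("(.)", "."), ("hxxp", "http")):
        out = out.replace(defanged, real)
    return out.rstrip(".")


IOCS: Set[str] = {refang(d) for d in DEFANGED_IOCS}


def domain_matches(host: str, iocs: Set[str] = IOCS) -> Optional[str]:
    """Return the IOC that `host` equals or is a subdomain of, else None.

    Labels are compared from the right, so 'cdn.vps-agent.net' matches
    'vps-agent.net', but 'server-speed.com.example.org' (the IOC used as a
    subdomain of something else) and 'notvps-agent.net' (a substring hit)
    do not.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


# Hostname-looking tokens: two or more labels, the last alphabetic, not glued
# to other word characters. Timestamps and dotted IPv4 addresses do not match.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})\.?(?![\w-])", re.IGNORECASE)


def scan_log(text: str, iocs: Set[str] = IOCS) -> List[Tuple[int, str, str]]:
    """Scan log text line by line; return (line_no, matched_ioc, host) per hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in HOST_RE.finditer(line):
            host = m.group(1).lower()
            ioc = domain_matches(host, iocs)
            if ioc:
                hits.append((line_no, ioc, host))
    return hits


# Constructed sample log lines in a hypothetical key=value format; they are not
# real telemetry and are not taken from the advisory. Line 4 is a deliberate
# near-miss (IOC as a prefix of an unrelated domain), line 5 tests case and a
# trailing root dot.
SAMPLE_LOG = """\
2024-07-26T09:14:02Z dns client=10.0.5.17 query=cdn.vps-agent.net type=A
2024-07-26T09:14:09Z proxy src=10.0.5.17 url=https://www.cybercourt.io/telegram status=200
2024-07-26T09:15:31Z dns client=10.0.7.3 query=updates.microsoft.com type=A
2024-07-26T09:16:00Z proxy src=10.0.9.4 url=https://server-speed.com.example.org/ status=302
2024-07-26T09:17:45Z dns client=10.0.5.17 query=SERVER-SPEED.COM. type=A
"""

if __name__ == "__main__":
    for line_no, ioc, host in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {host} matches IOC {ioc}")
```

Run stand-alone, the block reports hits on lines 1, 2 and 5 only. In practice the IOC set would be loaded from the advisory's full indicator list rather than the three domains quoted here, and the scan pointed at exported DNS resolver or proxy logs; the suffix-based matching is what keeps a reseller domain such as server-speed[.]com from lighting up on every unrelated host that happens to contain the string.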
Information-Gathering Operations on Israeli Military Personnel
Alongside its psychological warfare and influence operations, ASA also gathers intelligence on Israeli defense personnel. Using people-search and open-source lookup services such as knowem.com, facecheck.id, socialcatfish.com, ancestry.com, and familysearch.org, the group has been collecting information on Israeli fighter pilots and UAV operators. That data most likely feeds its psychological operations and may also be held in reserve for future targeted attacks or disinformation efforts.
Additional Measures Taken Against IRGC-Affiliated Cyber Groups
In response to escalating cyber operations by groups like ASA, the U.S. Department of State has announced a reward of up to $10 million under its Rewards for Justice program for information leading to the identification or location of members of IRGC-affiliated hacking groups. One such group, Shahid Hemmat, has been implicated in targeting U.S. critical infrastructure, including the defense industrial base and transportation sectors. Shahid Hemmat, like ASA, is part of the IRGC's Cyber-Electronic Command and shares connections with other entities, including Emennet Pasargad and the front companies Dadeh Afzar Arman (DAA) and Mehrsam Andisheh Saz Nik (MASN).
Conclusion
Iran’s ongoing cyber campaigns, notably through entities like ASA, showcase a sophisticated strategy of psychological warfare, influence operations, and infrastructure obfuscation. The group’s capabilities in AI-driven media manipulation, strategic use of fictitious hosting, and psychological targeting underscore the multifaceted nature of modern cyber threats. The joint advisory from U.S. and Israeli cybersecurity agencies signals a coordinated approach to countering these threats and raises awareness of the evolving tactics used by cyber actors with connections to state entities like the IRGC.