Context and Recommendations to Protect Against Malicious Activity by Iranian Cyber Group Emennet Pasargad
This Private Industry Notice provides a historical overview of Iran-based cyber company Emennet Pasargad’s tactics, techniques, and procedures (TTPs) to enable recipients to identify and defend against the group’s malicious cyber activities. On 20 October 2021, a grand jury in the US District Court for the Southern District of New York indicted two Iranian nationals employed by Emennet Pasargad (formerly known as Eeleyanet Gostar) for computer intrusion, computer fraud, voter intimidation, interstate threats, and conspiracy offenses for their alleged participation in a multi-faceted campaign aimed at influencing and interfering with the 2020 US Presidential Election. In addition, the Department of the Treasury Office of Foreign Assets Control designated Emennet along with four members of the company’s management and the two indicted employees for attempting to influence the same election. The Department of State’s Rewards for Justice Program also offered up to $10 million for information on the two indicted actors.
Starting in August 2020, Emennet Pasargad actors conducted a multi-faceted campaign to interfere in the 2020 US presidential election. As part of this campaign, the actors obtained confidential U.S. voter information from at least one state election website; sent threatening email messages to intimidate voters; created and disseminated a video containing disinformation pertaining to purported but non-existent voting vulnerabilities; attempted to access, without authorization, several states’ voting-related websites; and successfully gained unauthorized access to a U.S. media company’s computer network. During the 2020 election interference campaign, the actors claimed affiliation with the Proud Boys in the voter intimidation and disinformation aspects of the campaign. In addition to the 2020 U.S. election-focused operation in which the actors masqueraded as members of the Proud Boys, Emennet previously conducted cyber-enabled information operations, including operations that used a false-flag persona. According to FBI information, in late 2018, the group masqueraded as the "Yemen Cyber Army" and crafted messaging critical of Saudi Arabia. Emennet also demonstrated interest in leveraging bulk SMS services, likely as a means to mass-disseminate propaganda or other messaging. FBI information indicates Emennet poses a broader cybersecurity threat outside of information operations. Since 2018, Emennet has conducted traditional cyber exploitation activity targeting several sectors, including news, shipping, travel (hotels and airlines), oil and petrochemical, financial, and telecommunications, in the United States, Europe, and the Middle East.
Tactics, Techniques, and Procedures
The FBI is providing a summary of the group's past TTPs to recipients so they can better understand and defend against the group’s future malicious activity. Emennet is known to use Virtual Private Network (VPN) services to obfuscate the origin of their activity. The group likely uses VPN services including TorGuard, CyberGhost, NordVPN, and Private Internet Access. Over the past three years, Emennet conducted reconnaissance and chose potential victims by performing web searches for leading businesses in various sectors such as “top American news sites.” Emennet would then use these results to scan websites for vulnerable software that could be exploited to establish persistent access. In some instances, the objective may have been to exploit a large number of networks/websites in a particular sector as opposed to a specific organization target. In other situations, Emennet would also attempt to identify hosting/shared hosting services. After the initial reconnaissance phase, Emennet typically researched how to exploit specific software, including identifying open source available tools. In particular, Emennet demonstrated interest in identifying webpages running PHP code and identifying externally accessible mysql databases (in particular, phpMyAdmin). Emennet also demonstrated an interest in exploiting the below software applications:
- Wordpress (in particular the revslider and layerslider plugins)
- Apache Tomcat
- Ckeditor and Fckeditor (including the exploitation of Roxy Fileman)
Emennet also expressed interest in numerous specific vulnerabilities, outlined in Appendix A. When conducting research, Emennet attempted to identify default passwords for particular applications a target may be using, and tried to identify admin and/or login pages associated with those same targeted websites. It should be assumed Emennet may attempt common plaintext passwords for any login sites they identify. Emennet is known to use the open source penetration testing tools SQLmap and the commercially available tool Acunetix during operational activity. They also likely use the below tools or resources:
- DefenseCode Web Security Scanner
- Tiny mce scanner
- Wordpress security scanner (wpscan)
FBI information indicates the group has attempted to leverage cyber intrusions conducted by other actors for their own benefit. This includes searching for data hacked and leaked by other actors, and attempting to identify webshells that may have been placed or used by other cyber actors.
- Ensure anti-virus and anti-malware software is enabled and signature definitions are updated regularly in a timely manner. Well-maintained anti-virus software may prevent use of commonly deployed attacker tools that are delivered via spear-phishing.
- Adopt threat reputation services at the network device, operating system, application, and email service levels. Reputation services can be used to detect or prevent low-reputation email addresses, files, URLs, and IP addresses used in spear-phishing attacks.
- If your organization’s information was previously compromised, the FBI recommends considering how any data exfiltrated could be leveraged to conduct further malicious activity against your network, and take appropriate measures to ensure security mechanisms are in place.
- If your organization is employing certain types of software and appliances referenced in the aforementioned CVEs, the FBI recommends patching for those vulnerabilities.
- Review the Tactics, Techniques, and Procedures in the referenced table and take steps to ensure you can identify and defend against malicious activity by this actor.
- Consider reputable hosting services for websites and content management systems (CMS), if you need assistance in configuring and maintaining your external facing applications.
- Consider employing a Web Application Firewall (WAF) to block inbound malicious traffic.
- Disable Content Management Systems features if they are not needed, and configure them to:
- Disable remote file editing
- Restrict file execution to specific directories
- Limit login attempts
- Review the logs generated by security devices for signs that your organizations external networks are being scanned for vulnerabilities.
The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office. Field office contacts can be identified at www.fbi.gov/contact-us/fieldoffices. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. The FBI also notes the Department of State’s Rewards for Justice Program is offering up to $10 million for information leading to the identification or location of Emennet-associated cyber actors Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian: https://rewardsforjustice.net/terrorist-rewards/seyyed-kazemi/ https://rewardsforjustice.net/terrorist-rewards/sajjad-kashian/