FBI warns of ‘hack-and-leak’ operations from group based in Iran

The FBI released an alert this week warning of hack-and-leak operations targeting organizations in the U.S. and Israel by a group based in Iran. 

The alert centers on Emennet Pasargad — an Iranian company U.S. law enforcement agencies have previously spotlighted for its role in efforts to interfere with the 2020 U.S. presidential election.

On Thursday, the FBI said the company — which has changed its name several time to avoid sanctions — has targeted entities in Israel since 2020 with attacks that involved the theft and leak of stolen data. The group would then amplify the stolen data on social media and online forums.  

“To avoid attribution, Emennet executed false-flag campaigns under the guise of multiple personas like hacktivist or cyber-criminal groups,” the FBI claimed. 

“Although Emennet’s latest attacks have primarily targeted Israel, the FBI judges these techniques may be used to target US entities as seen during Emennet’s cyber-enabled information operation that targeted the 2020 US Presidential election. Within the past year, the FBI has identified a destructive cyber attack against a US organization – indicating the group remains a cyber threat to the United States.”

The goal of the attacks is allegedly to “undermine public confidence in the security of the victim’s network and data” while other incidents are meant to embarrass companies or countries. 

Earlier this year, the FBI said Emennet hacked an organization based in the U.S. that had ties to Iranian opposition group The People’s Mujahedin (MEK) — a group that has previously been targeted by Iranian hackers during crippling ransomware attacks on the Albanian government this summer. 

During the attack on a U.S.-based organization, the group leaked personally identifiable information and had “destructive effects on victim infrastructure.” The FBI said any organization with affiliations to MEK is at “elevated risk of cyber exploitation or attack activities.”

The group also targets organizations with websites that run PHP code or those with externally accessible myssql databases. They typically use open source penetration testing tools to launch attacks, according to the FBI. 

In addition to hack-and-leak operations, Emennet has previously defaced websites and caused other damage to victim networks.  

“Emennet is likely more opportunistic in choosing victims rather than targeting specific entities. However, victim trends appear to show their preference for companies with significant traffic and a large customer base,” the FBI said.  

“In furtherance of Emennet’s information operations, the group often amplifies and promotes the theft and leaking of victim data on their own dedicated leak websites, Telegram, and online hacking and illicit access trading forums. The actors typically create social media accounts for each false-flag persona to generate additional attention to their activity. The FBI has also observed Emennet amplifying information operations through techniques such as contacting news media organizations and using email-marketing services.” 

Much of what is described in the alert are tactics the group previously used during the 2020 U.S. Presidential election. 

The FBI warned that the group will “likely” target commonly used content management systems like Drupal and Wordpress. Emennet has also been seen using the notorious Log4j vulnerability in attacks on at least one U.S. based organization. 

“Emennet cyber actors used destructive capabilities to take down the organization’s web server and associated websites,” the FBI said. 

Emennet allegedly masqueraded as a pro-Palestinian hacktivist group during its attacks on four organizations in Israel between 2020 and 2022, with the most recent attack taking place in April. 

It also used a cybercriminal persona in 2021 after a “lock-and-leak operation” targeting a call service center in Israel. That attack involved the encryption of victim computers and the leak of sensitive company information. The stolen data was sold on public forums and the attack was touted on a Telegram channel. 

In February, the U.S. State Department announced a $10 million reward for information about Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian — two Iranian contractors who worked for Emennet Pasargad and launched several operations designed to “sow discord and undermine voters’ faith in the U.S. electoral process.”

Kazemi and Kashian are still at large, believed to be located in Iran. The two were also added to the FBI’s cyber most wanted list.

The Department of Justice charged both men for the role in a variety of attacks and scams. The two are accused of hacking the voter websites for 11 U.S. states. They also used spoofed accounts from far-right hate group Proud Boys to contact Republican party members with fake videos of Democratic election fraud and sent threatening emails to Democratic voters in support of former President Donald Trump.

The Justice Department said the two also hacked a U.S. media company in the fall of 2020 and sought to leverage their access on November 4, right after the election.