FBI: Iranian cyber group targeted Summer Olympics with attack on French display provider
The FBI and other agencies accused Iranian cyber actors of targeting the 2024 Summer Olympics, including an attempt to take over display boards to denounce Israel.
The U.S. Department of Treasury and Israel National Cyber Directorate joined the FBI in publishing an advisory this week about the operations of Emennet Pasargad — a well-known Iranian cyber operation previously implicated in hacking attempts targeting Israel and the 2020 U.S. presidential election.
The group has been using a company named Aria Sepehr Ayandehsazan (ASA) as cover for operations that researchers have tagged under various names, including “Cotton Sandstorm” and “Haywire Kitten.”
“The group exhibited new tradecraft in its efforts to conduct cyber enabled information operations into mid-2024 using a myriad of cover personas, including multiple cyber operations that occurred during and targeting the 2024 Summer Olympics – including the compromise of a French commercial dynamic display provider,” the advisory said.
ASA has also attempted to harvest content from IP cameras, commonly used to take surveillance videos, and used online artificial intelligence tools, the advisory said.
“Since 2023, the group has exhibited new tradecraft including the use of fictitious hosting resellers to provision operational server infrastructure to its own actors as well as to an actor in Lebanon involved in website hosting.”
According to the FBI, the hackers used various tools to take over the unnamed French commercial dynamic display provider in July 2024. Their goal was to “display photo montages denouncing the participation of Israeli athletes in the 2024 Olympic and Paralympic Games.”
“This cyberattack was coupled with disinformation maneuvers including publication of a fake news article onto a French collaborative media website and the spread of threat messages to several Israeli athletes and their entourage under the banner of a fake French far-right group 'Regiment GUD', impersonating the real French far-right group 'GUD',” the FBI added.
Last year, the Justice Department and Microsoft implicated Emennet Pasargad in a cyber operation that targeted French satirical magazine Charlie Hebdo. The hackers stole the personal information of 200,000 Charlie Hebdo customers after hacking into one of the magazine’s databases.
Targeting Sweden and the U.S.
The advisory, which is based on FBI investigations and technical analysis, also cites recently released research from Microsoft indicating the group is interested in targeting election websites and media outlets for alleged influence operations.
The FBI first identified the actions of Emennet Pasargad in 2022, when they publicly reported on several hack-and-leak operations designed to embarrass organizations primarily in Israel.
The U.S. Department of Justice also charged two members of the group in 2021 for hacking into several election websites in 2020, sharing fake videos of election fraud with Republican party members and posing as members of the Proud Boys in emails threatening Democratic voters.
Like their actions in 2020, the FBI said the group’s “recent campaigns include a mix of computer intrusion activity and exaggerated or fictitious claims of access to victim networks or stolen data to enhance the psychological effects of their operations.”
FBI officials have also been able to compile information on Emennet Pasargad’s tradecraft from other incidents in France, Sweden and Israel.
In at least one operation, the FBI said it saw the group use generative AI to create a fake news anchor. The group also uses an AI photo enhancer, a voice changer and other image generators.
Swedish officials have published several notices about information operations and data breaches conducted by the group allegedly in response to Swedish citizens who have burned the Koran.
The FBI attributed several other recent operations to ASA, including the breach of a U.S. Internet Protocol Television (IPTV) streaming company. Several other hacktivist operations are promoted by ASA through social media accounts going by the name “Cyber Court.”
The FBI noted that it has seized several domains used by Emennet Pasargad for infrastructure management and obfuscation.
Israeli hostages
U.S. officials included several claims that members of ASA contacted family members of Israelis held hostage by Hamas in Gaza since October 7, 2023.
They shared photos of text messages sent by the group to the family members — which say Israel has been offered deals in exchange for the release of the hostages that have been repeatedly turned down.
The hackers urged the families to “keep in touch” in order to know the condition of the hostages.
Several other operations in Israel have been run through the organization since October 7, 2023 — including an effort to steal video from IP cameras in Israel. The group has attempted to identify Israeli fighter pilots, UAV operators and other soldiers involved in the Gaza invasion through ancestry websites and more.
In February 2022, the State Department announced a $10 million reward for information about Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian — two Iranian contractors who worked for Emennet Pasargad and launched several operations designed to “sow discord and undermine voters’ faith in the U.S. electoral process.”
The State Department sanctioned members of Emennet Pasargad last month alongside charges issued for the cyberattack on the campaign of former President Donald Trump.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.