This Private Industry Notice provides a historical overview of Iran-based cyber company Emennet Pasargad’s tactics, techniques, and procedures (TTPs) to enable recipients to identify and defend against the group’s malicious cyber activities. On 20 October 2021, a grand jury in the US District Court for the Southern District of New York indicted two Iranian nationals employed by Emennet Pasargad (formerly known as Eeleyanet Gostar) for computer intrusion, computer fraud, voter intimidation, interstate threats, and conspiracy offenses for their alleged participation in a multi-faceted campaign aimed at influencing and interfering with the 2020 US Presidential Election. In addition, the Department of the Treasury Office of Foreign Assets Control designated Emennet along with four members of the company’s management and the two indicted employees for attempting to influence the same election. The Department of State’s Rewards for Justice Program also offered up to $10 million for information on the two indicted actors.
Starting in August 2020, Emennet Pasargad actors conducted a multi-faceted campaign to interfere in the 2020 US presidential election. As part of this campaign, the actors obtained confidential US voter information from at least one state election website; sent threatening email messages to intimidate voters; created and disseminated a video containing disinformation about purported but non-existent voting vulnerabilities; attempted to access, without authorization, several states' voting-related websites; and gained unauthorized access to a US media company's computer network. Throughout the voter intimidation and disinformation portions of the campaign, the actors claimed affiliation with the Proud Boys.
In addition to the 2020 US election-focused operation in which the actors masqueraded as members of the Proud Boys, Emennet previously conducted cyber-enabled information operations, including operations that used a false-flag persona. According to FBI information, in late 2018 the group masqueraded as the "Yemen Cyber Army" and crafted messaging critical of Saudi Arabia. Emennet also demonstrated interest in leveraging bulk SMS services, likely as a means to mass-disseminate propaganda or other messaging.
FBI information indicates Emennet poses a broader cybersecurity threat outside of information operations. Since 2018, Emennet has conducted traditional cyber exploitation activity targeting several sectors, including news, shipping, travel (hotels and airlines), oil and petrochemical, financial, and telecommunications, in the United States, Europe, and the Middle East.
The FBI is providing a summary of the group’s past TTPs to recipients so they can better understand and defend against the group’s future malicious activity.
Emennet is known to use Virtual Private Network (VPN) services to obfuscate the origin of its activity. The group likely uses VPN services including TorGuard, CyberGhost, NordVPN, and Private Internet Access. Because the activity egresses through commercial VPN providers, defenders should not expect the source IP addresses to geolocate to Iran; enriching authentication and web server logs with the known exit ranges of these providers is a more useful check than country-based filtering.
Over the past three years, Emennet conducted reconnaissance and chose potential victims by performing web searches for leading businesses in various sectors, using queries such as "top American news sites." Emennet would then use these results to scan the identified websites for vulnerable software that could be exploited to establish persistent access. In some instances, the objective appears to have been to exploit a large number of networks or websites in a particular sector rather than one specific organization. In other situations, Emennet would also attempt to identify the hosting or shared-hosting providers behind the targeted sites.
After the initial reconnaissance phase, Emennet typically researched how to exploit specific software, including identifying publicly available open-source tools. In particular, Emennet demonstrated interest in identifying webpages running PHP code and in identifying externally accessible MySQL databases, particularly phpMyAdmin instances. For defenders, the practical check is whether any phpMyAdmin or other database administration interface is reachable from the internet at all; such interfaces should be restricted to trusted networks or removed, and web server logs should be reviewed for requests to the common phpMyAdmin paths and for broad probing of .php resources.
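The reconnaissance pattern described above (web-facing scans for PHP pages and phpMyAdmin, sourced from commercial VPN exits) can be triaged directly from ordinary web server access logs. The following Python script is an added example written for this notice, not code from the FBI or from the actors; it assumes Apache/Nginx "combined" log format, uses constructed sample log lines with documentation-range IP addresses, and uses a placeholder VPN exit range (the real provider ranges are not on the page and must come from your own threat-intelligence feed). It flags sources that probe phpMyAdmin paths, that probe multiple .php resources, or whose requests are mostly 404s (path guessing), and it notes whether the source falls inside a VPN exit range.

```python
import ipaddress
import re
from collections import defaultdict

# Placeholder standing in for commercial VPN exit ranges (constructed; the real
# provider ranges are not on the page). Populate this from your threat-intel feed.
VPN_EGRESS_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed Apache/Nginx combined-format access log lines (illustrative only).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2021:10:15:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2021:10:15:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2021:10:15:02 +0000] "GET /pma/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2021:10:15:03 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2021:10:15:03 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2021:10:15:04 +0000] "GET /admin.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2021:10:16:00 +0000] "GET /news/2021/03/story.html HTTP/1.1" 200 8200 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2021:10:16:05 +0000] "GET /css/site.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2021:10:17:00 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 3000 "-" "python-requests/2.25.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# Common phpMyAdmin install paths probed by scanners (case-insensitive).
PMA_RE = re.compile(r'^/(phpmyadmin|pma|myadmin|mysqladmin|dbadmin)(/|$)', re.I)
# Any request for a .php resource (query string already stripped).
PHP_RE = re.compile(r'\.php$', re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def in_ranges(ip, ranges):
    """True if ip falls inside any of the given networks; False for unparsable input."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def triage(log_text, vpn_ranges=VPN_EGRESS_RANGES, php_site=False):
    """Aggregate per-source statistics and flag reconnaissance patterns.

    php_site: set True if the site legitimately serves PHP, so that only .php
    requests answered with 404 (guessed paths) are counted as probes.
    """
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "pma_probes": 0,
                                 "pma_success": 0, "php_probes": 0, "flags": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        if rec["status"] == 404:
            s["not_found"] += 1
        if PMA_RE.search(rec["path"]):
            s["pma_probes"] += 1
            if rec["status"] == 200:
                s["pma_success"] += 1
        elif PHP_RE.search(rec["path"]) and (not php_site or rec["status"] == 404):
            s["php_probes"] += 1

    for ip, s in stats.items():
        if s["pma_success"]:
            s["flags"].append("phpmyadmin-reachable")  # an exposed panel actually answered
        if s["pma_probes"]:
            s["flags"].append("phpmyadmin-probe")
        if s["php_probes"] >= 2:
            s["flags"].append("php-probe")
        # Path guessing produces a high 404 ratio across several requests.
        if s["requests"] >= 4 and s["not_found"] / s["requests"] >= 0.5:
            s["flags"].append("path-bruteforce")
        s["via_vpn_range"] = in_ranges(ip, vpn_ranges)
    return dict(stats)


def suspicious_sources(log_text, vpn_ranges=VPN_EGRESS_RANGES):
    """Source IPs with at least one flag, most flags first."""
    report = triage(log_text, vpn_ranges)
    return sorted((ip for ip, s in report.items() if s["flags"]),
                  key=lambda ip: (-len(report[ip]["flags"]), ip))


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip in suspicious_sources(SAMPLE_LOG):
        print(ip, report[ip]["flags"], "vpn-range" if report[ip]["via_vpn_range"] else "")
```

The "phpmyadmin-reachable" flag is the one that matters most: a probe that receives a 404 is noise on most internet-facing hosts, while a 200 means an administration interface is exposed and should be taken off the internet regardless of who requested it. Feed real logs in via `triage(open(path).read())` and replace the placeholder range with your VPN egress list.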