# Full Report

**State-sponsored attackers joined by Chinese snoops and hackers-for-hire in latest round of economic penalties**

The Council of the European Union sanctioned Emennet Pasargad on Monday, a company used as a front for a series of Iranian cyberattacks.…

# Analysis Summary
# Threat Actor: Emennet Pasargad
## Attribution & Identity
* **Identification:** Emennet Pasargad (also known as Emennet Pasargad Engineering Company).
* **National State Affiliation:** Iran.
* **Known Aliases:** Anzu, Anzu Team.
* **Associated Groups:** Linked directly to the Islamic Revolutionary Guard Corps (IRGC).
## Activity Summary
Emennet Pasargad is a Tehran-based front company responsible for high-profile cyberattacks and "hack-and-leak" operations aimed at Western interests. Recent activities highlighted by the Council of the European Union include:
* **Psychological Operations (2023-2024):** Retaliatory cyberattacks against the French magazine *Charlie Hebdo* and SMS-based threats in Sweden.
* **Election Interference:** Attempted interference in the 2020 US elections and continued monitoring of US electoral systems.
* **Influence Operations (2024):** Compromising advertising infrastructure during the Paris Olympics to display propaganda.
## Tactics, Techniques & Procedures
* **Information Operations / Disinformation:** Creating spoofed media sites to spread anti-American propaganda and provoke heated political exchanges.
* **Hack-and-Leak:** Stealing sensitive subscriber databases (e.g., from *Charlie Hebdo*) and offering the data for sale on dark web forums to intimidate and harass.
* **Infrastructure Hijacking:** Compromising third-party SMS gateways to send mass threatening messages to a nation's citizenry.
* **Public Defacement:** Compromising digital advertising boards to display politically motivated propaganda.
* **Confidence Undermining:** Strategic targeting of election-related systems to reduce public trust in democratic security.
## Targeting
* **Sectors:** Media/Publishing, Government (Elections), Telecommunications (SMS services), and Public Information (Advertising/Signage).
* **Geography:** United States, France, Sweden, Israel, and various EU member states.
* **Victims:**
  * *Charlie Hebdo* (subscriber base)
  * Sweden's national SMS service infrastructure
  * Paris 2024 Olympics advertising board operators
  * United States 2020 election infrastructure and voters
## Tools & Infrastructure
* **Spoofed Domains:** Host fraudulent media outlets to disseminate propaganda (URLs not provided in source).
* **Dark Web Forums:** Utilized for leaking/selling stolen PII (Personally Identifiable Information).
* **SMS Gateways:** Hijacked Swedish service provider infrastructure used to send ~15,000 retaliatory messages.
## Implications
Emennet Pasargad represents a shift in Iranian cyber strategy toward "cognitive warfare." Its operations are not designed for traditional espionage (data theft for intelligence) but for public disruption, intimidation, and the undermining of democratic institutions. The actor's agility in responding to geopolitical events, such as religious protests or sporting events, indicates a highly reactive and politically motivated operational mandate.
## Mitigations
* **Third-Party Risk Management:** Audit and secure third-party integration points, particularly for SMS and public-facing digital signage, to prevent unauthorized message distribution.
* **Election Security:** Implement rigorous monitoring of election-related infrastructure for reconnaissance or small-scale intrusions intended to damage public confidence.
* **Brand & Media Protection:** Media organizations should utilize heightened DDoS protection and robust database encryption/access controls to defend against hack-and-leak attempts.
* **Public Awareness:** Educate the public on "spoofed media" and disinformation tactics to build resilience against foreign influence operations.
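The third-party risk mitigation above is concrete enough to turn into a detection: an operator of an SMS integration can spot the kind of mass retaliatory send described in the report (thousands of near-identical messages pushed through a single partner credential in a short time) from the gateway's own send log. The following script is an added example and is not code from the report or from any of the organisations it names; it assumes a hypothetical log format (`key=`, `sender=`, `to=`, `body_sha256=` fields) and uses constructed sample lines, so the thresholds and field names are illustrative.

```python
"""Flag mass-messaging abuse of an SMS gateway credential from its send log.

Added example (not from the source report). Log format, key names and the
sample data below are all constructed assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# One log line per accepted outbound SMS. Recipient numbers are masked.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) key=(?P<key>\w+) "
    r"sender=(?P<sender>\S+) to=(?P<to>\S+) body_sha256=(?P<body>[0-9a-f]{8})$"
)
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Return a dict for a well-formed line, or None so bad lines are skipped."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_mass_sends(lines, window_s=60, max_per_window=20,
                      min_identical=10, identical_ratio=0.9):
    """Bucket sends per (API key, time window) and raise an alert when a key
    exceeds the volume ceiling or pushes the same body to many recipients."""
    buckets = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # malformed line: ignore rather than crash the detector
        bucket = int((event["ts"] - EPOCH).total_seconds()) // window_s
        buckets[(event["key"], bucket)].append(event)

    alerts = []
    for (key, bucket), events in sorted(buckets.items()):
        count = len(events)
        top_body, top_count = Counter(e["body"] for e in events).most_common(1)[0]
        reasons = []
        if count > max_per_window:
            reasons.append("volume")
        if top_count >= min_identical and top_count / count >= identical_ratio:
            reasons.append("identical_body")
        if reasons:
            alerts.append({
                "key": key,
                "window_start": (EPOCH + (bucket * window_s) * (datetime(1970, 1, 1, 0, 0, 1) - EPOCH)).isoformat() + "Z",
                "count": count,
                "top_body": top_body,
                "top_body_count": top_count,
                "recipients": len({e["to"] for e in events}),
                "reasons": reasons,
            })
    return alerts


def build_sample_log():
    """Constructed sample gateway log: a few normal sends, one malformed line,
    then a burst of identical messages from a single partner credential."""
    lines = [
        "2024-07-26T10:00:05Z key=k_app1 sender=ACME to=+46700***001 body_sha256=3f1a9c2e",
        "2024-07-26T10:00:41Z key=k_app1 sender=ACME to=+46700***002 body_sha256=b77d0e11",
        "2024-07-26T10:01:12Z key=k_app1 sender=ACME to=+46700***003 body_sha256=90ac44f0",
        "this line is malformed and must be skipped",
    ]
    for i in range(30):  # 30 identical bodies to 30 recipients inside one minute
        lines.append(
            f"2024-07-26T10:02:{i:02d}Z key=k_partner7 sender=INFO "
            f"to=+46700***{100 + i:03d} body_sha256=deadbeef"
        )
    return lines


if __name__ == "__main__":
    for alert in detect_mass_sends(build_sample_log()):
        print(alert)
```

Run against the constructed log, the normal application key stays quiet while the partner key trips both rules in the same window. In practice the volume ceiling should come from each integration's historical baseline, and an alert should feed a kill switch on that credential rather than only a ticket, since the report's example played out in minutes.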