Full Report
Mohammad Bagher Shirinkar and Fatemeh Sedighian Kashi are accused of maintaining a close relationship, and of planning and conducting cyberattacks of interest to the Iranian government. The post "Officials offer $10M reward for information on IRGC-linked leader and close associate" appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Shahid Shushtari (Associated Individuals: Mohammad Bagher Shirinkar and Fatemeh Sedighian Kashi)
## Attribution & Identity
* **Primary Affiliation:** Malicious cyber unit operating under Iran’s Revolutionary Guard Corps (IRGC) Cyber-Electronic Command.
* **Identified Individuals:** Mohammad Bagher Shirinkar (allegedly oversees the unit) and Fatemeh Sedighian Kashi. The US State Department is offering a $10M reward for information about them.
* **Known Aliases/Group Names (Successive Front Company Renames):**
  * Shahid Shushtari (current/latest recognized name)
  * Emennet Pasargad (previous name, designated by Treasury in late 2021)
  * Aria Sepehr Ayandehsazan
  * Ayandeh Sazan Sepehr Arya
  * Eeleyanet Gostar
  * Net Peygard Samavat Co.
* **Other Tracking Designations:** UNC5866 (Google Threat Intelligence Group), Cotton Sandstorm, Haywire Kitten.
## Activity Summary
* The group has been active since 2018, demonstrating a consistent operational tempo since 2020.
* Allegedly involved in planning and conducting cyberattacks of interest to the Iranian government.
* Conducted a multi-faceted campaign targeting the U.S. presidential election, which began in August 2020.
* Engaged in cyberespionage operations, sometimes utilizing a false-flag persona.
* Exhibited new tradecraft in preparation for future influence operations in 2023.
## Tactics, Techniques & Procedures
* Phishing operations.
* Malware delivery operations.
* Cyberespionage (including false-flag techniques).
* Involved in influence operations (specifically regarding the 2020 US election).
* The group is described as being "more reactive in nature" than other Iranian entities, demonstrated by rapidly evolving tradecraft.
* Specific MITRE ATT&CK IDs were not detailed in the source text.
## Targeting
* **Sectors:** Multiple critical infrastructure sectors, including news, shipping, travel, energy, financial, telecom, government, healthcare, and tech.
* **Geography:** Operations span the United States, Europe, and the Middle East.
* **Victims:** Businesses and government agencies suffering financial damage and disruption.
## Tools & Infrastructure
* Specific malware families or C2 infrastructure were not detailed in the provided article excerpt.
* The group's operations have been carried out under its successive front company names (Emennet Pasargad et al.), so activity may be tracked under any of those identities.
## Implications
* The group represents a persistent, state-sponsored threat linked directly to the IRGC Cyber-Electronic Command.
* Their evolution through multiple front companies highlights ongoing efforts to obfuscate their true identity and operational structure.
* The targeting scope is broad, focusing on both critical infrastructure disruption and sensitive political interference (US elections).
* The observed "rapidly evolving tradecraft" suggests an adaptive threat actor requiring continuous monitoring.
## Mitigations
* Enhanced vigilance against phishing and malware delivery campaigns attributed to Iranian-aligned threat activity.
* Heightened security monitoring for the kinds of targets identified in election interference operations, particularly during sensitive political periods.
* Reviewing threat intelligence feeds for indicators related to UNC5866, Cotton Sandstorm, and Haywire Kitten.
* Implementing segmentation and resilience measures for critical infrastructure sectors (Energy, Finance, Telecom) to mitigate damage from potential disruptive attacks.