November 2, 2024
U.S. and Israeli cybersecurity agencies have released a new advisory linking an Iranian cyber group to malicious activities targeting the 2024 Summer Olympics and compromising a French commercial display provider to broadcast anti-Israel messages during the event. The cyber group in question is identified as Emennet Pasargad, which has been operating under the alias Aria Sepehr Ayandehsazan (ASA) since mid-2024. The wider cybersecurity community recognizes this entity by various names, including Cotton Sandstorm, Haywire Kitten, and Marnanbridge.
The advisory highlights the group’s innovative methods in conducting cyber-enabled information operations throughout mid-2024, including multiple campaigns targeting the 2024 Summer Olympics. One significant incident involved the breach of a French commercial dynamic display provider in July 2024 using infrastructure provided by VPS-Agent, a cover hosting service. This breach was utilized to display images denouncing the participation of Israeli athletes in the Olympic and Paralympic Games.
ASA’s activities, attributed to Iran’s Islamic Revolutionary Guard Corps (IRGC), extend beyond Olympic disruptions. Operating under a number of identities, including Al-Toufan, Anzu Team, Cyber Cheetahs, Cyber Flood, For Humanity, Menelaus, and Market of Data, the group has been connected to influence operations. One of its notable tactics involves creating fictitious hosting resellers to set up operational server infrastructure. This strategy has also supported actors in Lebanon hosting websites affiliated with Hamas, such as alqassam[.]ps.
According to the agencies, ASA has employed cover hosting services, including ‘Server-Speed’ and ‘VPS-Agent,’ since mid-2023. The group secured server space from Europe-based providers like Lithuania’s BAcloud and the UK/Moldova-based Stark Industries Solutions/PQ Hosting. These cover resellers facilitated ASA’s malicious cyber operations.
A joint law enforcement operation led by the U.S. Attorney’s Office for the Southern District of New York (SDNY) and the FBI resulted in the seizure of domains such as vps-agent[.]net and cybercourt[.]io. The advisory also revealed ASA’s use of its ‘Cyber Court’ persona, which promoted hacktivist activities on Telegram and hosted content on a dedicated website.
Beyond targeting the Olympics, ASA conducted operations aimed at amplifying psychological effects after the Israel-Hamas conflict in October 2023. Under the persona ‘Contact-HSTG,’ the group reached out to family members of Israeli hostages with messages intended to cause distress.
ASA’s intelligence-gathering efforts included monitoring and acquiring footage from IP cameras in Israel, Gaza, and Iran, as well as collecting data on Israeli fighter pilots and UAV operators using various online platforms, including knowem.com, facecheck.id, socialcatfish.com, ancestry.com, and familysearch.org.
This development coincides with the U.S. Department of State’s announcement of a reward of up to $10 million for information on individuals linked to Shahid Hemmat, another IRGC-affiliated cyber group targeting U.S. critical infrastructure. Shahid Hemmat has previously been associated with attacks on the U.S. defense sector and international transport industries and is connected to figures like Mohammad Bagher Shirinkar, Mahdi Lashgarian, Alireza Shafie Nasab, and front companies such as Emennet Pasargad, Dadeh Afzar Arman (DAA), and Mehrsam Andisheh Saz Nik (MASN).