Iranian ‘Cyber Centers’ Avoid Sanctions to Sell Cyber Operations

Public records combined with leaked documents from Iranian anti-government groups suggest that several Middle Eastern cybersecurity firms are part of complex networks of government officials and cybersecurity specialists who have links to Iran’s Revolutionary Guard Corps.

Contracting companies, such as Emen Net Pasargad and Mahak Rayan Afraz (MRA), are responsible for – or have contributed to – attacks on democratic processes in Western countries, attacks on industrial control systems and critical infrastructure, and compromises at major financial institutions, Recorded Future said in a recent report.

In the cybersecurity community, the two contractors are suspected of being linked to the Cotton Sandstorm and Imperial Kitten (also known as Crimson Sandstorm) threat actors, respectively.

Overall, the leaked research and data highlight networks of contractors and individuals responsible for cyber operations that constitute “cyber centers” linked to Iranian military and intelligence organizations, Recorded Future says in the report.

“The leaks describe a long-standing relationship between intelligence and military organizations and contractors based in Iran,” the report said. “Public records indicate an ever-growing network of front companies linked through individuals known to serve various branches of the IRGC.”

The effort to expose Iranian cyber operations groups comes as the nation’s military and intelligence agencies step up attacks following Hamas’ terror attack on Israeli civilians and the ongoing military operations in Gaza. In December, pro-Iranian hackers breached several water systems in Western countries that use Israeli-made programmable logic controllers, and they targeted Israeli critical infrastructure. In mid-December, Israeli officials said Iran had breached a hospital, stealing 500 gigabytes of medical data.

The United States had previously sanctioned groups linked to Iranian intelligence, following cyber attacks on critical infrastructure in the United States and European countries. As a result of the sanctions, several contractors in Iran have closed their doors, but experts expect them to start up again under different names, says Rafe Pilling, director of threat research for Secureworks’ Counter Threat Unit (CTU).

“An organization like Emen Net Pasargad [has] basically renamed or changed identities multiple times,” he says, adding, “They [Iran] are increasingly leaning on the use of cybercrime and hacktivist personas in different parts of the world to protect and obfuscate their identities.”

Crimes and sanctions

The concept of a cyber center, which some anti-government groups call a “khyber center,” typically brings together multidisciplinary groups of hackers and cybersecurity specialists with Iranian government organizations. In some cases, they provide certain services, such as access to compromised networks, to other groups, according to members of Recorded Future’s Insikt threat intelligence group who asked to remain anonymous.

US government charges and sanctions against Iranian individuals and alleged threat actors have been an effective tool and have made business more difficult for cyber-offensive contractors, the Recorded Future report says. However, the international strategy is unlikely to dissuade Iran from continuing its cyber operations, according to the company’s researchers.

“With regards to the current conflict, … the Islamic Republic is almost certainly framing its support for Hamas and Gazans as a legitimate cause that justifies their involvement,” the researchers said. “We observed examples of people associated with the Iranian cyber program saying that sanctions would not deter their activities.”

The companies are likely considered legitimate business entities in Iran, Pilling says. “The operating model that Iran uses … is one where it uses contractors—some people call them front companies,” he says. “Maybe they do some other kind of quasi-legitimate work in Iran, but essentially they also do government work, which is probably also considered legitimate, and that work appears to simply be offensive cyber activity against Iran’s perceived adversaries.”

It is not a one-off trade deal

Iranian contractors are not the only ones to have deals with government officials. Russia’s cyber operations are often run by private companies, such as the Internet Research Agency, whose work included massive disinformation campaigns launched before – and continuing during – the invasion of Ukraine.

The contractors highlighted in the report profit not only from operations in Iran but also abroad, by selling services to other nations, likely including Iraq, Syria and Lebanon, Recorded Future said.

“Research on these groups has also highlighted financially motivated activities outside Iran’s borders that formalize the export of information technologies,” the report said. “While public information is still limited on this front, the cases identified in this research suggest that contractors rely on the IRGCQF to penetrate the highest levels of government to engage in supposedly lucrative deals.”
