Inside Iran’s Cyber Playbook: AI, Fake Hosting, and Psychological Warfare

The recent cybersecurity advisory from the U.S. FBI, Department of Treasury, and Israel National Cyber Directorate has linked an Iranian group known as Emennet Pasargad to a series of cyber operations targeting the 2024 Summer Olympics. This group, tracked by cybersecurity researchers under names such as Cotton Sandstorm, Haywire Kitten, and Marnanbridge, conducted these attacks to promote anti-Israel messaging.

One major aspect of the operation involved breaching a French commercial dynamic display provider to broadcast messages condemning Israel’s participation in the Olympics. This attack is part of a broader campaign in which the group used a variety of tradecraft and digital tools to amplify its influence. Among the tactics employed, ASA (Aria Sepehr Ayandehsazan, the name the advisory says the group now operates under) leveraged consumer AI tools: Remini AI for photo enhancement, Voicemod and Murf AI for voice modulation, and Appy Pie for generating propaganda images. The group is also reported to have accessed and extracted content from IP cameras, furthering its reach in information operations.

The advisory reveals that the Iranian threat group ASA, associated with the Islamic Revolutionary Guard Corps (IRGC), is intensifying its cyber and influence activities using a variety of covert tactics and multiple online identities. The group operates under various aliases, such as Al-Toufan, Anzu Team, Cyber Cheetahs, Cyber Flood, and others, to mask its operations.

A recently identified tactic involves ASA’s creation of fictitious hosting resellers, allowing it to control server infrastructure more discreetly. These resellers, named Server-Speed and VPS-Agent, have been used since mid-2023 to establish server resources that support its own activities and provide hosting to groups like Hamas in Lebanon, including Hamas-affiliated sites like alqassam[.]ps. ASA uses these cover companies to rent server space from European providers, including BAcloud (Lithuania) and Stark Industries Solutions/PQ Hosting (United Kingdom and Moldova), to further conceal its infrastructure and activities.

Technical Details:

  1. Common Vulnerabilities and Exposures (CVE):
  • The reporting summarized above does not attribute any specific CVE to ASA, and it does not say how the French display provider was breached. The entries below illustrate the bug classes involved; none is confirmed as the vector for the Olympics incident.
  • CVE-2023-23397: a Microsoft Outlook vulnerability in which a crafted calendar item makes the client leak the user’s Net-NTLMv2 hash to an attacker-controlled server with no user interaction, enabling credential theft and relay. It was exploited in the wild, but not by ASA as far as this reporting goes. CVE-2023-23416: a remote code execution bug in Windows Cryptographic Services. Neither is a “messaging and collaboration platform” bug in the sense a reader might assume, and neither is documented in the display-provider intrusion.
  • CVE-2023-23748: described here as affecting PHP-based content management systems (CMSs) or web applications. This page gives no further detail, so verify the entry against NVD before relying on it. A CMS bug of this kind is the sort of thing that would let an attacker change what a dynamic display shows, which is why it is listed, not because it was observed.
  2. Common Weakness Enumeration (CWE):
  • CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): relevant to ASA’s extraction of content from IP cameras. Cameras exposed directly to the internet, often with default or no authentication, hand their feeds and snapshots to anyone who finds them.
  • CWE-284 (Improper Access Control): misconfigured or weak access controls on server infrastructure and hosting environments, including the CMS or scheduling interface that decides what a display shows, lead to unauthorized access and unauthorized content changes.
  • CWE-311 (Missing Encryption of Sensitive Data): if the link between a CMS and its displays, or a management API, carries content or credentials in cleartext, an attacker on the path can read or alter display messages. The reporting does not say whether this played a role in the incident.
  3. CVSS (Common Vulnerability Scoring System):
  • CVSS scores attach to individual CVEs, not to campaigns, so there is no score for “ASA’s tactics”. Of the CVEs listed above, CVE-2023-23397 carries a CVSS 3.1 base score of 9.8 (Critical). The techniques the advisory actually describes (phishing, abuse of rented hosting, exposed cameras, altered display content) mostly do not depend on a scored vulnerability at all, which is why patch status alone is a poor measure of exposure to this group.
  4. Other Technical Tactics and Tools:
  • AI Tools for Propaganda: Using consumer applications such as Remini AI, Voicemod, Murf AI, and Appy Pie, ASA produced enhanced images and synthetic or altered voices for influence content. These tools are not vulnerabilities and never touch the victim’s network; they run on the operator’s side, so their relevance to defenders lies in recognising the output, not in blocking the services.
  • Fictitious Hosting Providers: ASA set up “cover” hosting resellers, Server-Speed and VPS-Agent, to obtain infrastructure, which in turn rented resources from European vendors such as BAcloud and Stark Industries Solutions/PQ Hosting. The effect is that ASA’s servers sit inside the address space of otherwise legitimate providers, so their origin is not obvious from an IP address or its country.
  5. Observed Tactics, Techniques, and Procedures (TTPs), mapped to MITRE ATT&CK:
  • T1071.001 (Application Layer Protocol: Web Protocols): ASA’s interaction with display providers and IP cameras rides on HTTP/HTTPS, both to pull camera content and to push altered display content.
  • T1566.001 (Phishing: Spearphishing Attachment): ASA often relies on phishing for initial access, followed by infrastructure compromise and information operations.
  • T1491.002 (Defacement: External Defacement): replacing what a public display shows with propaganda is defacement in ATT&CK terms. This fits better than T1574 (Hijack Execution Flow), which covers DLL search-order hijacking and similar ways of diverting program execution rather than substituting content on a CMS-driven display. Capturing IP camera feeds is closest to T1125 (Video Capture).

Indicators of Compromise (IOCs):

  1. Domain and IP-based IOCs
  • Domains Used for Hosting and Infrastructure (the only concrete indicators on this page):
    • server-speed[.]com
    • vps-agent[.]net
    • alqassam[.]ps (Hamas-affiliated site)
  • Other Possible Domains: ASA may register further reseller fronts with similar naming, using terms such as “hosting,” “server,” “VPN,” or “reseller” to blend into legitimate services. Such names are a hunting lead, not a blocking criterion; plenty of legitimate businesses use them.
  • IP Addresses:
    • No specific addresses are published here. ASA’s servers are rented, through its cover resellers, from providers in:
      • Lithuania (BAcloud)
      • United Kingdom and Moldova (Stark Industries Solutions/PQ Hosting)
    • These providers also serve legitimate customers, so treat traffic to or from their ranges as a signal for review rather than an automatic block, and prefer specific indicators from current threat intelligence feeds over provider or country alone. The broader class of low-cost, offshore VPS services with minimal KYC (know your customer) requirements is too wide to be an indicator by itself.
  2. Malicious Files and File Hashes
  • No file hashes are published in the reporting summarized here. If ASA delivers malware, it would be expected in phishing attachments or payloads that:
    • Alter display content (for compromising dynamic displays)
    • Capture or exfiltrate images/videos from IP cameras
    • Establish command and control from the compromised host
  • Hashes of such files, once identified, should be taken from current threat intelligence and shared through intelligence communities.
  • Propaganda Media: hashes of the images, video, or audio ASA pushed to displays or social media are not malware indicators, but they are useful for takedown requests and for spotting re-use of the same content elsewhere. Because re-encoding changes a cryptographic hash, perceptual hashing is the more practical tool for that purpose.
  3. Email Addresses and Phishing Artifacts
  • Email Addresses:
    • No sender addresses are published. Messages sent under ASA’s personas (Al-Toufan, Anzu Team, Cyber Cheetahs, and the others listed above) may share metadata such as sending infrastructure or registrar patterns across campaigns.
    • Watch for lookalike domains that imitate official Olympic, sponsor, or governmental communication channels.
  • Phishing Lures:
    • Subjects and lures may reference the Olympics, Israeli participation in global events, or other politically sensitive topics.
    • Keywords such as “URGENT,” “Olympics,” “Israel,” or “participation update” are plausible lure vocabulary, but they are common in legitimate mail too; use them to prioritise review, not as a standalone detection.
  4. Network Traffic Patterns and Behaviors
  • HTTP/S Traffic:
    • Unexpected HTTP/HTTPS requests to display controllers or the CMS that schedules their content, particularly writes to playlists, templates, or media libraries outside normal change windows.
  • Traffic to AI Tools:
    • The AI services ASA used (Remini AI, Voicemod, Murf AI, Appy Pie) run on the operator’s own machines, so connections to them from a defender’s network say nothing about ASA and should not be treated as indicators. What matters is the output: media that appears on displays or channels without going through the normal content approval process.
  • Command and Control (C2) Patterns:
    • C2 channels over rented VPS servers or freshly registered domains, often with short-lived or single-use IPs. Pair the network observation with the host evidence below; on its own the pattern is indistinguishable from ordinary traffic to cloud hosting.
  5. Host-Based IOCs
  • Registry and File System Changes:
    • On Windows hosts, persistence entries (Run keys, scheduled tasks, services) created around the time of the suspected intrusion.
    • Unexpected files in directories belonging to CMS or display software, especially new or modified media and playlist files that do not match the content management system’s own records.
  • Processes and Services:
    • Background processes performing screen capture, video capture, or outbound C2 connections.
    • Executables masquerading as legitimate system processes that read IP camera streams or write to display content.
  6. AI-Generated Propaganda Artifacts
  • Modified Images and Audio Files:
    • Images processed by tools such as Appy Pie or Remini AI may carry no camera metadata and show uniform enhancement or compression artifacts. Absence of metadata is weak evidence on its own, since most social-media pipelines strip it too.
    • Audio produced or altered with Voicemod or Murf AI may show signs of synthesis in its spectrogram or waveform, but automated synthetic-media detectors have high error rates. Treat these as supporting evidence; the decisive signal is that the content appeared without passing through the organisation’s own approval process.
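The three domains above are defanged as published. The following Python script is an added example, not code from the advisory or from any vendor: it refangs the indicators, matches hostnames found in BIND-style query-log and Squid-style proxy lines against them (including subdomains), and separately flags reseller-style hostnames as review items. The log lines are constructed, and the reseller term list is the one given in the text; it is a heuristic for triage, not a block list.

```python
import re
from typing import Dict, Iterable, List, Optional

# Indicators as published (defanged).  These are the only concrete IOCs on this page.
DEFANGED_IOCS = ["server-speed[.]com", "vps-agent[.]net", "alqassam[.]ps"]

# Terms the text says reseller fronts tend to use.  Heuristic only, not a block list.
RESELLER_TERMS = ("hosting", "server", "vps", "vpn", "reseller")


def refang(indicator: str) -> str:
    """Undo common defanging: 'a[.]b', 'a(.)b', 'a[dot]b', 'hxxp://'."""
    s = indicator.strip().lower()
    for bracket in ("[.]", "(.)", "[dot]"):
        s = s.replace(bracket, ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s)


IOCS = {refang(d) for d in DEFANGED_IOCS}


def matches_ioc(host: str) -> Optional[str]:
    """Return the matching IOC if host equals it or is a subdomain of it."""
    host = host.lower().rstrip(".")
    for ioc in IOCS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def looks_like_reseller(host: str) -> bool:
    """Weak signal: the leftmost label uses reseller-style vocabulary."""
    label = host.lower().split(".")[0]
    return any(term in label for term in RESELLER_TERMS)


# Pull a hostname out of a BIND query-log line ("query: host IN A"), a Squid
# CONNECT line, or a URL.  Sufficient for the constructed samples; real logs
# should be parsed field by field.
HOST_RE = re.compile(r"(?:query: |https?://|CONNECT )([a-z0-9.-]+\.[a-z]{2,})", re.I)


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one hit per line that touches an IOC or a reseller-style host."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1)
        ioc = matches_ioc(host)
        if ioc:
            hits.append({"line": number, "host": host, "reason": "ioc:" + ioc})
        elif looks_like_reseller(host):
            hits.append({"line": number, "host": host, "reason": "reseller-pattern"})
    return hits


# Constructed sample lines, not real telemetry: two BIND-style query-log lines
# and two Squid-style access-log lines.  Only the last one is clean.
SAMPLE_LOGS = [
    "client 10.0.0.5#51234 (cdn.alqassam.ps): query: cdn.alqassam.ps IN A + (10.0.0.2)",
    "1730000000.123 245 10.0.0.7 TCP_TUNNEL/200 3921 CONNECT server-speed.com:443 - HIER_DIRECT/203.0.113.10 -",
    "1730000001.456 120 10.0.0.7 TCP_MISS/200 812 GET http://cheap-vps-hosting.test/panel - HIER_DIRECT/203.0.113.11 text/html",
    "client 10.0.0.9#40001 (update.microsoft.com): query: update.microsoft.com IN A + (10.0.0.2)",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['host']} ({hit['reason']})")
```

Subdomain matching matters because hosting fronts and propaganda sites are reached through names like cdn. or www. rather than the bare domain; the reseller heuristic is deliberately reported with a different reason so an analyst can treat the two classes of hit differently.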

Impact

  1. Security Impact
  • Compromise of Public-Facing Systems: ASA’s focus on breaching display servers, CMS systems, and IP cameras shows how exposed public information systems are. A display provider is not critical infrastructure in the regulatory sense, but unauthorized access to these systems still undermines the integrity and availability of services at large events and can cascade into other connected infrastructure.
  • Data Exfiltration and Privacy Violations: With ASA reportedly accessing and extracting content from IP cameras and servers, sensitive data—possibly including personal information and surveillance footage—could be exposed or used for malicious purposes. This compromises individual privacy and could expose officials and participants to additional risks.
  • Infrastructure Trust Erosion: The manipulation of public displays to spread propaganda can lead to a loss of trust in digital infrastructure. This may prompt concerns among event organizers, attendees, and the general public regarding the reliability of information presented at major events.
  2. Political and Psychological Impact
  • Undermining International Relations: ASA’s operations are heavily politicized, aiming to broadcast anti-Israel or anti-Western sentiments at global events. This can create tension between nations, as targeted states may interpret these actions as aggressive and state-sponsored, potentially fueling political conflicts or retaliatory actions.
  • Psychological Impact on the Public: The use of AI-enhanced content to spread propaganda can sway public opinion and create confusion, fear, or resentment. The psychological impact of displaying manipulated or politically charged content at international events can lead to social unrest, and ASA’s tactics suggest an intention to disrupt public morale and international solidarity.
  • Diplomatic Fallout: Attacks tied to a government-backed entity like Iran’s IRGC could escalate diplomatic strain between Iran and affected nations (e.g., France, Israel, and the U.S.). Such campaigns could lead to diplomatic protests, sanctions, or increased cybersecurity cooperation among targeted states in response.
  3. Economic Impact
  • Financial Losses for Event Organizers and Partners: Cyber disruptions at events like the Olympics can lead to reputational damage, impacting ticket sales, sponsorships, and partnerships. There are also direct financial costs associated with remediating the security incidents, restoring systems, and compensating affected parties.
  • Increased Security and Insurance Costs: High-profile events are likely to face increased security and insurance premiums in response to such targeted attacks. Event organizers and supporting vendors will need to allocate additional resources to cybersecurity measures, staff training, and real-time monitoring solutions.
  • Operational Downtime and Recovery Costs: ASA’s actions can cause downtime for systems managing public displays, IP cameras, or other essential services, leading to lost revenue, resource diversion, and potential penalties if service-level agreements are not met.
  4. Reputational Impact
  • Erosion of Public Confidence: Recurring cyber incidents, especially during globally visible events like the Olympics, can reduce public confidence in digital platforms and security measures. Viewers and attendees may question the reliability of event information or the safety of engaging in future large-scale events.
  • Brand and Image Damage for Associated Entities: Brands, sponsors, and other commercial partners linked to the Olympics may face image damage if propaganda is shown on screens associated with their products or services. For example, seeing anti-Israel messaging on commercial displays could impact the public perception of the companies managing those displays.
  • Impact on Future Partnerships and Hosting Opportunities: Countries and companies that experience cyberattacks at high-profile events may be less likely to secure future partnerships, as other organizations could view these vulnerabilities as risks to their own operations or image.
  5. Long-Term Impact on Cybersecurity Strategy
  • Shift in Cybersecurity Standards and Policy: The actions of ASA highlight the importance of securing infrastructure against information operations and influence campaigns. This will likely lead to strengthened cybersecurity policies at national and organizational levels, as governments and companies adopt stricter measures to protect against state-sponsored influence operations.
  • Increased Cybersecurity Collaboration: ASA’s tactics could drive affected nations, particularly those in the West and the Middle East, to enhance information-sharing frameworks, increase joint cybersecurity exercises, and develop more stringent cybersecurity protocols for international events.
  • Escalation in Cyber Warfare: ASA’s use of sophisticated, AI-driven tools signals an evolution in cyber warfare tactics. In response, targeted states may ramp up their own offensive cybersecurity capabilities, potentially fueling an arms race in cyber warfare capabilities among nations.

Recommendations:

To mitigate the threats posed by ASA and its cyber operations, the following recommendations can be implemented across technical, procedural, and strategic levels:

  1. Network and Endpoint Security
  • Update and Patch Systems: Regularly apply patches for vulnerabilities in network infrastructure, CMS platforms, and IP cameras, and treat cameras and display controllers as servers for patching purposes, since they are often left on vendor firmware for years.
  • Endpoint Detection and Response (EDR): Deploy EDR where it can run (CMS and display-management servers, administrator workstations); most cameras and many display controllers cannot host an agent, so cover them with network monitoring instead.
  • Network Segmentation: Put display servers, CMS systems, and IP camera networks in their own segments, reachable only from the management hosts that need them and never directly from the internet.
  • Traffic Filtering and IP Blocking: Block the known domains associated with ASA’s infrastructure, such as server-speed[.]com and vps-agent[.]net, and keep firewall and intrusion prevention system (IPS) rules current with threat intelligence feeds. Note that these two domains are the resellers’ storefronts; the servers ASA actually uses are rented addresses at BAcloud and Stark Industries Solutions/PQ Hosting that change over time, so domain blocks alone have limited effect.
  2. Email and Phishing Protection
  • Enhanced Email Filtering: Configure email gateways to flag attachments and links from unfamiliar senders and to apply stricter handling to messages on themes ASA favours (the Olympics, Israeli participation, political topics), routing them for review rather than relying on keyword blocks.
  • DMARC, SPF, and DKIM: Publish SPF and DKIM for every sending domain and a DMARC policy of p=reject once aggregate reports show legitimate mail is aligned; a DMARC record at p=none only monitors and does not stop spoofed mail from reaching users. Configure the gateway to enforce the policies of the domains it receives mail from.
  • Phishing Awareness Training: Conduct regular security awareness training, especially for people with access to high-value or public-facing resources (Olympic officials, display administrators), emphasising phishing detection and response.
  3. Threat Intelligence and Monitoring
  • IOC Monitoring and Threat Intelligence Sharing: Subscribe to threat intelligence feeds focused on Iranian threat actors, and actively monitor for IOCs like IPs, domain names, and file hashes linked to ASA’s operations. Participate in threat-sharing communities to stay updated on ASA’s evolving tactics.
  • User Behavior Analytics (UBA): Implement UBA solutions to detect abnormal behavior indicative of account compromise or insider threats, as ASA might use compromised credentials for access.
  4. Access Control and Authentication
  • Multi-Factor Authentication (MFA): Enforce MFA for all remote access, privileged accounts, and VPNs, reducing the risk of unauthorized access if credentials are compromised.
  • Least Privilege Principle: Limit access permissions to only what is necessary for users’ roles, particularly for high-risk accounts and systems (e.g., display servers and CMS platforms).
  • Secure Third-Party Access: For third-party partners and vendors, enforce strong security policies and review their access permissions periodically. Consider VPN or secure remote access solutions for third-party services, ensuring access logging and auditing.
  5. Infrastructure and Hosting Security
  • Hosting Providers and Resellers: ASA’s cover resellers rent from otherwise legitimate European providers, so vetting your own hosting vendor does not address this threat directly. What does help is reporting abuse to the upstream provider when ASA infrastructure is identified, and choosing providers with a working abuse process so that takedowns are possible when your own infrastructure is misused.
  • Geolocation Restrictions: Geographic blocking is of limited value against this group, whose servers sit in Lithuania, the United Kingdom, and Moldova rather than in Iran. Restrict management interfaces to known source addresses instead, and log and review connections from any region that has no business reason to reach them.
  • Logging and Incident Response Preparation: Enable comprehensive logging on all servers, especially those serving public displays or storing sensitive data, including every content change on the CMS together with the account that made it. Retain logs long enough to support investigation and forensic analysis.
  6. AI-Generated Content Detection
  • Image and Video Verification: Synthetic-media detectors can help triage, but they miss and misfire often enough that they should not be the control. The reliable defence for displays is that nothing reaches a screen without going through the organisation’s own content approval workflow; manipulated media that bypasses that workflow is detectable as an unauthorised change regardless of how it was produced.
  • Digital Content Monitoring: Continuously compare what display servers are actually serving against the approved content set, and alert on any file or playlist that differs. Monitor social media for re-use of the organisation’s branding in altered content as a separate stream.
  7. Incident Response and Preparedness
  • Develop and Regularly Test Incident Response Plans: Tailor response plans to address ASA-specific tactics, such as rapid shutdown and recovery of compromised display servers and immediate action steps for phishing attacks or unauthorized server access.
  • Run Tabletop Exercises: Conduct regular exercises simulating ASA’s attack scenarios, including data theft, website defacement, and information operations, to ensure the incident response team is prepared for real-world events.
  • Coordinate with Law Enforcement and Cybersecurity Agencies: Establish direct channels of communication with local law enforcement and national cybersecurity agencies. Reporting suspected ASA-related incidents may lead to timely assistance and additional threat intelligence.
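The DMARC, SPF, and DKIM recommendation above is the one control in this list that is easy to get wrong silently: a record that exists but sits at p=none or ends in ?all looks like coverage and provides none. The following Python checker is an added example, not part of the advisory, that parses SPF and DMARC TXT records and reports the settings that leave spoofing possible. It takes the record text as input rather than querying DNS, so it runs offline against the constructed records shown; in practice you would feed it the output of dig txt _dmarc.<domain>. The domain names and mailbox in the sample records are placeholders.

```python
import re
from typing import Dict, List

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}"""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt: str) -> List[str]:
    """Return the weaknesses in an SPF record; an empty list means nothing flagged."""
    findings = []
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' lets any host send as this domain")
    elif last == "?all":
        findings.append("'?all' is neutral: spoofed mail is neither passed nor failed")
    elif last == "~all":
        findings.append("'~all' softfail: receivers usually tag rather than reject (acceptable only with DMARC p=reject)")
    elif last != "-all" and not last.startswith("redirect="):
        findings.append("no terminal 'all' mechanism: the default result is neutral")
    # Count lookup-costing terms; qualifiers (+ - ~ ?) and arguments are stripped first.
    lookups = sum(
        1 for t in terms[1:] if re.split(r"[:=/]", t.lstrip("+-~?").lower())[0] in SPF_LOOKUP_TERMS
    )
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: over the limit of 10, receivers return permerror")
    return findings


def check_dmarc(txt: str) -> List[str]:
    """Return the weaknesses in a DMARC record; an empty list means nothing flagged."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    elif policy != "reject":
        findings.append("missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    sub = tags.get("sp")
    if sub is not None and sub.lower() != "reject":
        findings.append(f"sp={sub}: subdomains get a weaker policy than the organisational domain")
    return findings


# Constructed records with placeholder domains.  The weak pair is the kind of
# "set up and forgotten" configuration that lets spoofed mail through; the
# strong pair is the target once reports show legitimate mail aligns.
WEAK_SPF = "v=spf1 a mx include:_spf.example-mail.test ?all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example-mail.test -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.test; adkim=s; aspf=s"

if __name__ == "__main__":
    for name, record, checker in [("weak SPF", WEAK_SPF, check_spf), ("weak DMARC", WEAK_DMARC, check_dmarc),
                                  ("strong SPF", STRONG_SPF, check_spf), ("strong DMARC", STRONG_DMARC, check_dmarc)]:
        print(name, "->", checker(record) or ["ok"])
```

The sp= check is there because an organisation that moves its main domain to p=reject but forgets subdomains leaves the attacker a lookalike like olympics-update.example.test that still passes; the lookup count is there because an SPF record that exceeds ten lookups fails permanently at the receiver and is then effectively absent.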
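For the content-monitoring recommendation, here is an added example (not the advisory’s code and not any display vendor’s) of a baseline-and-diff check for a display content directory. It hashes every file, signs the manifest with an HMAC key that should be kept off the display host so that an attacker who can rewrite content cannot also rewrite the baseline, and reports files that were added, removed, or modified. The directory contents, file names, and key are constructed placeholders built in a temporary directory; the scenario simulates a playlist being repointed at injected media, which is the shape of the display compromise described above.

```python
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, List


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return manifest


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC over a canonical JSON encoding, so the baseline itself cannot be edited silently."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_manifest(manifest: Dict[str, str], signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def diff_against_baseline(root: str, baseline: Dict[str, str], signature: str, key: bytes) -> Dict[str, List[str]]:
    """Compare the live directory with a signed baseline; refuse an unsigned or tampered baseline."""
    if not verify_manifest(baseline, signature, key):
        raise ValueError("baseline manifest signature mismatch: do not trust it")
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current.keys() & baseline.keys() if current[p] != baseline[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline two files, then simulate a defacement and diff."""
    key = b"placeholder-key-keep-this-off-the-display-host"  # assumption: real key lives elsewhere
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "playlists"))
        with open(os.path.join(root, "playlists", "lobby.json"), "w") as f:
            f.write('{"items":["welcome.png"]}')
        with open(os.path.join(root, "welcome.png"), "wb") as f:
            f.write(b"\x89PNG placeholder")
        baseline = build_manifest(root)
        signature = sign_manifest(baseline, key)

        # Attacker repoints the playlist at injected media and drops the new file.
        with open(os.path.join(root, "playlists", "lobby.json"), "w") as f:
            f.write('{"items":["message.png"]}')
        with open(os.path.join(root, "message.png"), "wb") as f:
            f.write(b"\x89PNG injected")

        return diff_against_baseline(root, baseline, signature, key)


if __name__ == "__main__":
    print(demo())
```

Run it on a schedule against the live content path of each display controller and page on any non-empty result; refresh the baseline only from the approval workflow, never from the host itself, otherwise an attacker who changes content simply waits for the next baseline to absorb the change.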