Introduction
The Iranian state-sponsored threat actor known as Cotton Sandstorm [1], also tracked as Emennet Pasargad and operating under the alias Aria Sepehr Ayandehsazan (ASA), continues to conduct cyber operations. Using new tradecraft, including generative AI tools [3], the group has expanded its targeting from primarily Israeli organizations to an international scope covering Israel, France [3], Sweden [3], and the United States. This expansion includes activity related to the upcoming US Presidential Election and the 2024 Paris Olympics.
Description
Iranian state-sponsored threat actor Cotton Sandstorm [3], also known as Emennet Pasargad and operating under the alias Aria Sepehr Ayandehsazan (ASA) [5], is employing new tradecraft [5], including generative AI tools [3], against target networks [3]. The group has shifted from ‘hack and leak’ operations aimed mainly at Israeli organizations to a broader range of attacks across multiple countries [3], including Israel [1] [3] [4] [5], France [3], Sweden [3], and the US [3]. This includes scouting US election-related websites and media outlets in preparation for potential influence operations ahead of the Presidential Election [3]. Cotton Sandstorm has also targeted the 2024 Paris Olympics [3], compromising a French commercial dynamic display provider to disseminate anti-Israel messages, and has harvested content from IP cameras.
Since mid-2024 [3] [4], ASA has used a range of AI software [4], such as Remini AI Photo Enhancer for image enhancement [4] [5], Voicemod and Murf AI for voice modulation [4] [5], and Appy Pie for image generation, to produce propaganda [4] [5]. The online persona “Cyber Court” has been used to promote the activities of various hacktivist groups protesting the Israel-Hamas conflict through a Telegram channel and a dedicated website, cybercourt.io [4]; the FBI has linked Cotton Sandstorm to these hacktivist activities since April 2024. The group has also set up fictitious hosting resellers [1] [5], including VPS-Agent and Server-Speed [5], to provision operational server infrastructure both for its own activities and for an associated actor in Lebanon involved in website hosting [1]. Infrastructure provisioned through such front companies presents as ordinary commercial hosting, so reseller branding alone says nothing about who actually operates a server.
Cotton Sandstorm is assessed to be part of Iran’s Islamic Revolutionary Guard Corps (IRGC) [5], which conducts offensive cyber operations on behalf of Tehran [3]. Following the outbreak of the Israel-Hamas war [5], ASA attempted to contact family members of Israeli hostages in order to inflict psychological trauma [5]. The group has also run a data-theft campaign in which it offers to delete individual victims’ data from its repository for a fee, a notable departure from its earlier operations [2]. Microsoft’s Digital Defense Report 2024 likewise connects Cotton Sandstorm to the IRGC [3] and documents its role in a range of malicious cyber operations. Separately, the US Department of State has offered a reward for information on individuals associated with Shahid Hemmat [5], another IRGC-linked hacking group that targets US critical infrastructure [5].
Conclusion
Cotton Sandstorm’s activity illustrates how state-sponsored cyber threats evolve: the group’s adoption of AI tools, its use of front hosting companies, and its expansion to international targets raise the bar for defenders and for the international cooperation needed to counter such operations. As geopolitical tensions continue to shape cyber operations, understanding and countering actors of this kind remains essential to protecting critical infrastructure and maintaining global security.
References
[1] https://thecyberwire.com/newsletters/daily-briefing/13/208
[2] https://assured.co.uk/2024/trouble-squared-what-happens-when-nation-states-and-cyber-criminals-work-together/
[3] https://www.infosecurity-magazine.com/news/us-israel-iran-new-tradecraft/
[4] https://thehackernews.com/2024/11/inside-irans-cyber-playbook-ai-fake.html
[5] https://www.ihash.eu/2024/11/ai-fake-hosting-and-psychological-warfare/