The Digital Tactics of Iran: Artificial Intelligence, Fake Hosting, and Psychological Warfare

An advisory released by U.S. and Israeli cybersecurity agencies has linked an Iranian cyber group to activities aimed at disrupting the 2024 Summer Olympics and influencing a French commercial display provider with anti-Israel messages.

Inside Iran’s Cyber Playbook: AI, Fake Hosting, and Psychological Warfare

Referred to as Emennet Pasargad, the group, operating under the alias Aria Sepehr Ayandehsazan (ASA), has been engaging in such activities since mid-2024. It is recognized in the cybersecurity realm as Cotton Sandstorm, Haywire Kitten, and Marnanbridge.

According to the advisory, the group utilized various tactics, including the use of artificial intelligence tools such as Remini AI Photo Enhancer, Voicemod, Murf AI for voice adjustments, and Appy Pie for propaganda dissemination during and after the 2024 Summer Olympics.

The threat actor believed to be associated with Iran’s Islamic Revolutionary Guard Corps (IRGC) has been identified by several aliases such as Al-Toufan, Anzu Team, and Cyber Cheetahs, engaging in various cyber and influence operations.

Of particular note is their use of false hosting resellers to establish server infrastructure for their operations and to provide hosting services to affiliates, as seen in the case of Hamas-linked websites hosted by an entity in Lebanon.

Specifically, the group exploited providers like ‘Server-Speed’ and ‘VPS-Agent’ to conceal their activities and manage their infrastructure effectively.

In July 2024, the French commercial display provider was targeted by the group using VPS-agent infrastructure to disseminate disparaging content against Israeli athletes participating in the 2024 Olympic Games.

Moreover, ASA’s attempts to reach out to Israeli hostage families post Israeli-Hamas conflict in October 2023, under the guise of Contact-HSTG, raised concerns over psychological manipulation.

A persona known as Cyber Court was also associated with promoting cover-hacktivist groups’ activities via a Telegram channel and a dedicated website named “cybercourt[.]io”.

Both domains, vps-agent[.]net and cybercourt[.]io, have been seized in a joint law enforcement operation led by the U.S. Attorney’s Office for the Southern District of New York (SDNY) and the FBI.

In the wake of the conflict, ASA made efforts to gather information from IP cameras in Israel, Gaza, and Iran, with a specific focus on Israeli fighter pilots and UAV operators through various online platforms.

The U.S. Department of State has announced a reward of up to $10 million for information leading to the identification or location of individuals linked to an IRGC-associated hacking group named Shahid Hemmat, known for targeting U.S. critical infrastructure.

According to the announcement, Shahid Hemmat has been involved in cyber attacks against U.S. defense and transportation sectors, alongside other individuals and entities affiliated with IRGC-CEC.