State-sponsored actors from Iran have often been linked to cyberespionage campaigns targeting organizations globally. In a recent development, security researchers from Flashpoint discovered another state-sponsored ransomware operation from Iran, active since July 2020.
Flashpoint stated that Iran’s Islamic Revolutionary Guard Corps (IRGC) was operating a ransomware campaign via an Iranian contracting company, Emen Net Pasargard (ENP). The ransomware campaign, titled “Project Signal,” likely began operations between late July 2020 and early September 2020, with ENP’s internal research organization putting together a list of unspecified target websites.
“Iran has a history of attempting to use cybercriminal TTPs to blend in with non-state-sponsored malicious cyber activity to avoid attribution and maintain plausible deniability. It’s largely assumed that Iran has been behind multiple destructive and disruptive attacks in recent years; most notably the 2012 Shamoon attacks against Saudi Aramco and the 2012 Operation Ababil DDoS attacks against U.S. financial institutions,” Flashpoint said.
Flashpoint’s researchers validated three documents leaked between March 19 and April 1, 2021, which indicated that the IRGC was operating a state-sponsored ransomware campaign through ENP (also known as Imannet Pasargad, Iliant Gostar Iranian, and Eeleyanet Gostar Iranian).
“A leaked internal ENP spreadsheet showed that during this time, the group was researching three to four websites per day and that at the time the spreadsheet was written around twenty sites had been reviewed and analyzed by the Studies Center. Project Signal was also referenced in another spreadsheet showing that the project had been assigned to ENP’s Cyber Directorate, responsible for carrying out ENP’s offensive cyber operations. The transfer of the Signal project from the Studies Center to the Cyber Directorate demonstrated that the ransomware project had progressed from the research and planning phase to the operational phase,” Flashpoint added.
Link with Pay2Key Ransomware?
Flashpoint opined that the operators behind Project Signal have links with the infamous Iranian ransomware campaign Pay2Key, which targeted multiple Israeli firms across various sectors from November 2020. The researchers found financially motivated attributes in both the Project Signal and Pay2Key campaigns. Flashpoint found over six Israeli companies whose internal documents had been leaked as a result of Pay2Key ransomware attacks.