The FBI this week issued a private industry notification to warn organizations about the malicious activities conducted by an Iranian cyber company named Emennet Pasargad.
The agency has described their tactics, techniques and procedures (TTPs) and it has shared several recommendations for preventing and detecting attacks.
In November 2021, the U.S Treasury Department announced sanctions against six Iranian nationals and a company involved in a campaign whose goal was to influence the 2020 presidential election.
The company in question is Emennet Pasargad, previously known as Eeleyanet Gostar and Net Peygard Samavat — the company has regularly rebranded to evade U.S. sanctions. Emennet has provided cybersecurity services within Iran, including to government organizations.
On the day the Treasury announced the sanctions, the Justice Department announced charges against two of Emennet’s employees, who were allegedly responsible for hacking and misinformation activities related to the presidential election.
In the alert issued this week, the FBI noted that in addition to its election-focused operation, the Emennet threat actor conducted “traditional cyber exploitation activity,” targeting sectors such as news, shipping, travel, oil and petrochemical, telecoms, and financial. They targeted the United States, Europe and the Middle East.
The hackers leveraged various VPNs to hide their location, and used several open source and commercial tools in their operations, including SQLmap, Acunetix, DefenseCode, Wappalyzer, Dnsdumpster, Netsparker, wpscan, and Shodan.
In the reconnaissance phase of their hacking operations, the threat actor chose potential victims by searching the web for major organizations representing various sectors. They would then try to find vulnerabilities in their software for initial access.
“In some instances, the objective may have been to exploit a large number of networks/websites in a particular sector as opposed to a specific organization target. In other situations, Emennet would also attempt to identify hosting/shared hosting services,” the FBI said.
The hackers were also observed targeting popular content management systems such as WordPress and Drupal, as well as exposed databases. In many cases they attempted to use default passwords to gain access to a targeted system.
“FBI information indicates the group has attempted to leverage cyber intrusions conducted by other actors for their own benefit. This includes searching for data hacked and leaked by other actors, and attempting to identify webshells that may have been placed or used by other cyber actors,” the FBI said.
Related: U.S., U.K. and Australia Warn of Iranian APTs Targeting Fortinet, Microsoft Exchange Flaws
Related: U.S. Imposes Sanctions on ‘APT39’ Iranian Hackers
Related: Twitter Removes Iran-Linked Accounts Aimed at Disrupting U.S. Presidential Debate

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
- Apple Patches Exploited iOS Vulnerability in Old iPhones
- FBI Confirms North Korean Hackers Behind $100 Million Horizon Bridge Heist
Latest News
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
- Tenable Launches $25 Million Early-Stage Venture Fund
- 820k Impacted by Data Breach at Zacks Investment Research
- Mapping Threat Intelligence to the NIST Compliance Framework Part 2
- Hive Ransomware Operation Shut Down by Law Enforcement
- US Government Agencies Warn of Malicious Use of Remote Management Software
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
