Iranian Disinformation Privatized
How a Small IT Company Wound up at the Crossroads of Tehran's Cyber and Disinformation Narratives
Think back to the run-up to the 2020 U.S. presidential election. Whether you watched the news or not, you probably heard that state-backed actors were yet again trying to influence who would become president. First in 2016 and then in 2020, the Russians used hack-and-leaks and social media manipulation to support candidates favorable to the Kremlin’s interests. Because of this, whenever the words “election” and “disinformation” are used in the same sentence, only the Russians seem to come to mind. But that’s wrong.
Iran has largely managed to evade international attention for its attempted interference in the 2020 election. In the run-up to that election, the Iranians hacked voting records, ran disinformation campaigns, and directly targeted U.S. government officials, illustrating a level of technical sophistication we hadn’t previously seen from Tehran. According to the U.S. Directorate of National Intelligence (DNI), Iran didn’t necessarily have a preferred candidate in 2020, but was rhetorically opposed to former President Trump, likely because of his strident opposition to the Joint Comprehensive Plan of Action (JCPOA) nuclear deal and his “maximum pressure” sanctions against Iran. More than anything, Tehran sought to create panic, sow division, and broadly undermine Americans’ faith in their institutions. And by those metrics, Iran’s efforts didn’t fare too badly.
Background: Caught in the Act
On November 18th, 2021, the U.S. Treasury Department sanctioned Iranian IT company Emennet Pasargad for interfering in the 2020 presidential election. Treasury said it had evidence the company had impersonated the far-right extremist group The Proud Boys in emails threatening thousands of prospective voters in Florida. In an attempt to lend further credence to this scheme, the company also created a fake Proud Boys hacking video. Ultimately, the video led to the discovery that Iran was responsible after Iranian hackers failed to fully obscure their IP address. In the video, an Emennet Pasargad operator impersonates a supposed Proud Boys-affiliated hacker to the tune of Metallica's "Enter Sandman." The operator then (falsely) demonstrates how one could easily hack into U.S. voting machines.
Although the fake Proud Boys emails garnered a lot of media attention, the company was also seeking to undermine the 2020 elections in a number of other parallel schemes. Around the same time, Emennet Pasargad also targeted elections infrastructure in 11 states and reportedly succeeded in stealing 100,000 “voting records” from Alaska. It also attempted to hack Lee Enterprises, one of the U.S.'s largest newspaper publishers, along with several U.S. senators' email accounts. It is possible that Emennet Pasargad tried to hack these entities in order to use their digital assets as vehicles for disseminating fake articles, editorials, and letters.
Election 2020: Not Emennet Pasargad’s First Rodeo
While Emennet Pasargad’s 2020 foray was a major escalation in Iranian influence operations, there are some indications the company has been actively targeting the U.S. since at least 2014. In 2019, the U.S. sanctioned Emennet Pasargad under its old name, Net Peygard Samavat. Also sanctioned were Net Peygard Samavat senior manager Mohammad Bagher Shirinkar and the company’s CEO Behzad Mesri, both in connection with hacks that targeted the coworkers of ex-Air Force intelligence officer—and defector to Iran—Monica Witt. Witt herself was indicted in 2019 for her role in assisting the company, then operating under its previous name.
Net Peygard Samavat’s CEO Behzad Mesri also appears to have a history of freelancing. In 2017, the Southern District of New York announced Mesri (or those working on his behalf) had hacked HBO, stole unreleased episodes of “Game of Thrones,” and demanded $6 million worth of Bitcoin as ransom. Multiple cybersecurity research firms have postulated that Mesri was, and may still be, linked to the hacking group APT35 (Charming Kitten or Phosphorus). If this is indeed the case, a slew of prior operations previously linked to APT35 may in fact have been the work of Net Peygard Samavat, or—as we know the company now—Emennet Pasargad.
Emennet Pasargad’s Longstanding Connections to Iranian Hackers and the IRGC
Miburo has examined a loosely connected professional and social network that encompasses subsets of Iran’s Islamic Revolutionary Guard Corps (IRGC), its subsidiaries, Emennet Pasargad, and the company’s possible cyber accomplices APT35 and TA456 (Tortoiseshell).
The company is connected to the IRGC through at least two different avenues: The first is through the IRGC’s Bonyad Taavon Sepah—also known as the IRGC Cooperative Foundation (IRGC-CF). The second is via the IRGC Electronic Warfare Cyber Defense Organization (IRGC-EWCD). Because Emennet Pasargad maintains multiple points of contact with the IRGC and was entrusted with a highly sensitive role in the 2020 U.S. elections, there is reason to believe it is also likely involved in other high-profile external-facing IRGC cyber operations.
The IRGC-CF has likewise been linked to an Iranian IT company called Pazhooheshgaran Pooya Electronic Pardis Engineering Company (henceforth “Pazhooheshgaran”).[1] Several Pazhooheshgaran employees hold additional positions at organizations that have previously been sanctioned by the U.S. government. For example, Pazhooheshgaran board member Ismail Rahimi has held positions at two other Iranian IT companies of import: Ilia Net Gostar Atiq and Mahak Rayan Afraz. Ilia Net Gostar Atiq is a subsidiary of Ilia Net Gostar, as both are owned by an Iranian named Mustafa Sarmadi. Ilia Net Gostar is, for all intents and purposes, the same company as Emennet Pasargad, as the two companies share an address and appear to have significant staff overlap. In late 2021, Facebook identified another Rahimi-operated company, Mahak Rayan Afraz, as the supplier of hacking tools to TA456, which was actively targeting defense contractors with phishing emails. Further, according to the cyber firm IronNet, TA456 shows many similarities to APT35, the hacking group linked to Behzad Mesri, the CEO of Net Peygard Samavat.
Considering these links, Emennet Pasargad may be involved in a number of well-publicized hacks, including those targeting Middle Eastern states, medical researchers, academics, human rights activists, and even the Trump campaign itself. As such, Emennet Pasargad and its leadership may act as a key node for Tehran, tying its hacking initiatives to its disinformation campaigns.
Why Would the IRGC Invest in an IT Company?
We know that Emennet Pasargad is connected to the IRGC. What we don’t know is why the IRGC is so interested in using what looks to be a relatively small IT company to facilitate some of Iran’s most aggressive cyber actions.
While the IRGC is known as Iran’s preeminent fighting force—of late seizing oil tankers and facilitating weapons shipments to Iran's regional allies—it also plays a significant role in multiple sectors of the Iranian state. Beyond leading conventional military operations and usurping Iran's financial markets, the IRGC, alongside Iran’s Ministry of Intelligence and Security (MOIS), has become one of Iran's leading offensive cyber actors.
The relationship between MOIS and the IRGC has long been a competitive one. Amid this struggle for control, the use of organizations like Emennet Pasargad may signal IRGC efforts to cultivate a parallel stable of hacking groups and information operations capabilities. The IRGC-Electronic Warfare and Cyber Defense Organization (IRGC-EWCD) likely maintains its connection with Emennet Pasargad so that Iran can have its cake and eat it too. By conducting influence operations through third-party private entities like Emennet Pasargad, Iran maintains plausible deniability when operations go awry and is also able to point these companies in specific directions to develop specific cyber tools or campaigns.
The 2022 Midterms and Beyond
With the 2022 U.S. Midterm elections just around the corner, Iran could again use Emennet Pasargad (or another company like it) to pursue Iranian strategic interests. And while U.S. sanctions will slow Iran's cyber influence operations, they are unlikely to halt them completely. Emennet Pasargad's management has already withstood sanctions. Each time, they’ve simply changed their company's name and seemingly continued business as usual. Moreover, its multiple connections to the IRGC—through both its foundation and cyber commands—have continued the flow of resources to what appear to be shell companies which effectively shield specific actors from any meaningful retribution.
Iran’s capacity to target and intimidate thousands of Americans should not be underestimated. With the backing of the state, a small cadre of influence operatives, and some tenacity, even small, modestly resourced firms have shown themselves capable of success.
[1] Changes announcement for Pouya Electronic Researchers Engineering Company, Pardis Private Joint Stock Company. Registration number 797, national ID: 10102438742. Iran Rooznameh Gazette, 2015-10-20.