Researchers at Flashpoint have discovered a new state-sponsored ransomware operation backed by Iran's Islamic Revolutionary Guard Corps (IRGC) and run through an Iranian contracting company called “Emen Net Pasargard” (ENP) (aka “Imannet Pasargad,” “Iliant Gostar Iranian,” “Eeleyanet Gostar Iranian”). While Iran has been associated with various state-sponsored threat actors in the past, this would be its second state-sponsored ransomware operation, according to Flashpoint's analysis.
The operation goes by the moniker "Project Signal," based on three documents that were likely leaked by an anonymous entity named Read My Lips or Lab Dookhtegan between March 19 and April 1 via its Telegram channel. The documents indicate that the IRGC was operating a state-sponsored ransomware campaign through ENP. The operation is currently believed to have started between late July 2020 and early September 2020, with ENP’s internal research organization putting together a list of unspecified target websites.
Iran has a history of attempting to use cybercriminal TTPs to blend in with non-state-sponsored malicious cyber activity in order to avoid attribution and maintain plausible deniability. It is widely assumed that Iran has been behind multiple destructive and disruptive attacks in recent years, most notably the 2012 Shamoon attacks against Saudi Aramco and the 2012 Operation Ababil DDoS attacks against U.S. financial institutions, Flashpoint said.
Flashpoint also says that a second spreadsheet establishes the financial angle of the operation and lays out plans to launch the ransomware operations in late 2020, over a four-day period between Oct. 18 and 21. The spreadsheet also documents the entire workflow, including steps for receiving Bitcoin payments from ransomware victims and decrypting the locked data. The targets of the operation were not confirmed at the time.
"A leaked internal ENP spreadsheet showed that during this time, the group was researching three to four websites per day and that at the time the spreadsheet was written, around twenty sites had been reviewed and analyzed by the Studies Center. Project Signal was also referenced in another spreadsheet showing that the project had been assigned to ENP’s Cyber Directorate, responsible for carrying out ENP’s offensive cyber operations. The transfer of the Signal project from the Studies Center to the Cyber Directorate demonstrated that the ransomware project had progressed from the research and planning phase to the operational phase," Flashpoint added.
ENP operates on behalf of Iran's intelligence services, providing cyber capabilities and support to Iran's Islamic Revolutionary Guard Corps (IRGC), the IRGC Quds Force (IRGC-QF), and Iran's Ministry of Intelligence and Security (MOIS).
Researchers also suspect that the ransomware operation is more likely a "subterfuge technique" intended to mimic the tactics, techniques, and procedures (TTPs) of other financially motivated ransomware groups.
"As is true for ENP’s Project Signal, if Pay2Key is sponsored by Iran, it’s possible the appearance of financial motivation could have been an obfuscation technique designed to mimic a cybercriminal group. At this point in time, Flashpoint can neither confirm any attributes of Project Signal targets nor if there is any link between ENP’s Project Signal and Pay2Key," Flashpoint concluded in its analysis.