Cybersecurity researchers from Flashpoint detected a new state-sponsored ransomware operation, according to a new analysis published on May 30.
“Iran’s Islamic Revolutionary Guard Corps (IRGC) was operating a state-sponsored ransomware campaign through an Iranian contracting company called ‘Emen Net Pasargard’ (ENP),” cybersecurity firm Flashpoint said in an article. Researchers have analyzed three documents leaked by an anonymous entity named Read My Lips (aka Lab Dookhtegan) between March 19 and April 1 on its Telegram channel.
Researchers say the campaign, dubbed “Project Signal,” started sometime between late July 2020 and early September 2020. ENP’s internal research organization, named the “Studies Center,” kept a special list of websites that the campaign would target. The names of the targets have not been revealed.
One spreadsheet seen by Flashpoint explicitly stated that the project was financially motivated and that the ransomware operations were planned for late 2020, to run for a period of four days. Another document outlined the workflows, with detailed instructions on how the attackers were to receive Bitcoin payments from victims and decrypt the locked data.
It is not known whether the planned attacks went ahead, or who the targets were, if any.
However, the organizers of the campaign are known, as Flashpoint researchers write:
“ENP operates on behalf of Iran’s intelligence services providing cyber capabilities and support to Iran’s Islamic Revolutionary Guard Corps (IRGC), the IRGC Quds Force (IRGC-QF), and Iran’s Ministry of Intelligence and Security (MOIS).”
Despite the project’s ransomware themes, the researchers suspect the move may be a “subterfuge” intended to mimic the tactics, techniques, and procedures (TTPs) of cybercriminal ransomware groups. In their view, the motive was to make attribution harder, since Project Signal would look like many other campaigns in the cybercrime landscape.
Researchers note that Project Signal coincided with another Iranian ransomware campaign, called “Pay2Key,” against Israeli companies in November and December 2020. The cybersecurity firm ClearSky attributed those attacks to Fox Kitten. Given the lack of evidence, it is unknown whether there is any connection between the two campaigns.