Iranian hackers that tampered with 2020 election could once again target U.S., FBI warns

The group identified as Emennet Pasargad has been using "false-flag campaigns under the guise of multiple personas," the bureau said.
The Iranian national flag is seen outside the International Atomic Energy Agency (IAEA) headquarters during the agency's Board of Governors meeting in Vienna on March 1, 2021. (Photo by JOE KLAMAR/AFP via Getty Images)

An Iranian hacking group accused of attempting to interfere in the 2020 presidential election, and attacking an unnamed U.S. organization in early 2022, could once again be looking to infiltrate American targets, the FBI warned in a notice late Thursday.

The group identified as Emennet Pasargad has been using “false-flag campaigns under the guise of multiple personas” to target Israeli organizations in recent years and carry out hack-and-leak operations, the bureau said. The “FBI judges these techniques may be used to target US entities as seen during Emennet’s cyber-enabled information operation that targeted the 2020 US Presidential election.”

The warning comes as Iran faces dramatic internal protests raging for more than a month after the death of Mahsa Amini, who was detained by Iranian morality police over her public appearance, and subsequently died in police custody. Iranian leaders accuse the U.S. of using the crisis to destabilize the country, Reuters reported in September.

Thursday’s notice from the FBI included reference to “a destructive cyber attack against a U.S. organization” as evidence that “the group remains a cyber threat to the United States.”


The notice did not name the organization, but said the attack was a “means to target the Iranian opposition group The People’s Mujahedin (aka MEK).” That attack included the leaking of personally identifiable information and that the “activity resulted in destructive effects on victim infrastructure.”

The FBI on Friday declined to offer any additional detail related to this particular attack.

In late July, a hacktivist front group calling itself “Homeland Justice,” which researchers with Mandiant and then multiple governments have linked to Iran, attacked the government of Albania with destructive malware over its ongoing hosting of MEK members.

The government of Albania subsequently severed diplomatic ties with Iran over the affair, and the group continues to leak information stolen during the attack to its Telegram channel.

The Emennet Pasargad group has used at least two hacktivist personas to post and leak stolen information dating back to 2020, the FBI said. One, “Hackers of Savior,” posed as a pro-Palestinian hacktivist group “at several points” between May 2020 and April 2022, the FBI said. The other operated under a cyber-criminal persona known as “Deus” in 2021.


The FBI alert connected the front groups to Iran could help Israeli companies targeted by them receive compensation under the country’s compensation fund for damage sustained as a result of acts of hostility or war operations, said Omri Segev Moyal, a co-founder and CEO of Israeli incident response firm Profero Cyber Security.

“I think it’s amazing to see the FBI publicly attributing this attack group to Iran and Israeli entities can now use this fact requesting payback from the Israeli government,” he said in an online chat Friday, “as it’s now an act of terror or war.”

In November 2021, U.S. authorities unsealed indictments against two Iranian nationals, and announced sanctions against four more, as part of an Emennet Pasargad information operation during the 2020 U.S. presidential election.

During the operation, the Iranians gained access to confidential voter information from at least one state election website, and sent threatening emails to voters in Florida and Alaska purporting to be from the right-wing Proud Boys, the U.S. government said.

That operation included the Iranians’ plans to modify content on “dozens” of U.S. newspapers and other publications after the hackers gained access to the computer network of an unnamed media company that provides content management systems for “dozens” of other newspapers and other publications. The intrusion was detected and the hackers’ access revoked after the FBI notified the company of the breach, the U.S. government said.

Latest Podcasts