Officials offer $10M reward for information on IRGC-linked leader and close associate

The State Department is seeking help to locate a pair of hackers allegedly working for Shahid Shushtari, a malicious cyber unit operating under Iran’s Revolutionary Guard Corps Cyber-Electronic Command. Officials are offering a reward up to $10 million for information about Mohammad Bagher Shirinkar and Fatemeh Sedighian Kashi.

“Help us take the smile off their faces,” the State Department’s Rewards for Justice program posted in a bulletin about the reward on social media last week. 

Shahid Shushtari has targeted multiple critical infrastructure operations, causing financial damage and disruption to businesses and government agencies spanning the news, shipping, travel, energy, financial and telecom sectors in the United States, Europe and the Middle East, officials said. 

The pair are accused of working closely together to plan and conduct cyberattacks of interest to the Iranian government. 

“Shahid Shushtari is the latest name for Emennet Pasargad which has undergone several front company renames over the last few years,” said Josh Atkins, tech leader of Middle East threat operations at Google Threat Intelligence Group, which tracks the group as UNC5866.

The unit, which is allegedly overseen by Shirinkar, was also previously known as Aria Sepehr Ayandehsazan, Ayandeh Sazan Sepehr Arya, Eeleyanet Gostar and Net Peygard Samavat Co.

Members of the unit allegedly targeted the U.S. presidential election with a multi-faceted campaign that got underway in August 2020, officials said. The unit has also conducted cyberespionage operations, including attacks that used a false-flag persona, the State Department said.

“Target industries are typically government but we’ve seen them target finance, healthcare, tech and generally anything of interest to the regime,” Atkins said. 

The Treasury Department previously designated Emennet, which it was known as at the time, and six of its members in late 2021 for sanctions related to the group’s efforts to influence the 2020 U.S. presidential election. 

The group, which is also tracked as Cotton Sandstorm and Haywire Kitten, has been active since 2018 and exhibited new tradecraft in preparation for future influence operations in 2023, the FBI, Treasury Department and Israel National Cyber Directorate said in a joint cybersecurity advisory in late 2024. 

“Operational tempo from UNC5866 is consistent with the last few years. They’ve been active in both phishing and malware delivery operations at a fairly consistent pace since 2020,” Atkins said.

“There are several groups like this,” he added. “The Iranian regime operates a number of contractors and while we believe that some elements of the regime operate under priorities with a longer horizon, IRGC and its contractors tend to be more reactive in nature, demonstrated by their rapidly evolving tradecraft.”

Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.
