Accusing Iran of turning a blind eye to hackers, the U.S. government today unsealed an indictment against three men affiliated with the Islamic Revolutionary Guard Corps, accusing them of ransomware attacks on hundreds of victims in the United States and globally.
The indictment doesn’t accuse the trio – Mansour Ahmadi, 34; Ahmad Khatibi, 45; and Amir Hossein Nickaein, 30 – of acting at Tehran’s behest. One senior Department of Justice official speaking on condition of anonymity suggested to reporters the hackers were engaged in a financially motivated side project.
The Department of Treasury separately sanctioned the three Iranian men plus seven others and two companies affiliated with the Islamic Revolutionary Guard Corps. U.S. authorities say their attacks affected components of critical infrastructure including healthcare centers, transportation services and utility providers.
“It’s our position that this activity exists because of lack of neutral law enforcement oversight and interest in this activity,” on the part of Iranian authorities, the senior Justice official said.
Ahmadi, Khatibi and Nickaein are believed to be at liberty in Iran but federal authorities said the indictment will stop them from leaving the country for fear of arrest. “By publically naming them, we are stripping their anonymity away. They cannot operate anonymously from the shadows anymore. We have put a spotlight on them,” said Philip Sellinger, U.S. attorney for the District of New Jersey, during a press conference this morning. The Department of State’s Rewards for Justice program offered a $10 million reward for information leading to the location of any one of the three.
“The United States will not tolerate malicious cyber activities victimizing the backbone of the U.S. economy and critical infrastructure,” said Secretary of State Antony Blinken.
The indictment and sanctions come amid heightened diplomatic pressure on Tehran by the U.S. that include additional sanctions imposed Friday on Iran’s Ministry of Intelligence and Security for its role in a July cyberattack on Albania. Iran violated peacetime norms of cyberspace by attacking that country’s critical infrastructure, American officials said (see: US Sanctions Iranian Spooks for Albania Cyberattack).
The United States hopes to revive a 2015 deal limiting Iran’s nuclear weapon aspirations but Tuesday said it lacks “a willing partner in Iran.” Sellinger said he would not comment on the question of whether the indictment was timed with the arrival in the Newark, N.J., airport of Iranian diplomats headed to the United Nations.
Among the group’s alleged victims was a township in Union County, N.J., whose systems were infected with ransomware in February 2021. It also allegedly attacked an accounting firm based in Morris County, N.J. The defendants face charges including conspiracy to commit fraud in connection with computers, intentional damage to a protected computer and transmitting a ransomware demand that carry a combined maximum sentence of 20 years. Ahmadi faces an additional count of intentionally damaging a protected computer and another possible five years in prison.
Other victims include regional electric companies in Mississippi and Indiana – power delivery was unaffected – a domestic violence shelter in Pennsylvania, entities in the United Kingdom and Israel, and companies within Iran itself. Law enforcement has not frozen cryptocurrency wallets that may be associated with the gang.
The group’s activities are similar to those of named threat actors dubbed by researchers as APT35, Charming Kitten and Phosphorus, Treasury says. A cybersecurity advisory from the U.S. government and allies shows the group exploiting known bugs including ones in Fortigate appliances, Microsoft Exchange and the Log4j vulnerability in VMware Horizon systems.
The victims were targets of opportunity that happened to have a vulnerability in their network, a senior FBI official told reporters.
Once inside, the hackers deployed tools including Fast Reverse Proxy, software that exposes to the internet local servers kept behind a firewall. They also used Microsoft’s own data-at-rest encryption program BitLocker to maliciously lock up files. They left ransom notes as a text file or by using printers on the local network to produce a physical copy.