3 Iranian citizens charged in broad hacking campaign in US

Iranian cyber actors Khatibi, Mansour Ahmadi, and Amir Hossein Nickaein Ravari wanted for their alleged involvement. (AFP/State Department)
1 / 2
Iranian cyber actors Khatibi, Mansour Ahmadi, and Amir Hossein Nickaein Ravari wanted for their alleged involvement. (AFP/State Department)
The flags of Iran flutter during a sandstorm in the south of the capital Tehran on July 4, 2022. (AFP)
2 / 2
The flags of Iran flutter during a sandstorm in the south of the capital Tehran on July 4, 2022. (AFP)
Short Url
Updated 15 September 2022
Follow

3 Iranian citizens charged in broad hacking campaign in US

The flags of Iran flutter during a sandstorm in the south of the capital Tehran on July 4, 2022. (AFP)
  • Mansour Ahmadi, Ahmad Khatibi and Amir Hossein Nikaein are citizens of Iran who own or are employed by private technology companies in the country
  • Treasury Department also sanctioned 10 individuals and two entities affiliated with Iran’s Islamic Revolutionary Guard

WASHINGTON: The Justice Department said Wednesday that three Iranian citizens have been charged in the United States with ransomware attacks that targeted power companies, local governments and small businesses and nonprofits, including a domestic violence shelter.
The charges accuse the hacking suspects of targeting hundreds of entities in the US and around the world, including inside Britain, Australia, Iran, Russia and the US, encrypting and stealing data from victim networks, and threatening to release it publicly or leave it encrypted unless exorbitant ransom payments were made. In some cases, the victims made those payments, the department said.
But a separate US Treasury announcement of sanctions said the three were part of a larger hacking group tied to Iran’s powerful Islamic Revolutionary Guard Corps (IRGC), and the US State Department has offered a $10 million reward for information on them.
The indictment identified the three as Mansour Ahmadi, Ahmad Khatibi Aghda, and Amir Hossein Nikaeen Ravari.
It said that between October 2020 and August 2022, the men used known vulnerabilities in computer systems to attack multiple targets in the United States, stealing their data and demanding up to hundreds of thousands of dollars to have it returned.
Those included local governments, a shelter for victims of domestic violence, a children’s hospital in Boston, accounting firms and electricity generating companies.
The victims were not methodically chosen but were “targets of opportunity” whose computer systems were vulnerable to hacking, officials said.
“The indictment does not allege that these actors undertook these actions on behalf of the Government of Iran,” a senior Justice Department official told reporters.
The three “engaged in a pattern of hacking, cyber-theft, and extortion largely for personal gain,” FBI Director Chris Wray said in a separate statement.
But a concurrent announcement by the US Treasury said the three were part of a group of 10 Iranian hackers targeted with sanctions that was backed by the Revolutionary Guards.
“This IRGC-affiliated group is known to exploit software vulnerabilities in order to carry out their ransomware activities, as well as engage in unauthorized computer access, data exfiltration, and other malicious cyber activities,” the Treasury said.
Their actions align with those of known Iranian cyberattack operations which private cybersecurity groups have dubbed “APT35,” “Charming Kitten” and “Phosphorous,” Treasury added.
The Biden administration has tried to go after hackers who have held US targets essentially hostage, often sanctioned or sheltered by adversaries. The threat gained particular prominence in May 2021 when a Russia-based hacker group was accused of conducting a ransomware attack on Georgia-based Colonial Pipeline, which disrupted gas supplies along the East Coast.
Iran-based hackers have also been a focus over the last year, with the FBI last year thwarting a planned cyberattack on a children’s hospital in Boston that was to have been carried out by hackers sponsored by the Iranian government.
“The cyber threat facing our nation is growing more dangerous and complex every day,” FBI Director Christopher Wray said in a statement accompanying the indictment unsealed Wednesday. “Today’s announcement makes clear the threat is both local and global. It’s one we can’t ignore and it’s one we can’t fight on our own, either.”
the Treasury Department’s Office of Foreign Assets Control sanctioned 10 individuals and two entities affiliated with Iran’s Islamic Revolutionary Guard Corps who it says have been involved in malicious cyber activities, including ransomware. The Treasury Department identified the three defendants in the Justice Department case as employees of a technology firm it says is affiliated with the Revolutionary Guard.
John Hultquist, vice president for threat intelligence at the cybersecurity firm Mandiant, said his team has been tracking the Iranian actors for some time and assessed they are contractors for the Revolutionary Guard who have been moonlighting as criminal hackers.
The actions come amid an apparent stalemate in talks between the US and Iran over the possible revival of a 2015 nuclear deal. Israel and some US lawmakers of both parties are pushing the Biden administration to get tougher on Iran, calling the negotiations on Iran’s nuclear program a failure.
The three accused hackers are thought to be in Iran and have not been arrested, but the Justice Department official said the pending charges make it “functionally impossible” for them to leave the country.
(With AFP and AP)