U.S. government takes sweeping action against Iranian hackers accused of ransomware spree
The U.S. government on Wednesday announced wide-ranging punitive actions against 10 Iranians and two Iranian companies — including sanctions, indictments and multiple $10 million rewards — related to a spree of breaches and ransomware attacks around the U.S. dating to October 2020.
All 10 people and the two companies are affiliated with Iran’s Islamic Revolutionary Guard Corps, the U.S. Treasury Department said in a statement.
The actions come less than a week after the U.S. government sanctioned Iran’s Ministry of Intelligence and Security and the Minister of Intelligence, Esmail Khatib, in response to Iranian-linked cyberattacks on Albania in July. The sanctions followed the Albanian government’s decision to cut diplomatic ties with Iran over the attacks, which included ransomware attacks and wiper attacks on multiple Albanian agencies.
A request for comment sent to the Permanent Mission of Iran at the United Nations was not immediately returned.
According to an indictment unsealed today, Mansour Ahmadi, Ahmad Khatibi and Amir Hossein Nickaein Raviri “engaged in a scheme to gain unauthorized access to the computer systems of hundreds of victims in the United States, the United Kingdom, Israel, Iran, and elsewhere, causing damage and losses to the victims,” according to a Department of Justice statement.
Each face charges of conspiring to commit computer fraud and related activity in connection to computers, intentionally damaging a protected computer and transmitting a demand in relation to damaging a protected computer. Ahmadi faces an additional count of intentionally damaging a protected computer, the DOJ said.
The State Department’s Rewards for Justice announced rewards of up to $10 million each for information on the suspects’ location, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released a detailed breakdown of technical indicators associated with the activity.
The scheme, outlined in a 20-page indictment, targeted “hundreds” small businesses, government agencies, nonprofit organizations, religious institutions and “multiple critical infrastructure sectors, including healthcare centers, transportation services, and utility providers,” the DOJ said. Specific victims include a regional electric utility company in Mississippi and an electric utility company in Indiana, a public housing corporation in Washington and a shelter for victims of domestic violence in Pennsylvania.
“To these sorts of actors, nothing is off-limits,” FBI Director Christopher Wray said in a video message posted Wednesday. “Not even, for example, Boston Children’s Hospital, which they set their sights on in the summer of 2021. Fortunately, before they could successfully launch their attack, we received a tip from a partner that the hospital had been targeted.”
“While indictments such as these may not have a significant impact, they nonetheless help,” said Brett Callow, a threat analyst at cybersecurity firm Emsisoft. “There’s no silver bullet to ransomware. Solving the problem requires action on multiple fronts to target threat actors, their infrastructures and their supply chains. While ransomware will not cease to be overnight, or possibly ever, we are now seeing more effective action being taken, and that’s a good thing.”
The three defendants — along with seven others — were also sanctioned in connection with the allegations. Afkar System Yazd Company, owned by Khatibi, and Najee Technology Hooshmand Fater LLC, owned by Mansour, were also sanctioned, and the FBI issued an official wanted notice:
Earlier Wednesday, researchers with the Secureworks Counter Threat Unit Research Team released an analysis discussing at least part of the ransomware activity confirmed by the U.S. government. The research showed that the name “ahmad khatibi” was included in the metadata in a ransom note created in December 2021, along with time zone data corresponding to Iran Standard Time.
Khatibi’s LinkedIn profile lists him as CEO of Afkar System, the Secureworks researchers said.
“We’ve seen first-hand the damage this group can wreak, how they’ve blurred the lines between e-crime and espionage,” Rafe Pilling, the senior security researcher with the Secureworks Counter Threat Unit, told CyberScoop Wednesday after the government’s news went public. “Oftentimes it can seem that threat groups can act without fear of any consequences. Indictments such as today’s are important in showing that’s not the case. I would caution that whilst the indictment is a welcomed step, it doesn’t dissolve the threat — companies need to remain vigilant.”
Secureworks noted that this summer, an anti-Iranian regime whistleblower persona, Lab_Dookhtegan, shared information on the company. On June 15, the Lab_Dookhtegan Telegram channel posted phone numbers and an address for Afkar System, and had previously shared information on Najee Technology.
A representative of the group told CyberScoop Wednesday in an online chat that “we sent information to the FBI,” but did not elaborate.
“Though the company says that it is a regular company (photos attached), this company is actually a cover company for the Intelligence Organization of Sepah,” the persona said in its Telegram post. “These two companies (Najee Technology and Afkar System) do cyber-attacks for the Intelligence Organization of Sepah,” referring to an internal IRGC unit.
The Treasury Department said in its statement that although the people named Wednesday do not “directly align” with a named threat group, some of the activity can be partially attributable to activity tracked by various private cybersecurity companies as known threat groups known as APT35, Charming Kitten, Nemesis Kitten, Phosophorus and Tunnel Vision.
John Hultquist, the vice president of Intelligence for cybersecurity firm Mandiant, said in a statement Wednesday that the indictments focus on “criminal activity of Iranian actors Mandiant has tracked for some time” under the designation of UNC2448.
“We believe these organizations may have been moonlighting as criminals in addition to their status as contractors in the service of the [Islamic Revolutionary Guard Corps],” Hultquist said. “The IRGC leans heavily on contractors to carry out their cyber operations.”
The group has carried out “brazen, widespread vulnerability scanning” against targets in the U.S., Canada, Israel, UAE and Saudi Arabia,” Hultquist said. “More often than not, they are monetizing their access, but their relationship to the IRGC makes them especially dangerous. Any access they gain could be served up for espionage or disruptive purposes.“
Update, 9/14/22: To include comments from FBI Director Christopher Wray and Lab Dookhtegan.