September 23, 2022
The US Justice Department has filed charges against three Iranian men living in Iran for hacking hundreds of organizations internationally, locking up their computers and demanding ransom payments to unlock them.
They even attacked a women’s shelter in Pennsylvania, which paid a ransom of one Bitcoin, then worth about $13,000, to get back its computer records, the Justice Department said September 14.
The indictment charges Mansour Ahmadi, 34, Ahmad Khatibi-Aghda, 45, and Amir-Hossein Nickaein-Ravari, 30, with carrying out attacks at least since October 2020 that included a Boston children’s hospital, a municipality in Union County, New Jersey, power companies in Mississippi and Indiana, a county government in Wyoming and an accounting firm based in Illinois as well as the domestic violence shelter in Pennsylvania.
Ransomware attacks also targeted organizations in other countries, including Britain, Israel, Russia and Iran.
The Justice Department said the victims numbered in the “hundreds.”
The hackers exploited known flaws in commonly used computer network devices and software applications to access and exfiltrate data, according to the 20-page indictment.
The department said the three defendants are likely still in Iran and haven’t been arrested.
FBI special agent James Dennehy said in a press briefing that the US government was offering a reward of $10 million for information leading to the arrest of the men, who he said were affiliated with companies operating in Iran that were “engaging in cybercrimes on a global scale.” A statement from the US Treasury Department identified those companies as Najee Technology Hooshmand Fater LLC and Afkar System Yazd Company.
According to prosecutors, the defendants hacked data in local networks and demanded payment in Bitcoin of as much as $500,000.
The hackers were named by the Treasury as having links to the Pasdaran. However, there was no evidence the alleged hacking operations were sponsored by the Iranian government, according to a senior Justice Department official. Rather, the official said, the hacks had been carried out “on the side” for personal gain. The official said the Iranian government does not discourage Iranians from hacking, as long as the targets are outside Iran. But the indictment did say these three had attacked targets inside Iran, though it named none of the victims there. The Pasdaran may not have known their contractors were attacking Iranians—but they do now.
John Hultquist, vice president of intelligence at the cybersecurity firm Mandiant, told Bloomberg News his firm has been tracking the hackers for some time. “We believe these organizations may have been moonlighting as criminals in addition to their status as contractors in the service of the IRGC,” he said in a statement. “The IRGC leans heavily on contractors to carry out their cyber operations.”
The indictment doesn’t specify how much money the hackers extracted from those they attacked. The Treasury Department says it knows of victims paying $590 million in ransom in 2021 to multiple hacking groups from all around the world, and knows that isn’t the full total.
Separately, the Treasury Department applied sanctions to the three men, their two companies and seven other employees of the two firms. The sanctions are the usual token actions—all property in the US owned by those sanctioned is blocked, and US citizens are banned from doing any business with those sanctioned.
And the Department of State offered a reward of up to $10 million for information leading to the location of those sanctioned.
Officials said that by indicting, sanctioning and offering the reward they hope to discourage future attacks. They said the Iranian group was still operating when the indictments were handed down. And they issued a document citing the vulnerabilities the hackers exploited, including flaws in the Microsoft Exchange email program, in hopes that more organizations would protect themselves.
In Tehran, the Foreign Ministry said it “strongly condemns” the US actions, adding that “resorting to baseless campaigns and propagating false data are part of a failed Iranophobic plot hatched by the US Administration.”
This is the third time the US Justice Department has indicted members of Iranian hacking groups in Iran.
In 2016, it charged seven Iranian hackers for cyberattacks against US financial institutions and a US dam just north of New York City, though the hackers may not have known the dam and reservoir were very small and a dam failure would not have done damage to New York City.
In 2018, it charged another hacking ring that prosecutors said spent years pilfering research documents from more than 100 American universities and government agencies.