The US Department of Justice (DOJ) has unsealed an indictment charging three Iranian cybercriminals with orchestrating a series of attacks, running from October 2020 to the present, that gave them access to the computer networks of multiple US entities. The three, Mansour Ahmadi, a.k.a. Mansur Ahmadi, 34; Ahmad Khatibi Aghda, a.k.a. Ahmad Khatibi, 45; and Amir Hossein Nickaein Ravari, a.k.a. Amir Hossein Nikaeen, a.k.a. Amir Hossein Nickaein, a.k.a. Amir Nikayin, 30, not only attacked hundreds of victims in the United States but also entities in Israel, the United Kingdom, Russia, and Iran itself.
The five-count indictment, filed on August 10, 2022, and unsealed on September 14, alleges that the trio gained access to victims’ networks and denied them access unless they paid a ransom. They successfully targeted infrastructure entities, including healthcare, transportation, and utilities; in addition, they “victimized a broad range of organizations including small businesses, government agencies, non-profit organizations, and educational and religious institutions.” The identified goals included:
- Control of the victim’s systems
- Theft of the victim’s data
- Damage to the victim’s computers (by encrypting data)
- Extortion – demanding ransom payments in exchange for decrypting the victim’s data or maintaining the confidentiality of the victim’s stolen data
The indictment goes on to describe how the defendants would create fictitious entities whose names looked or sounded like those of legitimate companies, register the matching domains, and then use the resemblance to spoof the target and gain access to its network. Once inside the network, they would use the resident BitLocker application to encrypt the victim’s data. In at least one instance, the cybercriminals used a novel means of delivering their ransom note: they printed it on the victim’s network printer:
“A. You read this text because your network is accessible to us.”
“B. We can block re-hacking. You are constantly at risk.”
“C. If you want to secure your network against any hacking and get your encryption codes, Contact us.”
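The indictment describes the attackers encrypting data with the BitLocker tooling already present on the victim’s Windows hosts, which means the defender’s first question is whether the organization, rather than whoever ran the encryption, holds the recovery keys. The following script is an added defensive example, not code from the indictment, the DOJ or CISA: it audits every BitLocker volume on a host, flags volumes that are encrypted or still encrypting without a recovery password protector, and escrows existing recovery passwords into Active Directory. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later), an elevated session and, for the escrow step, a domain-joined host whose AD schema stores BitLocker recovery information; the function names `Get-BitLockerAudit` and `Backup-RecoveryProtectorsToAD` are this example’s own.

```powershell
# Added defensive example (not from the indictment or the CISA alert).
# Requires the BitLocker module and an elevated session.
Import-Module BitLocker

function Get-BitLockerAudit {
    # One record per volume, with the states a defender cares about
    # when built-in BitLocker may have been used against the organization.
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeStatus      = $vol.VolumeStatus
            ProtectionStatus  = $vol.ProtectionStatus
            ProtectorTypes    = ($vol.KeyProtector.KeyProtectorType -join ',')
            HasRecoveryPass   = [bool]$recovery
            # Encryption still running is the window in which an
            # unexpected, attacker-initiated encryption can be interrupted.
            EncryptionRunning = ($vol.VolumeStatus -eq 'EncryptionInProgress')
            # Anything other than a fully decrypted volume with no recovery
            # password protector has no key the organization could escrow.
            Unrecoverable     = ($vol.VolumeStatus -ne 'FullyDecrypted') -and -not $recovery
        }
    }
}

function Backup-RecoveryProtectorsToAD {
    # Escrow every recovery password protector into Active Directory so
    # the organization holds a copy regardless of who created it.
    foreach ($vol in Get-BitLockerVolume) {
        $protectors = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        foreach ($kp in $protectors) {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
        }
    }
}

# Usage: print the audit, then warn on the volumes that need a human's attention.
$audit = Get-BitLockerAudit
$audit | Format-Table -AutoSize
$audit | Where-Object { $_.EncryptionRunning -or $_.Unrecoverable } | ForEach-Object {
    Write-Warning "Review volume $($_.MountPoint): status $($_.VolumeStatus), protectors [$($_.ProtectorTypes)]"
}
Backup-RecoveryProtectorsToAD
```

This is a pre-incident hygiene check rather than a forensic tool: run regularly across the fleet, it ensures that any BitLocker volume has a recovery password the organization controls, so an intruder who turns the feature on cannot be the only party able to unlock the data. The indictment does not state which protectors the actors configured, so the script makes no assumption about them beyond what `Get-BitLockerVolume` reports.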
One of the victims that paid the demanded ransom was a domestic violence shelter. The group contacted the shelter by email and demanded further contact by email or through a messaging platform the trio controlled. The shelter paid $13,000 in ransom and was provided the encryption keys to its data.
FBI Director Christopher Wray, in his statement, highlighted another attack, which occurred in the summer of 2021 and targeted Boston Children’s Hospital:
“Fortunately, before they could successfully launch their attack, we received a tip from a partner that the hospital had been targeted. And working closely with the hospital, we were able to identify and defeat the threat, protecting both the network and the sick children who depend on it. I’m very proud of our success in thwarting that attack. This indictment, and the cybersecurity advisory we’re releasing, show what’s possible when federal and international partners work together and place a priority on close collaboration with victims. The cyber threat facing our nation is growing more dangerous and complex every day. Today’s announcement makes clear the threat is both local and global. It’s one we can’t ignore and it’s one we can’t fight on our own, either.”
The DOJ’s insight into the trio’s activities extends to emails it obtained in which “individual timesheets reflecting the hours worked” were exchanged with an individual the indictment does not identify, indicating that a chain of command for tasking and funding exists.
Assistant Director Bryan Vorndran of the FBI’s Cyber Division noted, “The FBI remains steadfast in our commitment to work with our US government partners for the purpose of imposing cost on our adversaries. This indictment, when coupled with other disruptive operational activities, demonstrates what’s possible when we team up with our domestic and international partners and take a whole-of-government approach. We, along with our partners, remain dedicated to protecting the United States of America and the victims affected by these egregious crimes.”
Cybersecurity and Infrastructure Security Agency issues alert
The US Cybersecurity and Infrastructure Security Agency (CISA) alert, Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations (Alert AA22-257A), lays out the modus operandi of the Iranian actors. Of particular note in the CISA alert is the alphabet soup of law enforcement, intelligence, and security agencies from around the world that were involved in analyzing the Iranian cyber activity and pinning attribution on the IRGC; the collaboration included Australian, UK, and Canadian entities.
The Alert continues:
“The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple US critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors.”
US Department of Treasury issues sanctions
While the indictment is clear about who the miscreants are and about their nationality, it is circumspect in not connecting the criminal trio with the Iranian government. The US Treasury, however, connected the dots.
Contemporaneously with the unsealing of the indictment, the Department of the Treasury’s Office of Foreign Assets Control, as part of the whole-of-government response, levied sanctions on the trio and noted their connection with Islamic Revolutionary Guard Corps (IRGC)-affiliated entities.
Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said, “Ransomware actors and other cybercriminals, regardless of their national origin or base of operations, have targeted businesses and critical infrastructure across the board—directly threatening the physical security and economy of the United States and other nations. We will continue to take coordinated action with our global partners to combat and deter ransomware threats, including those associated with the IRGC.”
CISO actions regarding the Iranian threat
CISA notes that the current Alert updates alerts from 2021 that discussed Iranian government advanced persistent threat (APT) actors exploiting Fortinet and Microsoft Exchange vulnerabilities. CISOs will be well served to take on board the technical analysis CISA provides and its suggested actions for lowering the odds of becoming a victim of Iranian activity. For those unfamiliar with the Iranian cyber threat, CISA’s Iran Cyber Threat Overview and Advisories page may serve as a useful primer.