Iranian nationals charged in alleged ransomware conspiracy

Law enforcement agencies issued a memo warning U.S. companies to be vigilant.

September 14, 2022, 12:55 PM

Three Iranian nationals attempted to hack into hundreds of computers in the U.S. and around the world, demanding, and sometimes getting, a ransom, according to an indictment unsealed Wednesday.

The four-count grand jury indictment returned in Newark federal court charged the trio with hacking conspiracy, two counts of computer hacking and a count of computer extortion over an alleged ransomware conspiracy that targeted a range of organizations and critical infrastructure sectors such as healthcare centers, power companies and transportation services inside the U.S. and abroad.

Mansour Ahmadi, Ahmad Aghda, and Amir Ravari hacked into hundreds of computers inside the U.S. and around the world by often exploiting known vulnerabilities in network devices or software programs, the indictment said.

Once they gained access to an organization or company's software, they would use a program known as BitLocker to encrypt data on their victims' systems and demand a ransom either by threatening to release stolen data or keeping the data encrypted unless they were paid -- at times making demands for hundreds of thousands of dollars, according to the court filing.

The three men would often send their demands to office printers. Prosecutors detailed some of the correspondence they had with their victims. Some of those targeted include a domestic violence center, which Khatibi is alleged to have extorted $13,000 from, a housing authority, which he demanded $500,000 ransom from, and the computer systems of a U.S. township and county, the indictment said.

The indictment did not allege involvement by the government of Iran. Instead, the three demanded the money be paid to themselves, it said, although a U.S. official told reporters the Iranian government's lax laws could share the blame for failing go after actors who engage in this type of alleged conspiracy. The official said all three men are still believed to be within Iran and have not been arrested, and acknowledged it's unlikely any will see the inside of a U.S. courtroom.

Accompanying the announcement of the indictment, the FBI will release a new joint cybersecurity bulletin with international partners that will identify the tactics, techniques and procedures of advanced cyber threat actors believed to be affiliated with the Iranian government's Iranian Revolutionary Guard Corps, or IRGC.

The hackers are believed to be "actively targeting" a broad range of entities across multiple critical infrastructure sectors inside the U.S., Australia, Canada and the U.K., the bulletin will say, and have even targeted victims within Iran. Specifically in the U.S, the IRGC-affiliated actors carried out ransomware attacks against a police department, a regional transportation system, a municipal government and a U.S. aerospace company.

On the heels of this indictment, U.S. law enforcement agencies and international partners are warning of "continued malicious cyber activity" by accounts associated with the Iranian Government's Islamic Revolutionary Guard Corps (IRGC).

"The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations," the advisory said, noting the specific alleged hacking group, Najee Technology Hooshmand Fater LLC. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors. "The IRGC-affiliated actors have used their access for ransom operations, including disk encryption and extortion efforts. After gaining access to a network, the IRGC-affiliated actors likely determine a course of action based on their perceived value of the data. Depending on the perceived value, the actors may encrypt data for ransom and/or exfiltrate data."

In addition to the charges unsealed by the Justice Department and warnings by law enforcement, the Biden administration has rolled out new sanctions targeting ten individuals and two entities associated with the Islamic Revolutionary Guard Corps, which the U.S. classifies as a foreign terrorist organization.

“Ransomware incidents have disrupted critical services and businesses globally. Ransomware actors and other cybercriminals target businesses and critical infrastructure and threaten the physical security and economy of the United States and other nations. The United States is taking actions today to combat and deter ransomware threats,” Secretary of State Antony Blinken said in a statement, adding the country “will not tolerate malicious cyber activities victimizing the backbone of the U.S. economy and critical infrastructure.”

The targets of the sanctions include the three individuals charged by the Justice Department Wednesday as well as two companies they allegedly utilized to accomplish their nefarious aims. The State Department’s Rewards for Justice program is also now offering $10 million for information leading to the identification or location of the three or “any other person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure.”

Related Topics