U.S. indicts Iranian hackers for attacks on critical infrastructure
Groups impacted included health care, transportation and utility companies, along with a domestic violence shelter and state and county governments.
The Justice Department on Wednesday announced charges against three Iranian individuals alleged to have launched cyberattacks against U.S. and global critical infrastructure.
A senior Justice Department official told reporters that the individuals — Mansur Ahmadi, Ahmad Khatibi and Amir Hossein Nickaein — are alleged to have carried out attacks against hundreds of computers in both the United States, Russia, Israel, the United Kingdom and organizations in Iran beginning at least in October 2020. Groups impacted included health care, transportation and utility companies, along with a domestic violence shelter and state and county governments.
The charges were unveiled Wednesday by the District of New Jersey U.S. Attorney’s Office at a press conference. Victims in the U.S. listed in the indictment include an unnamed township and accounting firm in New Jersey, along with unnamed power companies in Mississippi and Indiana. A county government in Wyoming, a construction company in Washington, and the Bar Association for a U.S. state were also targeted.
According to the Justice department, several of these victims paid ransoms to Ahmadi, Khatibi and Nickaein following ransomware attacks they perpetrated.
The Iranian individuals are still at-large and believed to be in Iran, according to the Justice Department official, who also stressed that while the individuals did not carry out attacks on behalf of the Iranian government, the government allowed the attacks to take place. One senior official described these state-affiliated actors as up to something on the side. They were indicted by the Justice Department on four counts, including intentionally damaging protected computers and transmitting ransom demands.
When the group hacked the New Jersey accounting firm, it then taunted the company with ransom demands. “Are you ready to pay?” Khatibi asked in a March 8 email to a representative of the accounting firm, according to the indictment. The next day, he demanded $50,000. A week later, in a third email, he wrote, “If you don’t want to pay, I can sell your data on the black market.”
The FBI added all three to its most wanted list ,and the State Department is offering a $10 million reward for information on these individuals as part of its Rewards for Justice program.
“These three individuals are among a group of cyber criminals whose attacks represent a direct assault on the critical infrastructure and public services we all depend on,” FBI Director Christopher Wray said in a video released Wednesday.
Even if they are never apprehended, the indictment makes the three defendants fugitives and limits their ability to travel outside of Iran.
“We are stripping their anonymity away, they cannot operate anonymously from the shadows anymore,” said Philip Sellinger, the U.S. Attorney for the District of New Jersey.
It’s not clear from the indictment how much information may have been stolen or how it was used.
In addition, the Treasury Department’s Office of Foreign Assets Control announced sanctions against 10 individuals and two groups affiliated with the Iranian Islamic Revolutionary Guard Corps. The sanctioned individuals, who include the three Iranians charged by the Justice Department, and groups are alleged to have carried out ransomware and other cyberattacks since at least 2020.
“We are not going to sit quietly by and let them harass victims like state governments, county governments, violence shelters and the like,” the Justice Department official said.
A joint cybersecurity advisory was released by agencies in the United States, the United Kingdom, Australia and Canada, including the FBI, the National Security Agency and the Cybersecurity and Infrastructure Security Agency, warning of Iranian-affilated hackers exploiting cyber vulnerabilities to carry out ransomware attacks. According to a senior Justice Department official, the new advisory refers to the same hackers alleged in a November 2021 advisory to have been exploiting vulnerabilities in the Microsoft Exchange system to target U.S. critical infrastructure groups in association with the government of Iran.
The actions by the Justice Department came a week after the White House condemned Iran for allegedly carrying out widespread cyberattacks in July on the Albanian government, and after the Treasury Department sanctioned Iran’s intelligence agency and its leader in connection to the attacks.
This is far from the first legal action related to Iranian-based or Iranian-led cyberattacks. In 2016, a criminal indictment charging seven Iranian hackers for cyberattacks against U.S. financial institutions and a New York dam was returned just a few days after the U.S. and Iran implemented a high-profile nuclear deal. In 2018, the DOJ revealed charges against an Iranian hacking ring that prosecutors say spent years pilfering research and documents from over 100 American universities and government agencies.