US accuses three Iranians of running a cyber-attack scheme against companies

Three Iranian nationals carried out a scheme to hack hundreds of organizations in the US and around the world, in some cases extorting them for personal monetary gain, the US Department of Justice alleged in an indictment released Wednesday.

The alleged victim organizations included a domestic violence shelter in Pennsylvania, an energy company in Mississippi and Union County, New Jersey, according to charges filed in federal court in New Jersey.

The complaint does not accuse the Iranians of carrying out these specific hacks on behalf of the Iranian government. However, in penalizing the three Iranian men, the Treasury Department accused them of working for IT companies affiliated with the Iranian Revolutionary Guard Corps (IRGC).

In some cases, Iranian hackers have demanded hundreds of thousands of dollars in ransom payments to unlock computers, a Justice Department official told reporters Wednesday.

Iran’s Permanent Mission to the UN did not immediately respond to a request for comment on the Justice Department’s allegations.

For US officials, it is the latest example that Iran tolerates or conducts reckless behavior in cyberspace that has cost US companies, government agencies and NATO allies. In a test of the Biden administration’s ability to help defend a NATO ally against hackers, the Albanian government has twice accused Iran since July of carrying out hacks that brought down Albanian government services.

The White House condemned Tehran for the initial attack in July and said US officials had been in Albania helping with the recovery. Iran has denied the allegations.

The recently indicted Iranians – Mansour Ahmadi, Ahmad Khatib Aghda and Amir Hossein Nickaein Ravari – are believed to reside in Iran, according to a Justice Department official. The chances of the three Iranians being detained by the US are slim unless they travel to a country with which the US has an extradition agreement.

“These three individuals are among a group of cybercriminals whose crimes represent a direct attack on the critical infrastructure and public services we all depend on,” FBI Director Christopher Wray said in a video statement Wednesday.

As part of Wednesday’s crackdown on alleged Iranian hackers, the Treasury Department legally sanctioned Ahmadi, Aghda and Ravari, as well as seven other Iranians, and accused them of working for Iranian IT companies affiliated with the Islamic Revolutionary Guard Corps. The State Department offered a $10 million reward for Ahmadi, Aghda and Ravari.

The Treasury announcement accused Iranian hackers of carrying out a series of attacks using ransomware – a type of data-hijacking malware – including one at Boston Children’s Hospital in June 2021. FBI officials say they were able to thwart the hackers and that no damage was caused to patient care.

Wray called the incident “one of the most despicable cyberattacks I’ve ever seen.” Tehran has denied involvement in the incident.

To try to mitigate the impact of future hacks linked to the IRGC, the US and allies such as Canada and the UK released a warning on Wednesday about defending against the hackers’ tactics and techniques.

The Justice Department’s accusations highlight the often blurred lines between the government and cybercriminal actors in countries like Iran, according to some analysts.

“Recent announcements from US government agencies reinforce our understanding of Iran’s cyber operations ecosystem, which relies heavily on contract third parties for both the IRGC and the Ministry of Intelligence and Security,” said Saher Naumaan, principal threat intelligence analyst at BAE Systems, which closely tracks alleged Iranian hackers. “Companies are often fronts for intelligence agencies, where individuals are directly involved in operations or may be on the periphery in support roles such as training academies.”

This story has been updated with additional developments and context.

Source: CNN Brasil