(Bloomberg) — The Justice Department filed charges against Iranian nationals accused of conducting hacking attacks against hundreds of companies and organizations internationally, accusing them of encrypting computers associated with critical infrastructure, including electric utilities.
The indictment charges Mansour Ahmadi, Ahmad Khatibi Aghda and Amir Hossein Nickaein Ravari with carrying out attacks since October 2020 that included a municipality in Union County, New Jersey, power companies in Mississippi and Indiana, an accounting firm based in Illinois and a domestic violence shelter in Pennsylvania. Ransomware attacks also allegedly occurred in other countries, including the UK, Israel, Russia and Iran.
The hackers exploited known flaws in commonly used computer network devices and software applications to access and exfiltrate data and information, according to a 20-page indictment unsealed on Wednesday.
The department said the three defendants are likely still in Iran and haven’t been arrested.
FBI special agent James Dennehy said in a briefing on Wednesday that the US government would be offering a reward of $10 million for information leading to the arrest of the men, who he said were affiliated with companies operating in Iran that were “engaging in cybercrimes on a global scale.” A statement from the US Treasury identified those companies as Najee Technology Hooshmand Fater LLC and Afkar System Yazd Company.
According to prosecutors, the defendants hacked data in local networks and demanded payment in Bitcoin of as much as $500,000. Several attacks cited in the indictment demanded ransoms for tens of thousands of dollars. In one message to an accounting firm in March 2022, according to the indictment, the hackers said, “Are you ready to pay?”
The hackers were separately named by the Treasury as having links to Iran’s Islamic Revolutionary Guard Corps. However, there was no evidence that the alleged hacking operations featured in the indictment were sponsored by the Iranian government, according to a senior Justice Department official. Rather, the official said, the hacks had been carried out “on the side” for personal gain. The official added that hackers were able to operate with “impunity” in Iran due to “neutral law enforcement” that turned a blind eye.
John Hultquist, vice president of intelligence at the cybersecurity firm Mandiant, said his firm has been tracking the hackers for some time. “We believe these organizations may have been moonlighting as criminals in addition to their status as contractors in the service of the IRGC,” he said in a statement. “The IRGC leans heavily on contractors to carry out their cyber operations.”
At least two of the men featured in the indictment, Aghda and Ahmadi, were publicly identified in July by an anonymous online group named Lab Dookhtegan, which is known for exposing alleged Iranian government hackers. The group alleged that the men were involved with a cyber unit of the IRGC and had used hacking tools in cyberattacks in the US and Europe with the aim of extorting money.
The indictment doesn’t specify how much money the hackers earned. In one case, it states, they received a payment of £13,000 from the domestic violence shelter in Pennsylvania after hacking its computers and encrypting its files.
Philip Sellinger, US attorney for the district of New Jersey, said the men had carried out “a massive global computer hacking and ransomware scheme.”
“Hackers like these three Iranian nationals go to great lengths to keep their identities secret, but they always leave a digital trail, and we will find it,” he said.
©2022 Bloomberg L.P.