Iranians accused of attacking US computer systems, demanding ransom

The Justice Department has charged three Iranian men who work for the country’s Islamic Revolutionary Guard Corps with hacking into computer systems and demanding hundreds of thousands of dollars in ransom from entities in the United States and other countries, according to a federal grand jury indictment unsealed Wednesday in New Jersey.

Victims include a Pennsylvania-based domestic violence shelter, city governments in New Jersey and Wyoming, and a public housing company in Washington state.

Justice Department officials said the suspects – who are not charged with disrupting a power supply or critical infrastructure – also allegedly targeted entities in Iran and Russia.

The men – Mansur Ahmadi, 34; Ahmad Khatibi Aghda, 45; and Amir Hossein Nickaein, 30 – were acting on their own and not on behalf of the Iranian government, Justice Department officials said. But officials said they believed the Revolutionary Guard Corps (IRGC) continued to ignore this type of malicious activity, allowing it to happen again and again.

Ahmadi, Aghda and Nickaein are believed to be living in Iran, making it highly unlikely that the United States can arrest them. But Justice Department officials say the indictment would prevent the suspects from easily leaving their country and limit their career prospects – a consequence that officials say could deter others from committing similar crimes.

The federal government also said the Treasury Department would sanction 10 individuals and two entities affiliated with the Revolutionary Guard Corps for their role in the cyberattacks. As part of the sanctions, all US assets affiliated with these individuals would be frozen.

“We are not going to sit quietly,” a Justice Department official said.

According to the indictment unsealed on Wednesday, the three Iranians illegally accessed hundreds of computer systems in the United States, Russia, the United Kingdom, Iran, Israel and elsewhere between October 2020 and August 2022. They allegedly took control of these systems and demanded ransoms in exchange for allowing the victims to regain access to their computers. Some of the victims, according to the indictment, paid the ransoms.

In December 2021, for example, the suspects allegedly gained access to the computer system of a shelter for victims of domestic violence and then blocked the shelter’s access to some of its systems and data. They then allegedly used their access to print a note on a printer at the domestic violence shelter that read, “Hi. Do not take any recovery action. Your files may be corrupted and unrecoverable. Contact us.”

The hackers then demanded $13,000 paid in bitcoins so that the shelter could restore access to its systems. The shelter sent the payment.

A month later, the hackers gained access to the computer system of a housing authority in Washington state. They stole data from the authority and, similar to what they allegedly did at the domestic violence shelter, launched an encryption attack that blocked the authority from accessing some of its data and systems.

In February, the accused hackers allegedly emailed housing authority officials and threatened to sell their data if they did not pay them.

“I want this to end,” Aghda reportedly wrote in an email, “and if you don’t want to pay let me know so I can make money selling data.”

The FBI did not specify how much ransom was paid in these attacks in total and said it had not frozen any of the bitcoin that was paid.

John Hultquist, vice president of intelligence analysis for Mandiant, a cybersecurity firm, warned that even if the suspects are not charged with carrying out the cyberattacks for the Revolutionary Guard Corps, the Iranian military group could still benefit from the online access of the alleged perpetrators.

“It’s not just a ransomware problem. It’s Iranian contractors moonlighting their skills but ultimately becoming associated with a dangerous state security organization,” Hultquist said. “The access they get is used for the crime, but the IRGC will likely also try to use it for its own interests, perhaps for a disruptive attack.”

Several U.S. government agencies and offices issued an advisory on Wednesday telling individuals and organizations how to protect against cyberattacks. Its recommendations include maintaining offline backups of data, creating a cyberattack response plan, applying available software updates, implementing multi-factor authentication for logins, and more.

The advisory was issued jointly with the governments of Canada, Australia and the United Kingdom.

“This advisory identifies specific instances in which IRGC-affiliated cyber actors used publicly known vulnerabilities to gain access to US critical infrastructure networks,” said David Luber, deputy director of cybersecurity at the National Security Agency, in a press release. “We implore our network advocates and partners to detect and mitigate this threat before your organization is the next victim of ransomware.”

This is not the first time the United States has accused Iranians of deploying cyberattacks on the country’s systems.

In November 2021, the Justice Department indicted two Iranians accused of a brazen hacking and disinformation campaign that targeted American voters in the run-up to the 2020 U.S. presidential election. Prior to those indictments, U.S. Cyber Command and the National Security Agency had taken steps to ensure that Iran and other foreign actors did not interfere in the 2020 elections.

Overall, the Treasury Department reports that the amount US victims paid in connection with cyberattacks rose from $416 million in 2020 to $590 million in 2021. The government estimates that these payments represent only a fraction of the economic cost of cyberattacks.

A previous version of this article misspelled John Hultquist’s name. The article has been corrected.