US DoJ Charges Three Iranians With Hack, Extortion Scheme

America charges three Iranian nationals for alleged scheme to hack and extort multiple US critical infrastructure providers

The United States has charged three Iranian nationals over an alleged hacking and ransomware-style extortion scheme against US critical infrastructure providers.

The announcement on Wednesday from the US Department of Justice (DoJ) and the FBI alleges that from October 2020 to the present, Mansour Ahmadi (34), Ahmad Khatibi Aghda (45) and Amir Hossein Nickaein Ravari (30) gained unauthorised access to the computer systems of hundreds of victims in the United States, the United Kingdom, Israel, Iran and elsewhere, causing damage and losses to the victims.

Iranian hackers have targeted Western infrastructure before. A cyber attack in December 2018 on the UK’s local government networks and the Post Office was later attributed to a nation-state attacker, identified by US security experts as Iran, or more accurately a group connected to the Iranian Revolutionary Guards.

Iranian hackers

That same group was also blamed for carrying out an attack on the UK’s parliamentary network in 2017.

And in November 2018 the US Justice Department indicted two Iranian men it alleged were behind the destructive SamSam ransomware outbreak, which affected hundreds of organisations around the world, including the City of Atlanta, a Los Angeles hospital and the Port of San Diego, and caused more than $30 million (£24m) in damage.

Now the US DoJ has alleged that the three Iranian nationals exploited known vulnerabilities in commonly used network devices and software applications to gain access and exfiltrate data and information from victims’ computer systems.

The DoJ said that Ahmadi, Khatibi, Nickaein and others also conducted encryption attacks against victims’ computer systems, denying victims access to their systems and data unless a ransom payment was made.

“The Government of Iran has created a safe haven where cyber criminals acting for personal gain flourish and defendants like these are able to hack and extort victims, including critical infrastructure providers,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division.

“This indictment makes clear that even other Iranians are less safe because their own government fails to follow international norms and stop Iranian cyber criminals,” said Olsen.

The defendants apparently targeted a broad range of organisations, including small businesses, government agencies, non-profit programs and educational and religious institutions. Their victims also included multiple critical infrastructure sectors, including health care centres, transportation services and utility providers.

“Ransom-related cyberattacks – like what happened here – are a particularly destructive form of cybercrime,” noted US Attorney Philip R. Sellinger for the District of New Jersey.

“No form of cyberattack is acceptable, but ransomware attacks that target critical infrastructure services, such as health care facilities and government agencies, are a threat to our national security,” said Sellinger. “Hackers like these defendants go to great lengths to keep their identities secret, but there is always a digital trail. And we will find it.”

Variety of victims

The court documents state that in February 2021, the defendants and their conspirators targeted a township in Union County, New Jersey. They exploited known vulnerabilities to gain control and access to the township’s network and data and used a hacking tool to establish persistent remote access to a particular domain that was registered to Ahmadi.

In or before February 2022, the defendants and their conspirators also targeted an accounting firm based in Morris County, New Jersey. They again exploited a known vulnerability to gain unauthorized access and then used a particular hacking tool to establish a connection to a server that was registered to Nickaein and to steal data.

In March 2022, the defendants launched an encryption attack against the accounting firm; after denying the firm access to some of its systems, Khatibi demanded payment of $50,000 in cryptocurrency and threatened to sell the data on the black market.

The defendants also compromised, and often encrypted and extorted, hundreds of other victims, including an accounting firm based in Illinois; a regional electric utility company based in Mississippi; a regional electric utility company based in Indiana; a public housing corporation in the State of Washington; a shelter for victims of domestic violence in Pennsylvania; a County government in Wyoming; a construction company located in the State of Washington that was engaged in work on critical infrastructure projects; and a state bar association.

Ahmadi, Khatibi and Nickaein are each charged by indictment with one count of conspiring to commit computer fraud and related activity in connection with computers; one count of intentionally damaging a protected computer; and one count of transmitting a demand in relation to damaging a protected computer.

Ahmadi is charged with one additional count of intentionally damaging a protected computer.

The conspiracy charge carries a maximum sentence of five years in prison. The intentional damage to protected computers charge carries a maximum sentence of 10 years in prison. The transmission of a ransom demand charge carries a maximum sentence of five years in prison. The offences also carry a potential maximum fine of $250,000 or twice the gross amount of gain or loss resulting from the offence, whichever is greater.

Blurring lines

One security expert noted that online threats are continuing and must be faced head on by organisations.

“In today’s operating climate, while the lines between criminal actors and nation state actors may be blurred, it is clear that organisations don’t want to opt themselves in or out of the crosshairs,” said Tim Wade, deputy CTO at AI threat detection specialist Vectra.

“The effect of these threats rolls downhill to individual, normal people who find essential services like critical utilities and health care under siege,” said Wade. “Fundamentally these threats must be engaged head on, and for this reason it is encouraging to see such an announcement emphasising the seriousness with which the FBI takes this mission.”