The Department of Justice (DoJ) charged three Iranian nationals who allegedly have targeted hundreds of victims - including critical infrastructure organizations - in the U.S., the UK, Israel and Iran since October 2020.
The three individuals - Mansour Ahmadi, 34; Ahmad Khatibi Aghda, 45; and Amir Hossein Nickaein Ravari, 30, who all reside in Iran - were allegedly behind a number of cyber-theft and extortion attacks that victimized healthcare centers, transportation services and utility providers, as well as small businesses, government agencies, non-profit organizations and educational and religious entities.
The DoJ’s charges are part of a broader wave of actions against Iran-linked threat actors by multiple agencies across the U.S. government on Wednesday, coming on the heels of the White House promising “further action to hold Iran accountable” after a July cyberattack on Albania. Ahmadi, Aghda and Ravari were added by the U.S. Treasury Department to the specially designated nationals (SDNs) list along with seven other Iranian nationals and two companies “for their roles in conducting malicious cyber acts, including ransomware activity.” The U.S. government also said that all sanctioned individuals and entities are affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC). Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) along with multiple other global security center organizations released further information on the trademark tactics used by the threat actors.
“They were looking to steal information, encrypt networks, and sell private data, all in the hopes of persuading victims to pay sizable ransoms,” said FBI Director Christopher Wray in a Wednesday statement. “In addition to targeting victims here in the U.S., the defendants also targeted companies and entities around the world, including in their own country of Iran, demonstrating that few targets were off-limits. These three individuals are among a group of cybercriminals whose attacks represent a direct assault on the critical infrastructure and public services we all depend on.”
The three allegedly targeted a number of companies including an accounting firm in New Jersey, regional electric utility companies in Mississippi and Indiana, a shelter for domestic violence victims in Pennsylvania and more. The goal of these attacks was to either exfiltrate data or launch ransomware.
“To these sorts of actors, nothing is off-limits,” said Wray. “Not even, for example, Boston Children’s Hospital, which they set their sights on in the summer of 2021. Fortunately, before they could successfully launch their attack, we received a tip from a partner that the hospital had been targeted. And working closely with the hospital, we were able to identify and defeat the threat, protecting both the network and the sick children who depend on it. I’m very proud of our success thwarting that attack.”
The tactics allegedly used by Ahmadi, Aghda and Ravari - including exploiting known vulnerabilities in popular network devices and software applications - are indicative of broader Iran-linked APT trends, highlighted in a Thursday advisory by CISA. CISA linked previous security alerts of Iranian government-sponsored APT actor activity with IRGC affiliates, and said these threat actors have continued to exploit Fortinet and Microsoft Exchange flaws - as well as VMware Horizon Log4j vulnerabilities - for initial access in ransomware operations. These actors have often operated under the names Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. Both entities were sanctioned on Thursday.
The charges and sanctions follow a previous round of sanction designations on Friday, with the Treasury Department designating the Iran Ministry of Intelligence and Security (MOIS) and the Iranian minister of intelligence. Last week, Albania cut off diplomatic relations with Iran and expelled Iran’s diplomats from the country after saying a July cyberattack had been orchestrated by Iranian actors and sponsored by the Iranian government. The U.S. also condemned the attack, saying it would hold Iran accountable for threatening the security of a U.S. ally.
The cluster of malicious activity highlighted by U.S. government agencies on Wednesday has also previously been analyzed by Mandiant researchers, who have tracked the operations under the designation UNC2448 since 2020. Mandiant said that UNC2448 is known for widespread scanning for various flaws and for its use of the Fast Reverse Proxy tool.
“The indictment is focused on the criminal activity of Iranian actors Mandiant has tracked for some time,” said John Hultquist, VP with Mandiant Intelligence, in a statement. “We believe these organizations may have been moonlighting as criminals in addition to their status as contractors in the service of the IRGC. The IRGC leans heavily on contractors to carry out their cyber operations.”