Iranian nationals charged with ransomware-style extortion against US critical infrastructure providers

According to the US Department of Justice (DOJ), an indictment was unsealed today charging three Iranian nationals with allegedly orchestrating a scheme to hack into the computer networks of multiple US victims.

The government of Iran has created a safe haven where cyber criminals acting for personal gain flourish, according to Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division, noting that defendants like these are able to hack and extort victims, including critical infrastructure providers.

"This indictment makes clear that even other Iranians are less safe because their own government fails to follow international norms and stop Iranian cyber criminals," Olsen said.

As alleged in the indictment, from October 2020 through the present, Mansour Ahmadi, aka Mansur Ahmadi, 34; Ahmad Khatibi Aghda, aka Ahmad Khatibi, 45; and Amir Hossein Nickaein Ravari, aka Amir Hossein Nikaeen, aka Amir Hossein Nickaein, aka Amir Nikayin, 30, engaged in a scheme to gain unauthorised access to the computer systems of hundreds of victims in the United States, the United Kingdom, Israel, Iran, and elsewhere, causing damage and losses to the victims.

The defendants' hacking campaign exploited known vulnerabilities in commonly used network devices and software applications to gain access and exfiltrate data and information from victims' computer systems. Ahmadi, Khatibi, Nickaein and others also conducted encryption attacks against victims' computer systems, denying victims access to their systems and data unless a ransom payment was made.

The defendants victimised a broad range of organisations, including small businesses, government agencies, non-profit programs and educational and religious institutions. Their victims also included multiple critical infrastructure sectors, including health care centres, transportation services and utility providers.

No form of cyber attack is acceptable, US Attorney Philip R. Sellinger for the District of New Jersey asserted, noting ransomware attacks that target critical infrastructure services, such as health care facilities and government agencies, are a threat to national security.

"Ransom-related cyber attacks — like what happened here — are a particularly destructive form of cyber crime.

VIEW ALL

"Hackers like these defendants go to great lengths to keep their identities secret, but there is always a digital trail.

"And we will find it."

According to court documents, in February 2021, the defendants and their conspirators targeted a township in Union County, New Jersey. They exploited known vulnerabilities to gain control and access to the township’s network and data and used a hacking tool to establish persistent remote access to a particular domain that was registered to Ahmadi.

In or before February 2022, the defendants and their conspirators targeted an accounting firm based in Morris County, New Jersey. They again exploited a known vulnerability to gain unauthorised access and then used a particular hacking tool to establish a connection to a server that was registered to Nickaein and to steal data. In March 2022, the defendants launched an encryption attack against the accounting firm. After denying the firm access to some of its systems, Khatibi demanded payment of $50,000 in cryptocurrency and threatened to sell the data on the black market.

The defendants also compromised, and often encrypted and extorted, hundreds of other victims, including an accounting firm based in Illinois; a regional electric utility company based in Mississippi; a regional electric utility company based in Indiana; a public housing corporation in the State of Washington; a shelter for victims of domestic violence in Pennsylvania; a county government in Wyoming; a construction company located in the state of Washington that was engaged in work on critical infrastructure projects; and a state bar association.

Ahmadi, Khatibi and Nickaein, all residents of Iran, are each charged by indictment with one count of conspiring to commit computer fraud and related activity in connection with computers; one count of intentionally damaging a protected computer; and one count of transmitting a demand in relation to damaging a protected computer. Ahmadi is charged with one additional count of intentionally damaging a protected computer. All defendants remain at large abroad.

Assistant director Bryan Vorndran of the FBI’s Cyber Division asserted the FBI remains steadfast in their commitment to work with US government partners for the purpose of imposing cost on their adversaries.

"This indictment, when coupled with other disruptive operational activities, demonstrates what’s possible when we team up with our domestic and international partners and take a whole-of-government approach."

"We, along with our partners, remain dedicated to protecting the United States of America and the victims affected by these egregious crimes," Vorndran said.

The conspiracy charge carries a maximum sentence of five years in prison. The intentional damage to protected computers charge carries a maximum sentence of 10 years in prison. The transmission of a ransom demand charge carries a maximum sentence of five years in prison. The offences also carry a potential maximum fine of $250,000 or twice the gross amount of gain or loss resulting from the offence, whichever is greatest.

US Attorney Philip Sellinger credited special agents of the FBI, under the direction of Special Agent in Charge James E. Dennehy in Newark, with the investigation leading to the charges.

Assistant US Attorneys David E. Malagold and Matthew Feldman Nikic for the District of Newark, and Trial Attorney Andrew D. Beaty of the National Security Division’s Counterintelligence and Export Control Section are prosecuting the case.

However an indictment is merely an allegation, and all defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

[Related: North Korean hackers target US, Canada and Japan energy sectors via Log4j exploit]