Iran steps up its cybercrime game and Uncle Sam punches back

The US has issued indictments against three Iranians linked to the country's Islamic Revolutionary Guard Corps (IRGC) for their alleged roles in plotting ransomware attacks against American critical infrastructure, and also sanctioned multiple individuals and two entities.

The criminal charges come as Iran has apparently stepped up its malicious activity against America and its allies — exploiting well-known software vulnerabilities to conduct espionage, deploy ransomware, steal money, data and credentials and good old-fashioned election misinformation and meddling, according to the government and private security firms. 

US government agencies have responded in turn with finger-pointing, strong words, sanctions, and now, more sanctions, criminal charges and a $10 million bounty on the three of the Iranians.

Today's indictment cites charges against 34-year-old Mansour Ahmadi; 45-year-old Ahmad Khatibi Aghda, aka Ahmad Khatibi; and 30-year-old Amir Hossein Nickaein Ravari, aka Amir Nikayin. The trio are accused of conducting a hacking campaign to break into computer systems of "hundreds of victims" in the US, UK, Israel, Iran and other countries, according to court documents [PDF].

The three men allegedly breached victims' networks and stole data from a "broad range of organizations" including government agencies, nonprofits, education and religious institutions, as well as critical infrastructure sectors including health care, transportation and utility providers, according to the charges.

"As part of this scheme, Khatibi, Nickaein, and others profited by conducting encryption attacks against victims' computer systems and then denying victims access to their systems and data unless they made a ransom payment," the indictment says.

Ahmadi, Khatibi, and Nickaein are each charged with one count of conspiring to commit computer fraud and related activity in connection with computers; one count of intentionally damaging a protected computer; and one count of transmitting a demand in relation to damaging a protected computer. 

Ahmadi is also charged with one additional count of intentionally damaging a protected computer.

The conspiracy charge carries a maximum sentence of five years in prison, while the intentional damage to protected computers charge carries a maximum sentence of 10 years behind bars. Meanwhile, the transmission of a ransom demand charge carries a maximum of five years, plus the offenses carry a potential maximum fine of $250,000 or twice the gross amount of gain or loss resulting from the offense, whichever is greatest.

Ties to 'terrorist org'

The three men, according to the US government, are also linked to Iran's Islamic IRGC, which the US considers a terrorist organization and claims has plotted to murder US citizens, including former National Security Advisor John Bolton.

Earlier this month Mandiant named a new threat group, APT42, that it says functions as IRGC's cyberspy arm. 

The Google-owned threat intel firm's VP John Hultquist told The Register the indictment "focused on the criminal activity of Iranian actors Mandiant has tracked for some time. We believe these organizations may have been moonlighting as criminals in addition to their status as contractors in the service of the IRGC."

Hultquist cited the crooks' "brazen, widespread vulnerability scanning operation" against organizations in the US, Canada, Israel, UAE and Saudi Arabia and said, among other bugs, they seek out security flaws in VPNs and Microsoft Exchange.

"More often than not, they are monetizing their access, but their relationship to the IRGC makes them especially dangerous," he said. "Any access they gain could be served up for espionage or disruptive purposes. For most people this actor will probably be a criminal problem, but if you're the right target, they will turn you over for espionage or disruption." 

The alleged Iranian criminals, however, now also have a target on their heads. Also yesterday: The US government offered up to $10 million for information on Ahmadi, Khatibi and Nickaein.

REWARD! 💰Up to $10M 💰for information on Iranian malicious #cyber actors AHMADI, KHATIBI & NICKAEIN. They targeted U.S. critical infrastructure and compromised hundreds of computer networks across the U.S. and abroad. GOT A TIP? Contact RFJ today! https://t.co/jA8oZs6D2o pic.twitter.com/26isfc8fqx

— Rewards for Justice (@RFJ_USA) September 14, 2022

But wait, there's more

In addition to the criminal charges, the three Iranian residents are among 10 slapped with sanctions by the US Treasury Department for their alleged affiliation with Iran's IRGC and related criminal deeds — including facilitating ransomware attacks.

"Ransomware actors and other cybercriminals, regardless of their national origin or base of operations, have targeted businesses and critical infrastructure across the board — directly threatening the physical security and economy of the United States and other nations," said under secretary of the Treasury for Terrorism and Financial Intelligence Brian E Nelson in a statement. 

The sanctions come less than a week after the US Treasury Department issued sanctions against a different group, Iran's Ministry of Intelligence and Security, and its Minister of Intelligence. The earlier sanctions were in response to a cyberattack against NATO-member Albania and other "cyber-enabled activities against the United States and its allies." 

With the latest action, the State Department bans US residents and businesses from conducting any business with or giving any money to 10 IRGC-linked individuals and two firms. 

This includes employees and associates of Najee Technology Hooshmand Fater LLC (Najee Technology), and Afkar System Yazd Company (Afkar System). Mansour Ahmadi is the owner, managing director, and chairman of the board of Najee Technology. Ahmad Khatibi Aghda is managing director and member of the board of Afkar System. 

Additional employees and associates of Najee Technology and/or Afkar System include: Ali Agha-Ahmadi, Mohammad Agha Ahmadi, Mo'in Mahdavi, Aliakbar Rashidi-Barjini, Amir Hossein Nikaeen Ravari, Mostafa Haji Hosseini, Mojtaba Haji Hosseini and Mohammad Shakeri-Ashtijeh.

According to the Feds, this IRGC-linked group has been hacking US networks since at least 2020, and their crimes have been tracked by various private security researchers as APT 35, Charming Kitten, Nemesis Kitten, Phosphorus and Tunnel Vision. 

• Uncle Sam sanctions Iran's intel agency over Albanian cyberattack
• Mandiant links APT42 to Iranian 'terrorist org'
• Iran-linked Cobalt Mirage extracts money, info from US orgs – report
• Who is exploiting VMware right now? Probably Iran's Rocket Kitten, to name one

This group, among other nefarious deeds, exploited a Fortinet vulnerability in February 2021 to attack a New Jersey municipality, breaching its network and moving laterally throughout it, creating phony accounts, escalating privileges, establishing persistent remote access, and deploying tools including Mimikatz and Filezilla "in furtherance of their malicious activity," the State Department claims. 

In March 2021, and continuing through August 2021, the criminals began their encryption and ransomware spree, although the Feds claim they were able to, in "many cases," warn victims before the attacks caused any harm.

"From September 2021 through the present, this group primarily gained unauthorized access to victim networks by exploiting Microsoft Exchange and related ProxyShell vulnerabilities, including an incident in October 2021 when they compromised the network of an electric utility company serving a rural area of the United States, and maliciously used BitLocker to disrupt operations."

Additionally, a joint cyber security advisory from the Department of the Treasury, FBI, NSA, USCYBERCOM, Australia's Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), and the United Kingdom's National Cyber Security Centre (NCSC) highlights "continued malicious cyber activity by advanced persistent threat (APT) actors that the authoring agencies assess are affiliated with IRGC." ®