Three Iranian nationals, named as Mansour Ahmadi, Ahmad Khatibi Aghda, and Amir Hossein Nickaein Ravari, have been indicted in the US over their alleged involvement in a campaign of cyber attacks targeting multiple victims in the US, UK, Israel and Iran, including operators of critical national infrastructure (CNI).
The three are accused of exploiting known vulnerabilities in commonly used networking hardware and software to gain access to their targets’ systems, exfiltrate data and other information from them, and conduct a number of ransomware attacks.
Besides organisations in the government, healthcare, transport and utility sectors, the trio also targeted educational institutions, non-profits, religious bodies, and small and medium-sized enterprises (SMEs).
“Ransom-related cyber attacks – like what happened here – are a particularly destructive form of cyber crime,” said US attorney Philip Sellinger.
“No form of cyber attack is acceptable, but ransomware attacks that target critical infrastructure services, such as healthcare facilities and government agencies, are a threat to our national security. Hackers like these defendants go to great lengths to keep their identities secret, but there is always a digital trail. And we will find it.”
Assistant attorney general Matthew Olsen added: “These defendants may have been hacking and extorting victims – including critical infrastructure providers – for their personal gain, but the charges reflect how criminals can flourish in the safe haven that the government of Iran has created and is responsible for.
“According to the indictment, even other Iranians are less safe because their own government fails to follow international norms and stop Iranian cyber criminals.”
The specific charges in the indictments, which were unsealed on 14 September in the state of New Jersey (NJ), relate to two incidents in the state over the course of a year.
In the first incident, the defendants and their co-conspirators are accused of targeting a township in Union County, New Jersey, in February 2021, exploiting known vulnerabilities to gain access to and control of local government networks, and establishing remote access to a domain registered to Ahmadi.
A year later, in February 2022, they are accused of targeting an accounting firm in nearby Morris County, again gaining access and establishing a connection to a server controlled by Nickaein, which was used to exfiltrate data and subsequently to launch a double extortion ransomware attack, in which they demanded the sum of $50,000 in cryptocurrency.
The group’s other victims are believed to number in the hundreds, and are known to have included another accountancy firm in Illinois, a county government in Wyoming, a construction company in Washington, a domestic violence shelter in Pennsylvania, electrical utilities in Indiana and Mississippi, a public housing corporation in Washington, and an undisclosed state bar association.
The indictment charges all three with one count of conspiracy to commit computer fraud and related activity, one count of intentionally damaging a protected computer, and one count of transmitting a demand in relation to damaging a protected computer. Ahmadi is additionally charged with an extra count of intentionally damaging a protected computer.
Cumulatively, the charges carry a maximum sentence of 20 years in prison, and fines of up to $250,000, but as all three men are resident in Iran, barring significant geopolitical changes in the region, it is unlikely that they will ever be extradited to stand trial.
Mandiant vice-president John Hultquist said that he had been tracking the group for some time. Mandiant links it to a cluster of threat activity known as UNC2448, which others track as DEV-0270 and Cobalt Mirage. The group is known for its widespread scanning for various vulnerabilities, its use of the Fast Reverse Proxy tool, and ransomware activity that uses BitLocker to encrypt victims' systems.
It is linked with some degree of confidence to the Iranian Revolutionary Guards Corps. However, said Hultquist, the activities with which the men are charged may not have been ordered by Tehran.
“We believe these organisations may have been moonlighting as criminals in addition to their status as contractors in the service of the IRGC. The IRGC leans heavily on contractors to carry out their cyber operations,” he said.
“This group has been carrying out a brazen, widespread vulnerability scanning operation against targets in the US, Canada, Israel, UAE, and Saudi Arabia, seeking vulnerabilities in VPNs and MS Exchange among others.
“More often than not, they are monetising their access, but their relationship to the IRGC makes them especially dangerous. Any access they gain could be served up for espionage or disruptive purposes,” said Hultquist.
“For most people, this actor will probably be a criminal problem, but if you’re the right target, they will turn you over for espionage or disruption,” he warned.