The United States Department of Justice (DOJ) has indicted three Iranian hackers for a campaign of attacks dating back to 2020. The hackers hit targets throughout the US as well as in other countries, and went after a broad range of organizations including critical infrastructure companies and government agencies.
Iranian hackers not state-backed, but allowed to act with impunity
The DOJ notes that the Iranian hackers do not appear to be linked to the Islamic Revolutionary Guard Corps, but accuses Iran of adopting a position similar to that of Russia in ignoring the actions of its criminal hackers so long as they stick to attacking enemy or rival nations.
The three hackers (Mansur Ahmadi, 34; Ahmad Khatibi Aghda, 45; and Amir Hossein Nickaein, 30) appear to have been acting on their own for personal gain, but included critical infrastructure companies and government agencies among their targets. The Iranian hackers were reportedly not successful in disrupting any critical infrastructure but did target public utility companies as part of their campaign, along with local municipal government offices in several states.
The hackers appear to be based in Iran, and the complete lack of diplomatic ties between the nations (along with recent military tensions) means that the indictments are unlikely to come to anything, but they will at least severely limit the ability of the attackers to travel outside of the country. If caught the men could each face as much as 20 years in prison on the assorted charges brought by the DOJ.
The hacking campaign took place from October 2020 to August 2022 and included hundreds of targets across the world, including dozens in the US. The Iranian hackers appeared to be seeking targets of opportunity with relatively simple or poor cyber defenses, and did not have any moral compunctions about who they attacked. One example of a US victim presented by the DOJ was a domestic violence shelter that had its systems compromised in December 2021. The shelter ended up having to pay a $13,000 ransom in bitcoin to restore its ability to function. The Iranian hackers also attacked a local housing authority in Washington state and threatened to leak stolen data, which presumably would include information on residents of public or subsidized housing.
Other victims of the Iranian hackers include a township in New Jersey, a state bar association, a county government in Wyoming, and several accounting firms across the country. In terms of critical infrastructure, the threat actors attacked at least two regional electric utility companies in two different states and a Washington construction company that had been contracted to work on critical infrastructure in the state.
It is also possible that the group played some role in the June 2021 attack on Boston Children’s Hospital. A US Treasury press release indicates that the group penetrated the hospital network around that time and was able to steal data and encrypt at least one device with the BitLocker ransomware.
In addition to issuing indictments for the Iranian hackers, the DOJ announced sanctions on two companies they are affiliated with: Najee Technology and Afkar System. These companies appear to have been part of the attacks on critical infrastructure companies, and have also individually targeted U.S. and Middle Eastern defense and government personnel. The DOJ announced $10 million in bounties for information leading to 10 individuals associated with these companies.
Edward Liebig, Global Director of Cyber-Ecosystem at Hexagon Asset Lifecycle Intelligence, notes that these hackers sometimes went after smaller fish than ransomware groups usually focus on: “The charges coming down on the Iranian hackers that exploited hundreds of computers in the US critical infrastructure space are just another stark reminder that cyber hygiene is critical to our defense against attacks. These attacks are focused on exploiting known vulnerabilities rather than targeting specific sectors, which advances asset and vulnerability management and remediation to the frontlines. Victims in the U.S. reportedly span from power companies to nonprofits, all of which must have detailed visibility into their assets in order to effectively protect them from threat actors … Unfortunately, critical infrastructure entities often rely on dated technology that’s extremely vulnerable to these types of attacks. Put simply: it’s not that hard for cybercriminals to compromise critical infrastructure systems. The Biden Administration’s crackdown on Iranian cybercriminal groups is working and should continue to be a focus, as should urging operators of critical infrastructure to shore up their cyber hygiene quickly and effectively.”
Attacks involving critical infrastructure prove quick to trigger sanctions
These Iranian hackers are not the first targeted by the DOJ for operating in the US, nor the first to draw sanctions. Involving critical infrastructure increasingly seems to guarantee this response as the Biden administration has aggressively moved to shore up national defenses since taking office.
The DOJ has periodically handed down indictments against Iranian hackers since 2016, when a team of seven went on a run of attacking US banks. In 2018, a hacking and espionage ring was charged with stealing research and confidential information from over 100 universities and government agencies. And in 2021, two Iranian hackers were charged with orchestrating a disinformation campaign meant to disrupt the 2020 election.
The US has also found itself involved in a recent spat between Iran and Albania that involves the former hacking the latter. After Iranian hackers caused widespread damage in government systems as part of a campaign to locate and attack dissidents, Albania called on NATO allies to help with the investigation and ultimately severed diplomatic ties with the country. The Treasury Department announced new sanctions on Iran’s intelligence agencies as a result of that investigation.
Austin Berglas, Global Head of Professional Services for BlueVoyant, suggests that businesses of all types and sizes should take note of the fact that the attackers followed vulnerabilities instead of targeting the most lucrative organizations: “These indictments highlight a major gap in security common to multiple sectors and organizations. Unpatched infrastructure is equivalent to leaving your house key under your doormat when you leave for vacation. Allowing cyber criminals to exploit publicly available vulnerabilities prevents them from having to spend time and resources developing new ways to compromise your environment. BlueVoyant’s threat intelligence confirms that hackers can start exploiting new vulnerabilities quickly, sometimes in a matter of days. For this reason, starting late 2021, the U.S.’s Cybersecurity & Infrastructure Security Agency (CISA) now requires that regulated government agencies patch new vulnerabilities within two weeks, and sometimes sooner if there is a grave risk. Despite the risk, BlueVoyant has found that some organizations are slow to patch, many taking weeks, leaving them vulnerable.”
“The number one concern for enterprises is to secure their data and credentials to ensure business continuity. The best way to have strong cybersecurity is several layers of defense, which should be systematically implemented over time. The first step is understanding what is critical in the environment and building walls of protection around, and rules for access to, this information. Multi-factor authentication (MFA) needs to be implemented across all accounts as the vast majority of account compromises will be prevented with this addition. Next, develop a baseline and establish alerting for users’ login patterns in order to understand what is abnormal or anomalous. Then, organizations should employ e-mail protection and continuously educate the user base on phishing and other common cyber threats,” suggested Berglas.
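One concrete way to do the "baseline and alerting for users' login patterns" step that Berglas recommends, as an added illustration that is not part of the article and not BlueVoyant's tooling: a small Python script that learns, per user, which source countries and hours of day are normal from a training window of successful logins, then flags later logins from an unseen country, at an unusual hour, or in a burst of failures. The log format, field names, user names, countries and thresholds are all constructed assumptions for the example.

```python
"""Baseline-and-alert example for user login patterns (constructed data, not from any real system)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. Assumed format:
#   <ISO-8601 UTC timestamp> user=<name> src=<country> result=<success|failure>
BASELINE_LOGS = [
    "2022-06-01T08:55:10Z user=alice src=US result=success",
    "2022-06-02T09:02:41Z user=alice src=US result=success",
    "2022-06-03T08:47:19Z user=alice src=US result=success",
    "2022-06-01T14:10:05Z user=bob src=US result=success",
    "2022-06-02T15:22:30Z user=bob src=CA result=success",
    "2022-06-03T13:58:12Z user=bob src=US result=success",
]

NEW_LOGS = [
    "2022-06-10T09:05:00Z user=alice src=US result=success",   # matches baseline
    "2022-06-10T03:12:44Z user=alice src=IR result=success",   # new country AND odd hour
    "2022-06-10T14:30:00Z user=bob src=CA result=success",     # matches baseline
    "2022-06-10T14:31:00Z user=bob src=RU result=failure",     # start of a failure burst
    "2022-06-10T14:31:05Z user=bob src=RU result=failure",
    "2022-06-10T14:31:10Z user=bob src=RU result=failure",
    "2022-06-10T14:31:15Z user=bob src=RU result=failure",
    "2022-06-10T14:31:20Z user=bob src=RU result=failure",
    "2022-06-10T14:31:25Z user=bob src=RU result=failure",
]


def parse_line(line):
    """Turn one log line into a dict; the timestamp is parsed into a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def build_baseline(lines):
    """Per user, record the source countries and hours of day seen on successful logins."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for rec in map(parse_line, lines):
        if rec["result"] == "success":
            baseline[rec["user"]]["countries"].add(rec["src"])
            baseline[rec["user"]]["hours"].add(rec["ts"].hour)
    return dict(baseline)


def hour_distance(a, b):
    """Distance between two hours of day on a 24-hour circle (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def detect_anomalies(baseline, lines, hour_slack=2, fail_threshold=5,
                     fail_window=timedelta(minutes=5)):
    """Return a list of (user, reason) alerts for logins that deviate from the baseline."""
    alerts = []
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failures
    burst_alerted = set()          # keys already alerted on, so a burst alerts once
    for rec in map(parse_line, lines):
        user, src, ts = rec["user"], rec["src"], rec["ts"]

        if rec["result"] == "failure":
            # Sliding window: keep only failures inside fail_window of this one.
            key = (user, src)
            recent = [t for t in failures[key] if ts - t <= fail_window] + [ts]
            failures[key] = recent
            if len(recent) >= fail_threshold and key not in burst_alerted:
                burst_alerted.add(key)
                alerts.append((user, f"{len(recent)} failed logins from {src} within {fail_window}"))
            continue

        profile = baseline.get(user)
        if profile is None:
            alerts.append((user, "successful login for user with no baseline"))
            continue
        if src not in profile["countries"]:
            alerts.append((user, f"login from country not in baseline: {src}"))
        if all(hour_distance(ts.hour, h) > hour_slack for h in profile["hours"]):
            alerts.append((user, f"login at unusual hour: {ts.hour:02d}:00 UTC"))
    return alerts


if __name__ == "__main__":
    for user, reason in detect_anomalies(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print(f"ALERT {user}: {reason}")
```

Run as-is it prints three alerts: two for alice's login from a new country at 03:00 UTC and one for the burst of failed logins against bob from a single source. In practice the baseline window would be weeks of real authentication logs rather than six lines, the country field would come from a GeoIP lookup on the source address, and the thresholds would be tuned per environment; the structure (learn per-user norms from successes, alert on deviation and on failure bursts) is what the quoted advice is asking for.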