DOJ Charges 3 Iranian Nationals Over Critical Infrastructure Ransomware Attacks

September 15, 2022 - The US Department of Justice (DOJ) charged three Iranian nationals with allegedly executing multiple ransomware attacks and other extortion schemes against US critical infrastructure entities, including healthcare organizations.

A newly unsealed indictment filed in the US District Court for the District of New Jersey and an accompanying DOJ press release detailed the elaborate schemes used to hack into the computer networks of “hundreds of victims” from the US, the UK, Israel, and Iran.

From October 2020 to the present, Mansour Ahmadi, Ahmad Khatibi Aghda, and Amir Hossein Nickaein Ravari, all of whom go by other by multiple other names, allegedly engaged in multiple schemes by exploiting known vulnerabilities in network devices and software applications.

“Ahmadi, Khatibi, Nickaein, and others, also conducted encryption attacks against victims’ computer systems, denying victims access to their systems and data unless a ransom payment was made,” the press release stated.

The three individuals may have also played a role in an attempted June 2021 cyberattack on Boston Children's Hospital. The US Treasury said that the group was able to compromise the network, create unauthorized accounts, exfiltrate data, and encrypt at least one device with BitLocker.

READ MORE: FBI Blocked Iranian-Backed Cyberattack on Boston Children’s Hospital Last Year

The US government notified the hospital of the attack before it could impact patient care or medical services.

An accompanying speech by Federal Bureau of Investigation (FBI) director Christopher Wray shed additional light on the Boston Children's Hospital attack.

“To these sorts of actors, nothing is off-limits. Not even, for example, Boston Children’s Hospital, which they set their sights on in the summer of 2021. Fortunately, before they could successfully launch their attack, we received a tip from a partner that the hospital had been targeted. And working closely with the hospital, we were able to identify and defeat the threat protecting both the network and the sick children who depend on it,” Wray stated.

“I’m very proud of our success thwarting that attack. This indictment, and the cybersecurity advisory we’re releasing, show what’s possible when federal and international partners work together and place a priority on close collaboration with victims. The cyber threat facing our nation is growing more dangerous and complex every day. Today’s announcement makes clear the threat is both local and global. It’s one we can’t ignore and it’s one we can’t fight on our own, either.”

In addition to healthcare centers, the three individuals targeted small businesses, government agencies, non-profit organizations, educational and religious institutions, transportation services, and utility providers.

In February 2021, the defendants targeted a township in Union County New Jersey and used a hacking tool to establish remote access to a domain registered to Ahmadi. In 2022 and beyond, the defendants launched attacks again an Illinois accounting firm, a domestic violence shelter in Pennsylvania, a county government in Wyoming, and others.

“Ransom-related cyberattacks — like what happened here — are a particularly destructive form of cybercrime,” US Attorney Philip R. Sellinger said.

READ MORE: CISA: Iranian Government-Sponsored Threat Actors Targeting Healthcare

“No form of cyber-attack is acceptable, but ransomware attacks that target critical infrastructure services, such as health care facilities and government agencies, are a threat to our national security. Hackers like these defendants go to great lengths to keep their identities secret, but there is always a digital trail. And we will find it.”

All three individuals are each charged with one count of intentionally damaging a protected computer, one count of conspiring to commit computer fraud, and one count of transmitting a demand in relation to damaging a protected computer.

The charges are just allegations, and the defendants are presumed innocent unless proven guilty, the DOJ noted. The offenses add up to significant prison time and a maximum potential fine of $250,000.

US Treasury Sanctions 10 Individuals and 2 Entities

The Department of the Treasury’s Office of Foreign Assets Control (OFAC) also took action against individuals affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) this week. OFAC sanctioned ten individuals (including the three mentioned in the unsealed indictment) and two entities, all of which are allegedly affiliated with the IRGC.

“Ransomware incidents have disrupted critical services and businesses globally, including schools, government offices, hospitals and emergency services, transportation, energy, and food companies,” the US Treasury stated.

READ MORE: FBI Warns of Patient Safety, Security Risks Associated With Legacy Medical Devices

“Reported ransomware payments in the United States reached over $590 million in 2021, compared to a total of $416 million in 2020. The U.S. government estimates that these payments represent just a fraction of the economic harm caused by malicious cyber activities.”

The sanctioned individuals have been tied to cyber exploits carried out by a variety of threat groups, including APT 35, Charming Kitten, Nemesis Kitten, Phosphorus, and Tunnel Vision.

Security Firms Continue to Track Threats

Mandiant researchers have also been tracking the threats carefully. The indictments are linked to a collection of threat activities that the firm tracks as UNC2448.

“The indictment is focused on the criminal activity of Iranian actors Mandiant has tracked for some time. We believe these organizations may have been moonlighting as criminals in addition to their status as contractors in the service of the IRGC. The IRGC leans heavily on contractors to carry out their cyber operations,” John Hultquist, VP, Mandiant Intelligence, said in a statement sent to HealthITSecurity.

“This group has been carrying out a brazen, widespread vulnerability scanning operation against targets in the U.S., Canada, Israel, UAE, and Saudi Arabia, seeking vulnerabilities in VPNs and MS Exchange among others. More often than not, they are monetizing their access, but their relationship to the IRGC makes them especially dangerous. Any access they gain could be served up for espionage or disruptive purposes.”

The indictments and sanctions come at a time when healthcare cyberattacks are continuing to skyrocket. The thwarted attack on Boston Children’s Hospital provided an example of how the healthcare sector and other critical infrastructure entities can get caught in the crossfire of geopolitical tensions.