Iranian Nationals Charged for Sprawling Cyber Campaign
- April 30, 2024
- Clayton Rice, K.C.
The tension was ratcheted up last week in the latest round of cyberwar with the unsealing of an indictment in the United States District Court, Southern District of New York, charging four Iranian nationals with carrying out a malicious cyber campaign targeting federal government agencies, Pentagon contractors handling classified information and more than a dozen companies. And the U.S. Department of the Treasury simultaneously announced sanctions against two front companies linked to the Iranian Islamic Revolutionary Guard cyber command.
1. Introduction
On April 23, 2024, the U.S. Attorney’s Office, Southern District of New York, announced the unsealing of a superseding indictment charging four Iranian nationals with conspiracy to commit computer intrusions, conspiracy to commit wire fraud and aggravated identity theft for their involvement in a sprawling cyber campaign to compromise U.S. government and private entities. (here) The targets of the hacking organization included the U.S. Department of the Treasury, the U.S. Department of State, defence contractors and two companies based in New York. (here) The group allegedly used spearphishing – tricking an email recipient into clicking on a malicious link – to infect victim computers with malware. The hackers also used social engineering, impersonating others to gain the confidence of victims. “Today’s charges pull back the curtain on an Iran-based company that purported to provide ‘cybersecurity services’ while in actuality scheming to compromise U.S. private and public sector computer systems,” said Assistant Attorney General Matthew Olsen.
2. The Defendants
The indictment alleges the hacking campaign carried out computer intrusions into more than a dozen American companies. The private sector targets were primarily defence contractors granted security clearances by the U.S. Department of Defense to access, receive and store classified information for the purpose of conducting activities in support of U.S. Defense Department programs. Other private sector victims included a New York accounting firm where more than 200,000 employee accounts were compromised and a hospitality company, also based in New York, where more than 2,000 employee accounts were targeted. The indictment alleges the defendants worked for private technology companies based in Iran and played the following roles in the conspiracy:
- Hossein Harooni was responsible for “procuring, administering, and managing the online network infrastructure” including computer servers and customized software used to facilitate computer intrusions. Mr. Harooni also used the identity of a real person, identified by the pseudonym “Individual-1”, including the use of that person’s passport, to conceal his role in procuring online infrastructure to facilitate computer intrusions.
- Reza Kazemifar was responsible for testing the tools deployed in the cyber campaigns. He was “involved in testing spearphishing emails” and “in developing malware utilized […] in social engineering initiatives.” From 2014 to 2020, Mr. Kazemifar worked for the Iranian Organization for Electronic Warfare and Cyber Defense (EWCD). EWCD is a component of the Islamic Revolutionary Guard Corps (IRGC) which is part of the Iranian Armed Forces. The IRGC is responsible for Iran’s offensive cyber capabilities and has been designated as a foreign terrorist organization by the United States.
- Komeil Baradaran Salmani was responsible for testing spearphishing tools including the campaign against the hospitality company. Mr. Salmani was also involved in maintaining infrastructure used by the defendants.
- Alireza Shafie Nasab was responsible for procuring infrastructure particularly for social engineering campaigns. He also used Individual-1’s identity to register server and email accounts used during cyber campaigns.
None of the defendants have been arrested. Concurrently with the unsealing of the indictment, the U.S. Department of State’s Rewards for Justice program offered a reward of up to $10 million for information leading to the identification or location of the group and the defendants. (here)
3. Spearphishing and Social Engineering
The defendants allegedly created an application dubbed “Dandelion” to manage the spearphishing campaigns. The application gave them a report on the target email accounts for each campaign, including whether a particular target clicked the malicious hyperlink in a spearphishing email, and, for those who did, the victim’s internet protocol (IP) address, location, web browser and operating system. Dandelion also allowed the defendants to select which email accounts to target before launching an attack. In some instances, the defendants registered domains that mimicked the domains of the targets so that recipients would believe the spearphishing emails came from a trusted source. In other cases, the defendants used accounts they had already compromised to target additional victims.
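The indictment’s description of domains registered to mimic the targets’ own domains is the attacker’s side of a well-known technique. The following is an added example, not code from the indictment, the article or any of the parties, of the defensive check a mail gateway or SOC analyst would run against it: a sender domain is compared with an organisation’s legitimate domains after punycode decoding, accent stripping and homoglyph folding, and is flagged when it is a confusable spelling, a near-miss by edit distance, the same name under a different top-level domain, or a trusted name buried in the subdomain of an unrelated registration. The trusted domains, the homoglyph table and the thresholds are constructed assumptions; the two-label “registrable domain” shortcut stands in for a Public Suffix List lookup.

```python
"""Flag sender domains that impersonate an organisation's own domains.

Added example (not from the indictment or the article). The domain names,
the homoglyph table and the edit-distance thresholds are assumptions.
"""
import unicodedata

# Constructed list of the organisation's legitimate domains (assumption).
TRUSTED_DOMAINS = {"example-defense.com", "example.gov"}

# Visually confusable substitutions commonly seen in lookalike registrations
# (assumed list). Multi-character pairs come first so "rn" folds before "n".
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"),
              ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]


def normalize_domain(domain: str) -> str:
    """Lower-case, decode punycode labels, strip accents and fold homoglyphs.

    Both the sender domain and the trusted list pass through this, so the
    comparison stays consistent even if a legitimate name contains digits.
    """
    labels = []
    for label in domain.strip().rstrip(".").lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: compare the raw label instead
        label = unicodedata.normalize("NFKD", label)
        label = "".join(c for c in label if not unicodedata.combining(c))
        for fake, real in HOMOGLYPHS:
            label = label.replace(fake, real)
        labels.append(label)
    return ".".join(labels)


def registrable(domain: str) -> tuple:
    """Return (second-level label, tld).

    Simplification: assumes a one-label public suffix. Production code should
    consult the Public Suffix List so that e.g. "co.uk" is handled correctly.
    """
    labels = domain.split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender_domain(sender: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Return a dict with 'verdict' (trusted|lookalike|unrelated), 'reason', 'target'."""
    raw = sender.strip().rstrip(".").lower()
    raw_sld, raw_tld = registrable(raw)
    trusted_lower = {t.lower() for t in trusted}
    if f"{raw_sld}.{raw_tld}" in trusted_lower:  # our domain or a real subdomain of it
        return {"verdict": "trusted", "reason": "registrable domain is ours",
                "target": f"{raw_sld}.{raw_tld}"}

    norm = normalize_domain(raw)
    norm_sld, norm_tld = registrable(norm)
    for t in sorted(trusted_lower):
        t_norm = normalize_domain(t)
        t_sld, t_tld = registrable(t_norm)
        if (norm_sld, norm_tld) == (t_sld, t_tld):
            return {"verdict": "lookalike",
                    "reason": "homoglyph/IDN spelling of trusted domain", "target": t}
        if f".{t_norm}." in f".{norm}.":
            return {"verdict": "lookalike",
                    "reason": "trusted domain embedded as a subdomain", "target": t}
        if norm_sld == t_sld and norm_tld != t_tld:
            return {"verdict": "lookalike",
                    "reason": "same name under a different TLD", "target": t}
        limit = 1 if len(t_sld) < 8 else 2  # assumed thresholds
        if 0 < edit_distance(norm_sld, t_sld) <= limit:
            return {"verdict": "lookalike",
                    "reason": f"within {limit} edit(s) of trusted name", "target": t}
    return {"verdict": "unrelated", "reason": "no resemblance to a trusted domain",
            "target": None}


if __name__ == "__main__":
    # Constructed sender domains standing in for the From:/Return-Path of inbound mail.
    samples = ["mail.example-defense.com", "examp1e-defense.com", "exarnple-defense.com",
               "example-defence.com", "example-defense.com.login-portal.net",
               "example.com", "exámple-defense.com".encode("idna").decode("ascii"),
               "unrelated-vendor.org"]
    for s in samples:
        r = classify_sender_domain(s)
        print(f"{s:45} {r['verdict']:10} {r['reason']}")
```

Run on the constructed samples, only the genuine subdomain of example-defense.com comes back trusted; the digit-for-letter, “rn”-for-“m”, accented (punycode) and single-typo spellings, the .com twin of the .gov name, and the trusted name stuffed into a subdomain of an unrelated registration are all flagged as lookalikes. The check is deliberately run after normalisation of both sides, because an attacker who registers the IDN form relies on the defender comparing raw strings.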
The defendants also used social engineering to gain unauthorized access to victim accounts and networks. Social engineering is the use of deception to manipulate an individual into divulging confidential or personal information. (here) The indictment alleges that, generally, the defendants, “sent messages to victims from computer-created social media accounts with female personas.” The messages often contained links to a malicious domain or attached documents embedded with malware. Social engineering tactics are commonly used to obtain login credentials, credit card numbers, bank account numbers and social security numbers, information that may then be used to facilitate identity theft. Social engineering is an attractive tool for cyberthieves because it targets the person rather than the system, letting them get around technical cybersecurity controls. According to IBM reports for 2022 and 2023, breaches caused by social engineering tactics are among the most costly and are on the rise. (here and here)
4. Sanctions
In conjunction with the unsealing of the indictment, the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC), sanctioned the four defendants and two companies involved in malicious cyber activity on behalf of the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC). “Iranian malicious cyber actors continue to target U.S. companies and government entities in a coordinated, multi-pronged campaign intended to destabilize our critical infrastructure and cause harm to our citizens,” said Brian Nelson, Under Secretary of the Treasury for Terrorism and Financial Intelligence. “The United States will continue to leverage our whole-of-government approach to expose and disrupt these networks’ operations,” he added. (here)
The IRGC-CEC works through a “series of front companies” such as Mehrsam Andisheh Saz Nik (MASN) to target the U.S. and other countries. Formerly known as Mahak Rayan Afraz, MASN has been associated with Iranian advanced persistent threat groups, including Tortoiseshell. According to Symantec, MASN has been active in the Middle East since 2018 and has been linked to cyberattacks against Saudi Arabian IT providers and Israeli companies. (here and here) The company is also associated with other malicious cyber activities, including a multi-year campaign targeting the Department of the Treasury, other U.S. government entities and over a dozen U.S. companies. Very little, however, is known about the second company, Dadeh Afzar Arman. The action by the Treasury Department was taken under the counterterrorism authority of Executive Order 13224. (here) On January 12, 2018, OFAC designated the IRGC-CEC, also known as the IRGC Electronic Warfare and Cyber Defense Organization, for being owned or controlled by the IRGC. On October 13, 2017, the IRGC itself had been designated under Executive Order 13224.
5. Conclusion
The U.S. Treasury Department has alleged that the IRGC-CEC works through “a series of front companies” to target the United States and other countries. “Although front company management and key personnel know their operations support the IRGC-CEC, much of the Iranian public is not aware that some companies in Iran, such as Mehrsam Andisheh Saz Nik, are used as front companies to support the IRGC-CEC,” the department said in a press release. By naming these companies publicly, the U.S. asserts that it wants to inform the Iranian public about the use of these companies for launching cyber attacks against international targets. But, as Professor Vasileios Karagiannopoulos said in a piece posted earlier today by The Conversation, “efforts by the U.S. government to deter state-backed hackers working for governments including Iran, China and Russia have yet to bear fruit.” (here)