Iranians Indicted In Hacking Conspiracy

  • September 15, 2022
  • Clayton Rice, K.C.

The United States Department of Justice unsealed an indictment yesterday charging three Iranian nationals with carrying out cyber attacks against global critical infrastructure. The targets included government entities, accounting firms and power companies. The alleged goal of the campaign was to gain unauthorized access to computers, steal data and demand ransom in cryptocurrency in exchange for keeping the data confidential or decrypting it. The U.S. State Department has offered a reward of up to $10m for information leading to the location of the defendants. It is all so familiar.

1. Introduction

On September 14, 2021, the U.S. Department of Justice unsealed the indictment in the United States District Court, District of New Jersey, charging Mansour Ahmadi, Ahmad Khatibi Aghda and Amir Hossein Nickaein Ravari with conspiracy to commit fraud and to damage a protected computer. (here) The attacks are alleged to have been carried out against hundreds of computers in at least five countries, including the United States and the United Kingdom, over a two-year time frame dating back to 2020. The defendants have not been arrested and are believed to be living in Iran. While it has not been asserted that the attacks were carried out on behalf of the Iranian government, various U.S. officials claim that Iranian indifference allows cyber attacks against targets beyond the country’s borders to be carried out from within Iran. Even if the defendants are not apprehended, the indictment limits their freedom to travel outside Iran.

2. Indictment

The indictment states that the defendants allegedly engaged in a scheme to gain access to the computer systems of hundreds of targets in the United States, the United Kingdom, Israel, Iran, and Russia by exploiting known vulnerabilities in commonly used network devices and software applications to exfiltrate data and information from their systems. The defendants profited by conducting encryption attacks against the targets’ computer systems and then denying them access unless they made a ransom payment. The targets included a broad range of organizations including small businesses, government agencies and non-profit programs. Three of the specifically named targets were an Indiana electric utility company, a public housing corporation in the State of Washington and a domestic violence shelter in Pennsylvania.

3. Conspiracy

The indictment alleges that the defendants conspired to commit two specific offences against the United States: (a) conspiracy to damage a protected computer without authorization causing loss totaling at least $5,000 in value; and, (b) conspiracy to extort money by transmitting a demand for money in relation to damage to a protected computer where the damage was caused to facilitate the extortion. (para. 4) The goal of the conspiracy was to accomplish four objectives: (i) control the targets’ computer systems; (ii) steal money; (iii) cause damage to the targets’ computers, including by encrypting their data; and, (iv) demand ransom payments in exchange for maintaining confidentiality of the targets’ data or decrypting their data. (para. 5) It appears that the gambit was straight out of the standard ransomware playbook. The government claims the conspiracy was implemented by the following means:

  • the exploitation of vulnerabilities in the targets’ computer systems to gain unauthorized access;
  • the use of a publicly available cyber tool, Fast Reverse Proxy (FRP), to maintain “back door” connections to targeted networks;
  • the creation and registration of look-alike web domains using a naming format that was designed to resemble the web domains of legitimate, well-known technology companies in order to deceive the targets;
  • theft of data from the targets’ computer systems;
  • the deployment of encryption attacks by activating BitLocker on the targets’ networks, thereby denying targets access to their systems and data unless they made a ransom payment in exchange for the BitLocker decryption keys; and,
  • the collection of ransom payments using Bitcoin and other cryptocurrencies. (para. 6)
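The look-alike domains in the third item above are something a defender can screen for directly in DNS or proxy logs. The following is an added example, not code from the post or the indictment: a Python check that flags domains which embed a brand name, misspell it, substitute look-alike characters, or bury it in the host part of an unrelated name. The brand watch list, the similarity threshold and the sample domains are constructed assumptions.

```python
# Added example, not from the post or the indictment: a defender-side check for the
# look-alike domains it describes. Brand list and sample domains are constructed.
import re
from difflib import SequenceMatcher

BRANDS = ["microsoft", "google", "amazon", "cisco"]  # constructed watch list
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(label: str) -> str:
    """Fold digit and letter-pair look-alikes: 'rnicr0soft' -> 'microsoft'."""
    return label.translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def assess(domain: str, brands=BRANDS, min_ratio: float = 0.8):
    """Return (brand, reason) if the domain imitates a brand, else None.
    Assumes a one-label public suffix (example.com); co.uk-style suffixes need a
    public-suffix list (e.g. the tldextract package) to split correctly."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    subdomains, registrable = labels[:-2], labels[-2]
    for brand in brands:  # brand buried in the host part of another name
        if brand in subdomains and registrable != brand:
            return (brand, "brand-in-subdomain")
    if registrable in brands:
        return None  # the brand's own registrable name
    folded = normalize(registrable)
    tokens = [t for t in re.split(r"[-_\d]+", folded) if t]
    best = None
    for brand in brands:
        if folded == brand:
            return (brand, "homoglyph")
        if brand in tokens:  # whole-token match: 'cisco' inside 'francisco' is not flagged
            return (brand, "embedded-brand")
        ratio = SequenceMatcher(None, folded, brand).ratio()
        if ratio >= min_ratio and (best is None or ratio > best[1]):
            best = (brand, ratio)
    return (best[0], "near-match") if best else None

def scan(domains):
    """Map each suspicious domain to its (brand, reason); clean names are omitted."""
    return {d: r for d in domains if (r := assess(d)) is not None}

# Constructed sample of outbound destinations, as pulled from DNS or proxy logs.
SAMPLE = ["www.microsoft.com", "micr0soft.com", "microsoft-update-service.net",
          "login.microsoft.com.example.net", "microsft.com", "sanfrancisco.org"]

if __name__ == "__main__":
    for domain, (brand, reason) in scan(SAMPLE).items():
        print(f"{domain:35} imitates {brand} ({reason})")
```

The similarity threshold trades false positives against misses; lowering it catches more misspellings but will start flagging unrelated short names.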

I will give you four of the alleged overt acts carried out by the defendants in furtherance of the conspiracy titled The Township Compromise; Compromise, Malicious Encryption, and Extortion of Accounting Firm 2; Compromises of Power Company 1 and Power Company 2; and, Compromise, Malicious Encryption, and Extortion of The Domestic Violence Shelter.

(a) Township Compromise

On January 6, 2021, Mr. Ahmadi registered a website address with a U.S. company identified as “Domain 1”. Domain 1 used a name that resembled a major U.S. technology company but had no relationship with that company. About a month later, an unidentified member of the conspiracy gained unauthorized access to the computer system of the Township, thereby gaining access to its network and data. During the same time period, using this unauthorized access, an unidentified member of the conspiracy installed FRP on the Township’s network to establish an unauthorized connection from the Township’s network to Domain 1.

(b) Extortion of Accounting Firm 2

On April 19, 2021, Mr. Ravari gained unauthorized access to the computer system of Accounting Firm 2, stole data, and launched an encryption attack using BitLocker. Accounting Firm 2 was thus denied access to certain systems and data. A ransom demand was then sent to the printers at Accounting Firm 2. The note demanded payment in exchange for decrypting the data and also threatened to publicize the stolen data if payment was not made. The note directed Accounting Firm 2 to contact an email account controlled by Mr. Ravari. Here is the ransom note:

“Hi! IF YOU ARE READING THIS, IT MEANS YOUR DATA IS ENCRYPTED AND YOUR PRIVATE SENSITIVE INFORMATION IS STOLEN! READ CAREFULLY THE WHOLE INSTRUCTIONS TO AVOID ANY PROBLEMS. YOU HAVE TO CONTACT US IMMEDIATELY TO RESOLVE THIS ISSUE AND MAKE A DEAL! We will sell your data if you decide not to pay or try to recover them.”

(c) Compromises of the Power Companies

On October 14, 2021, Mr. Aghda gained unauthorized access to Power Company 1’s computer system and launched an encryption attack by activating BitLocker, denying the company access to some of its systems and data. Mr. Aghda then sent a ransom demand to the company’s printers. The demand directed the company to contact an email account or a messaging platform account that Mr. Aghda controlled. Here is the ransom demand:

“You read this text because your network is accessible to us. We can block re-hacking. You are constantly at risk. If you want to secure your network against any hacking and get your encrypted codes, contact us.”

On October 25, 2021, Mr. Aghda gained unauthorized access to Power Company 2’s computer system and attempted to launch an encryption attack using BitLocker.

(d) Extortion of The Domestic Violence Shelter

On December 12, 2021, an unidentified member of the conspiracy gained unauthorized access to the Domestic Violence Shelter’s computer system and launched an encryption attack by activating BitLocker. A ransom note was then sent to the printers at the Domestic Violence Shelter that stated:

“Hi. Do not take any actions for recovery. Your files may be corrupted and not recoverable. Just contact us.”

The note directed the Shelter to contact an email account or messaging platform account controlled by Mr. Aghda. Mr. Aghda then sent an email to a representative of the Shelter asking for payment of one Bitcoin. After agreeing to a price of $13,000, Mr. Aghda provided his Bitcoin wallet address to the Shelter representative for payment. After receiving payment, Mr. Aghda released the decryption keys to restore access to the Shelter’s systems and data.

4. Broader Implications

In a press release issued by the U.S. Attorney’s Office, District of New Jersey, on September 14, 2022, U.S. Attorney Philip R. Sellinger said the charges reflect how cybercrime flourishes in the “safe haven” created by the Iranian government although the indictment does not allege that the defendants were working at the behest of the government. (here) Although the targets appear to be victims of opportunity, Mr. Sellinger noted a “through line” among many of them. A common feature is the delivery of essential services that people rely upon every day. (here) It is not clear at this point how much data may have been stolen or how it has been used. (here)

The unsealing of the indictment also coincided with an announcement by the U.S. Treasury Department’s Office of Foreign Assets Control sanctioning ten individuals and two entities for their roles in conducting malicious cyber acts, including ransomware activities. The designations are part of a joint action with the Department of Justice, Department of State, FBI, U.S. Cyber Command, National Security Agency, and Cybersecurity and Infrastructure Security Agency. The individuals and entities designated are all affiliated with Iran’s Islamic Revolutionary Guard Corps and include the three defendants charged in the Ahmadi indictment. (here) In a concurrent press release, the U.S. Department of State offered up to $10m for information leading to the location of the defendants. (here and here)

5. Conclusion

Ransomware attacks have been steadily increasing over the last decade, as I discussed in previous posts to On The Wire. (here and here) Earlier this month, hackers breached the computer systems of Los Angeles Unified, the second-largest school district in the United States. (here) And hospitals in the United States have been aggressively targeted by a North Korean ransomware campaign since 2021. According to a report by the cybersecurity firm Sophos, the number of ransomware attacks on health care organizations in the U.S. increased 94% from 2021 to 2022. Ransomware attacks on health care facilities are particularly common in the U.S. Forty-one percent of ransomware attacks worldwide have been carried out against U.S. targets. As tech journalist Kari Paul said in a report for The Guardian, ransomware attacks have become “ominously frequent.” (here and here)