An Iranian cyber-crime outfit linked to the Iranian Ministry of Intelligence has been sanctioned by the US Treasury Department for conducting a “years-long malware campaign” targeting Iranian dissidents, journalists and international travel companies.
It comes as seven Iranian nationals were formally indicted by the US on cyber-crime charges including conspiracy to commit computer intrusions, identity theft and conspiracy to commit wire fraud, and were thus named as wanted by the FBI.
In a statement published on Thursday, September 18, US officials announced fresh sanctions on a hacking group known as Advanced Persistent Threat 39 (APT39) together with 45 individuals linked to the group, and the legal entity it was using as a front, called Rana Intelligence Computing Company.
The new measures came about after a protracted, deep-dive investigation by the US Federal Bureau of Investigation in Boston. The Treasury described APT39 as being owned and/or controlled by the Iranian Ministry of Intelligence, though it did not state how this had been established.
Some 45 people allegedly worked for Rana in various capacities as managers, programmers, and hacking experts. Over time, the US authorities claimed, APT39 under the guise of Rana had advanced the Iranian regime’s interests “by conducting computer intrusions and malware campaigns against perceived adversaries, including foreign governments and other individuals the [Ministry of Intelligence] considers a threat.”
Individuals targeted or monitored by the outfit included Iranian citizens, particularly dissidents, Iranian journalists, ex-Iranian government employees, environmentalists, refugees, students and university faculties, and employees at international NGOs.
“Some of these individuals,” the Treasury went on, “were subjected to arrest and physical and psychological intimidation. APT39 actors have also victimized Iranian private sector companies and Iranian academic institutions, including domestic and international Persian language and cultural centers.”
All in all, the US Treasury Department said that APT39 and Rana had been used to target hundreds of people and entities in 30 different countries across Asia, Africa, Europe, and North America, as well as 15 US airlines and travel companies. Notably on the list of victims were two Lebanese companies that the US had previously sanctioned because of their affiliation with Lebanese Hezbollah.
US Treasury secretary Steven T. Mnuchin said: “The Iranian regime uses its intelligence ministry as a tool to target innocent civilians and companies, and advance its destabilizing agenda around the world. The United States is determined to counter offensive cyber campaigns designed to jeopardize security and inflict damage on the international travel sector.”
The sanctions coincided with the indictment of seven Iranian nationals by a federal grand jury in the United States. Five of the men, Saeed Pourkarim Arabi, 34, Mohammad Reza Spargham, 25, Mohammad Bayati, 34, Hooman Heydarian, 30, and Mehdi Farhadi, 34, are wanted by the FBI in connection with the online targeting of American companies and the theft of the identities and credit card details of US citizens in an operation allegedly backed by the Revolutionary Guards.
Separately, Behzad Mohammadzadeh, 19, and co-conspirator Marwan Abusrour were indicted on September 3 for allegedly “defacing” more than 1,400 websites around the world between them with pro-Iranian and pro-hacking messages.
A total of 21 Iranian citizens have been indicted by the FBI on cyber-crime-related charges, though Iran has no extradition treaty with the US, so the likelihood of prosecution remains low. In the meantime, the 45 individuals and legal entities linked to Rana and APT39 are blocked from doing any business with companies in the US, and any US assets they hold will be frozen.
FBI director Christopher Wray said: “Iran’s [intelligence ministry], through their front company Rana, recruited highly educated people and turned their cyber-talents into tools to exploit, harass, and repress their fellow citizens and others deemed a threat to the regime.
“The sanctions announced today hold these 45 individuals accountable for stealing data not just from dozens of networks here in the United States, but from networks in Iran’s neighboring countries and around the world.”