WASHINGTON — The Department of Justice on Wednesday unsealed an August indictment of three Iranian nationals who officials said are behind an international ransomware conspiracy that has targeted hundreds of corporate and government victims around the world for at least two years.
The three men allegedly defrauded a township in New Jersey, a county in Wyoming, a regional electric power company in Mississippi and another in Indiana, a public housing authority in Washington state and a statewide bar association in an unnamed state.
DOJ officials said they believed the number of victims in the U.S. alone reached well into the hundreds, with even more likely to be identified in the future.
The defendants are Mansour Ahmadi, Ahmad Khatibi Aghda and Amir Hossein Nickaein Ravari, and they are believed to be living in Iran. None of them has been arrested, and officials admitted that U.S. law enforcement has few options available to detain them in person.
The three individuals carried out the alleged cyber attacks for their personal gain, and not under the direction of the Iranian government, DOJ officials said Wednesday morning.
But it soon became clear that the relationship between Iran’s government and the three alleged cyber criminals was more complicated than it had initially appeared.
Several hours after the Justice Department unsealed the indictments, the Treasury Department announced new sanctions against 10 Iranian nationals and two Iranian tech companies.
Ahmadi, Aghda and Ravari were among those sanctioned, and the two tech sanctioned companies are where the defendants work.
Treasury officials described all 10 of the sanctioned individuals as “affiliated with Iran’s Islamic Revolutionary Guard Corps.”
The IRGC is an elite branch of the Iranian military that oversees Iran’s international cyber warfare and espionage operations. These operations are often conducted using proxy groups, which Western security experts identify with nicknames like “Phosphorous” and “Charming Kitten.”
According to a notice from the Treasury Department, this particular group of Iranians is not obviously aligned with one of the existing IRGC proxy gangs. Even so, “some of their malicious cyber activity can be partially attributable to several” gangs associated with Iran’s government.
The scheme relied in part upon BitLocker, a popular cybersecurity encryption product from Microsoft which is used by thousands of clients worldwide.
In addition to Treasury and Justice, the State Department also took action against the three alleged cybercriminals, announcing rewards of up to $10 million for information about any of them.
Over the course of the day, the picture that emerged from the indictments and the sanctions notice was that of a group of Iranian government affiliated cyber hackers who were moonlighting as ransomware thieves.
“We have a group of folks who have some level of state employment, or are doing something for the state, but who are also up to something on the side to make money,” said a Justice Department official who spoke to reporters on background about the case.
The official declined to say how the government was alerted to the individual ransomware attacks, however. Nor would he reveal specifically which of the organizations that were targeted reached out to authorities and which did not.
It’s little secret that corporations targeted by ransomware attacks often choose to pay the ransom to the attackers instead of alerting law enforcement out of fear that news of the attack will spook investors and customers.
The Justice Department has struggled for decades to convince institutional victims of cyberattacks that they would be better served by reporting the attack than by covering it up.