The U.S. Treasury Department’s Office of Foreign Assets Control
(OFAC) on Wednesday announced sweeping sanctions against ten
individuals and two entities backed by Iran’s Islamic Revolutionary
Guard Corps (IRGC) for their involvement in ransomware attacks at
least since October 2020.
The agency said the cyber activity mounted by the individuals is
partially attributable to intrusion sets tracked under the names
APT35, Charming Kitten, Nemesis Kitten, Phosphorus, and
TunnelVision.
“This group has launched extensive campaigns against
organizations and officials across the globe, particularly
targeting U.S. and Middle Eastern defense, diplomatic, and
government personnel, as well as private industries including
media, energy, business services, and telecommunications,” the
Treasury said[1].
The Nemesis Kitten actor, which is also known as Cobalt Mirage[2], DEV-0270[3], and UNC2448[4], has come under the
scanner in recent months for its pattern of ransomware attacks for
opportunistic revenue generation using Microsoft’s built-in
BitLocker tool to encrypt files on compromised devices.
Microsoft and Secureworks have characterized DEV-0270 as a
subgroup of Phosphorus[5]
(aka Cobalt Illusion), with ties to another actor referred to as
TunnelVision[6]. The Windows maker also
assessed with low confidence that “some of DEV-0270’s ransomware
attacks are a form of moonlighting for personal or company-specific
revenue generation.”
What’s more, independent analyses from the two cybersecurity
firms as well as Google-owned Mandiant[7]
have revealed the group’s connections to two companies, Najee
Technology (which operates under the aliases Secnerd and Lifeweb)
and Afkar System, both of which have been subjected to U.S.
sanctions.
It’s worth noting that Najee Technology and Afkar System’s
connections to the Iranian intelligence agency were first flagged
by an anonymous anti-Iranian regime entity called Lab Dookhtegan[8]
earlier[9]
this year[10].
“The model of Iranian government intelligence functions using
contractors blurs the lines between the actions tasked by the
government and the actions that the private company takes on its
own initiative,” Secureworks said in a new report[11] detailing the
activities of Cobalt Mirage.
While the exact links between the two companies and the IRGC remain
unclear, the practice of private Iranian firms acting as fronts for, or
providing support to, intelligence operations is well established,
with earlier examples including ITSecTeam (ITSEC), Mersad[12], Emennet Pasargad[13], and Rana Intelligence Computing
Company[14].
On top of that, the Secureworks probe into a June 2022 Cobalt
Mirage incident showed that the metadata of a PDF file containing
the ransom note listed Ahmad Khatibi, the CEO and owner of the
Iranian company Afkar System, as its creator.
Ahmad Khatibi Aghda is also one of the 10 individuals
sanctioned by the U.S., alongside Mansour Ahmadi, the CEO of Najee
Technology, and other employees of the two enterprises who are said
to be complicit in targeting various networks globally by
leveraging well-known security flaws to gain initial access for
follow-on attacks.
Some of the exploited flaws[15], according to a
joint cybersecurity advisory[16] released by Australia,
Canada, the U.K., and the U.S., as part of the IRGC-affiliated
actor activity are as follows –
- Fortinet FortiOS path traversal vulnerability (CVE-2018-13379[17])
- Fortinet FortiOS default configuration vulnerability (CVE-2019-5591[18])
- Fortinet FortiOS SSL VPN 2FA bypass (CVE-2020-12812[19])
- ProxyShell[20] (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), and
- Log4Shell[21] (CVE-2021-44228, CVE-2021-45046, and/or CVE-2021-45105)
“Khatibi is among the cyber actors who gained unauthorized
access to victim networks to encrypt the network with BitLocker and
demand a ransom for the decryption keys,” the U.S. government said,
in addition to adding him to the FBI’s Most Wanted list[22].
“He leased network infrastructure used in furtherance of this
malicious cyber group’s activities, he participated in compromising
victims’ networks, and he engaged in ransom negotiations with
victims.”
Coinciding with the sanctions, the Justice Department separately
charged[23] Ahmadi, Khatibi, and a
third Iranian national named Amir Hossein Nickaein Ravari for
engaging in a criminal extortion scheme to inflict damage and
losses to victims located in the U.S., Israel, and Iran.
All three individuals have been charged with one count of
conspiring to commit computer fraud and related activity in
connection with computers; one count of intentionally damaging a
protected computer; and one count of transmitting a demand in
relation to damaging a protected computer. Ahmadi has also been
charged with one count of intentionally damaging a protected
computer.
That’s not all. The U.S. State Department has also announced monetary rewards[24] of up to $10 million
for any information about Mansour, Khatibi, and Nikaeen[25] and their
whereabouts.
“These defendants may have been hacking and extorting victims –
including critical infrastructure providers – for their personal
gain, but the charges reflect how criminals can flourish in the
safe haven that the Government of Iran has created and is
responsible for,” Assistant Attorney General Matthew Olsen
said.
The development comes close on the heels of sanctions[26] imposed by the U.S.
against Iran’s Ministry of Intelligence and Security (MOIS) and its
Minister of Intelligence, Esmaeil Khatib, for engaging in
cyber-enabled activities against the nation and its allies.
References
- [1] said (home.treasury.gov)
- [2] Cobalt Mirage (thehackernews.com)
- [3] DEV-0270 (thehackernews.com)
- [4] UNC2448 (thehackernews.com)
- [5] Phosphorus (thehackernews.com)
- [6] TunnelVision (thehackernews.com)
- [7] Mandiant (thehackernews.com)
- [8] Lab Dookhtegan (thehackernews.com)
- [9] earlier (mobile.twitter.com)
- [10] year (mobile.twitter.com)
- [11] new report (www.secureworks.com)
- [12] ITSecTeam (ITSEC), Mersad (www.justice.gov)
- [13] Emennet Pasargad (thehackernews.com)
- [14] Rana Intelligence Computing Company (thehackernews.com)
- [15] exploited flaws (www.cisa.gov)
- [16] joint cybersecurity advisory (www.cisa.gov)
- [17] CVE-2018-13379 (thehackernews.com)
- [18] CVE-2019-5591 (thehackernews.com)
- [19] CVE-2020-12812 (thehackernews.com)
- [20] ProxyShell (thehackernews.com)
- [21] Log4Shell (thehackernews.com)
- [22] Most Wanted list (www.fbi.gov)
- [23] charged (www.justice.gov)
- [24] announced monetary rewards (www.state.gov)
- [25] Mansour, Khatibi, and Nikaeen (rewardsforjustice.net)
- [26] sanctions (thehackernews.com)
Read more https://thehackernews.com/2022/09/us-charges-3-iranian-hackers-and.html
