September 27, 2022


WASHINGTON — The Justice Department on Wednesday dropped the August indictment of three Iranian nationals who officials said are behind an international ransomware conspiracy that has targeted hundreds of corporate and government victims around the world for at least two years.


The three men allegedly defrauded a township in New Jersey, a county in Wyoming, a regional electricity company in Mississippi and another in Indiana, a public housing authority in Washington state, and a statewide bar association in an undisclosed state.

DOJ officials said they believe the number of victims in the US alone has reached hundreds, and that even more are likely to be identified in the future.


The defendants are Mansoor Ahmadi, Ahmad Khatibi Aghda and Amir Hossein Nikaeen Ravari, all of whom are believed to be living in Iran. None of them has been arrested, and officials acknowledged that US law enforcement has few options for taking them into custody.

DOJ officials said Wednesday morning that the three men carried out the alleged cyberattacks for their personal gain and not under the direction of the Iranian government.

But it soon became clear that the relationship between Iran’s government and the three alleged cybercriminals was more complicated than previously thought.

Several hours after the Justice Department dropped the indictments, the Treasury Department announced new sanctions against 10 Iranian nationals and two Iranian tech companies.

Ahmadi, Aghda and Ravari were among those sanctioned, and the two sanctioned tech companies are the firms where the defendants work.

Treasury officials described all 10 sanctioned individuals as “affiliated with Iran’s Islamic Revolutionary Guard Corps”.


The IRGC is a specialized branch of the Iranian military that oversees Iran’s international cyber warfare and espionage operations. These operations are often performed using proxy groups, which Western security experts recognize by nicknames such as “Phosphorus” and “Charming Kitten”.

According to a Treasury Department notice, this particular group of Iranians is clearly not aligned with one of the existing IRGC proxy gangs. Nevertheless, “some of their malicious cyber activity may be partly responsible for many gangs linked to the government of Iran”.

The scheme relied in part on BitLocker, Microsoft's disk-encryption feature built into Windows, which is used by thousands of customers around the world.

In addition to Treasury and Justice, the State Department also took action against the three alleged cybercriminals, announcing rewards of up to $10 million for information about any of them.

Over the course of the day, the picture that emerged from the indictment and the sanctions notices was of a group of hackers affiliated with the Iranian government who were moonlighting as ransomware thieves.

A Justice Department official said, “We have a group of people who have some level of state employment, or are doing something for the state, but who are also willing to do something to make money.”

However, the official declined to explain how the government was alerted to the individual ransomware attacks. Nor would he say specifically which organizations were targeted, which of them had contacted the authorities and which had not.

It is no secret that corporations hit by ransomware attacks often choose to pay the attackers rather than alert law enforcement, for fear that news of the attack will scare away investors and customers.


The Justice Department has struggled for decades to convince institutional victims of cyberattacks that they would be better served by reporting an attack than by covering it up.