US charges Iranians with cyber snooping on government, companies
Their holiday options are now far more restricted
The US has charged and sanctioned four Iranian nationals for their alleged roles in various attacks on US companies and government departments, all of whom are claimed to have worked for fake companies linked to Iran's military.
Reza Kazemifar, Komeil Baradaran Salmani, and Alireza Shafie Nasab were all once said to be employed by Mehrsam Andisheh Saz Nik (MASN), formerly known as Mahak Rayan Afraz – a company that claimed to offer cybersecurity services but instead is believed to have acted as a front for the attacks against the US.
Hossein Harooni was allegedly employed by a separate front company also affiliated with the Islamic Revolutionary Guard Corps (IRGC), a group responsible, among other things, for Iran's state-sponsored cyber activity. The IRGC was also designated as a foreign terrorist organization in the US in 2019, and the EU has been mulling an equivalent designation for some time.
All four and other co-conspirators are alleged to have been part of an organized effort to carry out multiple computer intrusions between at least 2016 and 2021. More than a dozen US companies were targeted, as well as the US State and Treasury departments.
Per the indictment [PDF], private sector attacks were mainly geared toward gaining access to accounts at US defense contractors, which have the necessary clearances to access classified information.
Spearphishing was the method of choice in most cases, with a smattering of social engineering thrown in. In one case, the accused are claimed to have breached an admin email account at an unnamed defense contractor, allowing them to create their own accounts and operate seemingly as genuine employees.
From there, the Justice Department said they used these accounts, along with the air of legitimacy that came with them, to launch follow-on spearphishing attacks at another defense contractor and a consulting firm.
In one case, the attackers compromised 200,000 staff accounts at a New York-based accounting business, the department claimed.
When they weren't lobbing malware through emails, they impersonated others – mainly women, the Justice Department said – to gain their trust and install malware that would compromise machines.
The DoJ reckons Kazemifar's role was to test the tools used for spearphishing campaigns, such as the emails sent to potential victims, and develop the malware those emails dropped. He's also alleged to have worked for the Electronic Warfare and Cyber Defense (EWCD) arm of the IRGC between 2014 and 2020.
Salmani and Nasab were responsible for sending the phishing emails and managing the infrastructure associated with the social engineering efforts respectively, the DoJ claimed.
As for Harooni, the US claims he had a wide-ranging role while working for a separate front company, still tied to the IRGC. He was responsible for procuring and managing the online infrastructure used to carry out attacks, including servers and custom software, while using another person's identity to conceal his tracks.
He's facing a maximum prison stint of 35 years, while Kazemifar, Salmani, and Nasab face 27 years each – if they're ever caught, that is.
As is often the case when trying to bring individuals from the US's four main adversary countries to justice, authorities will struggle to reach them since they're highly unlikely to ever be extradited by their home nations.
It's the same reason why ransomware criminals, who often reside in Russia, don't ever face any prison time. The same goes for cybercriminals in China and North Korea. They just won't be handed over.
So the US can charge them, add them to the Treasury's Office of Foreign Assets Control (OFAC) sanctions list, and offer the typical $10 million cash reward for information leading to their arrest, as it has done, but unless they are foolish enough to ever set foot anywhere with a US extradition agreement, they'll probably roam free forever.
"Today's charges pull back the curtain on an Iran-based company that purported to provide 'cybersecurity services' while in actuality scheming to compromise US private and public sector computer systems, including through spearphishing and social engineering attacks," said Matthew G Olsen, assistant attorney general at the Department of Justice's National Security Division.
"The Department is committed to using a whole of government approach to disrupt such malicious activities and impose consequences on the individuals that carry them out. Employees that continue to work at these companies risk arrest and prosecution or a lifetime as an international fugitive from justice." ®