US launches coordinated effort to deter malicious cyber activities

September 17, 2020

By a Biometrica staffer

Four federal agencies launched a coordinated effort to disrupt and deter Iranian malicious cyber activities targeting the US and the broader international community, the Department of Justice (DoJ) said in a statement.

The DoJ, the Federal Bureau of Investigation (FBI), the Department of Homeland Security (DHS), and the Department of the Treasury (USDT) have been engaged in a coordinated effort since September 14 2020, which continued through September 17 2020.

The malicious cyber activities are said to have been conducted by actors associated with the Islamic Republic of Iran’s (Iran) Ministry of Intelligence and Security (MOIS) and Islamic Revolutionary Guard Corps (IRGC), as well as other Iran-based individuals. They targeted victims in Australia, Europe, the Middle East, Southeast Asia, and the US.

Timeline of events:

– On September 14 2020, the FBI and the DHS’ Cybersecurity and Infrastructure Security Agency jointly published a Cybersecurity Advisory regarding tactics, techniques, and procedures (TTPs) of an Iran-based malicious cyber actor targeting several US federal agencies and other US-based networks.

– On September 15 2020, the DoJ announced the unsealing of a three-count indictment in the District of Massachusetts charging two hackers in relation to their intrusions into, and defacements of, websites hosted in the US. The hackers were Behzad Mohammadzadeh (aka “Mrb3hz4d”) – a citizen and resident of Iran – and Marwan Abusrour (aka “Mrwn007”) – a stateless national under the jurisdiction of the Palestinian Authority.

They allegedly conspired to damage, and subsequently did damage, computers in what is perceived as retaliation for the US military strike that killed Qasem Soleimani, the head of the IRGC-Quds Force, on January 2 2020. The IRGC-Quds Force is a branch of the IRGC and a US-designated Foreign Terrorist Organization. The website defacements were a subset of the more than 1,400 defacements around the world for which the defendants claimed responsibility between roughly June 2016 and July 2020.

(Website defacement is an attack in which the intruder replaces the original content of a website with a message of their own.)

– On September 16 2020 in the District of New Jersey, the DoJ announced the unsealing of a 10-count indictment charging two hackers, who sometimes operated under the pseudonym “Sejeal,” in relation to coordinated cyber intrusions and hacking campaigns targeting computer systems in Europe, the Middle East, and the US. The defendants, Hooman Heidarian (aka “neo”) and Mehdi Farhadi (aka “Mehdi Mahdavi”) – both Iranian nationals residing in Iran – stole hundreds of terabytes of data, which typically included confidential communications pertaining to national security, foreign policy intelligence, non-military nuclear information, aerospace data, human rights activist information, victim financial information and personally identifiable information, and intellectual property, including unpublished scientific research.

In some instances, the defendants’ hacks were politically motivated or at the behest of the government of Iran, including instances where they obtained information regarding dissidents, human rights activists, and opposition leaders. In other instances, the defendants sold the hacked data and information on the black market for private financial gain.

– On September 17 2020, the DoJ announced the unsealing of a nine-count indictment charging three hackers in relation to a nearly four-year campaign to steal, and attempt to steal, critical information related to aerospace and satellite technology and resources, including sensitive commercial information, intellectual property, and personal data. The defendants, Said Pourkarim Arabi, Mohammad Reza Espargham, and Mohammad Bayati – all Iranian nationals residing in Iran – conducted their activity at the direction of the IRGC, of which Arabi was a member.

The defendants primarily accomplished their intrusions through socially engineered spearphishing campaigns, using at least one target list of over 1,800 individuals in Australia, Israel, Singapore, the US, and the UK. Once a victim clicked on a link in a spearphishing email, a member of the conspiracy would deploy malware that allowed the conspirators to obtain access credentials, escalate their privileges, maintain their unauthorized access to victim networks, and ultimately steal the sought-after data. To accompany the unsealing of this indictment, and to help potential targets identify malicious activity, the FBI released a Private Industry Notification (PIN) describing the conspiracy’s TTPs and indicators of compromise.

(Spearphishing is an email scam targeted at a specific person or organization. It can be intended either to steal data for malicious purposes or to install malware on the targeted user’s system.)

– On September 17 2020, the Treasury Department’s Office of Foreign Assets Control (OFAC) imposed sanctions against 45 individuals and one front company associated with the Iranian MOIS. Together they made up the cyber threat group known publicly as “Advanced Persistent Threat 39” (APT39), “Chafer,” “Remexi,” “Cadelspy,” or “ITG07.” According to OFAC, masked behind its front company – Rana Intelligence Computing Company (Rana) – the MOIS employed a year-long malware campaign that targeted Iran’s own citizens, the government networks of Iran’s neighboring countries, and US-based travel services companies.

Concurrent with OFAC’s action, and following a long-term FBI investigation, the FBI released technical indicators about Rana’s malware in an FBI FLASH alert. This alert provides information to assist organizations and individuals in determining whether they were targeted by Rana.

Note – the details contained in the above-described charging documents are allegations. The defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.