FBI Indicts Iranian Hackers As Part Of New Cyber Strategy

In Sep­tem­ber 2020, the U.S. FBI report­ed on sev­er­al recent crim­i­nal charges raised against Iran­ian hack­ers, believed to be oper­at­ing at the behest of the Iran­ian gov­ern­ment, or in sup­port of it. The hacks includ­ed cyber intru­sions and fraud, van­dal­ism of U.S. web­sites, and intel­lec­tu­al prop­er­ty theft from U.S. aero­space and satel­lite tech­nol­o­gy com­pa­nies. Accord­ing to the FBI report:

Sep­tem­ber 18, 2020 While the cas­es filed in fed­er­al courts in Boston, Alexan­dria, and Newark are sep­a­rate and unique, pros­e­cu­tors and FBI inves­ti­ga­tors said they send a mes­sage that hack­ers will face con­se­quences regard­less of dis­tance and borders.

The FBI added that:

The efforts were reflec­tive of the FBI’s new cyber strat­e­gy, which is to impose risk and con­se­quences on cyber adversaries—making it hard­er for both cyber crim­i­nals and for­eign gov­ern­ments to use mali­cious cyber activ­i­ty to achieve their objec­tives. The new strat­e­gy also empha­sizes the role the FBI plays as an indis­pens­able part­ner to fed­er­al coun­ter­parts, for­eign part­ners, and pri­vate-sec­tor partners.

Fol­low­ing is a short sum­ma­ry on each of the cas­es referred to:

• Two alleged com­put­er hack­ers, Behzad Moham­madzadeh (a/k/a “Mrb3hz4d”), an Iran­ian nation­al, and Mar­wan Abus­rour (a/k/a “Mrwn007”), a state­less nation­al of the Pales­tin­ian Author­i­ty were indict­ed in the Dis­trict of Mass­a­chu­setts on charges of dam­ag­ing mul­ti­ple web­sites across the Unit­ed States as retal­i­a­tion for Unit­ed States mil­i­tary action in Jan­u­ary 2020 that killed Qasem Soleimani, the head of the Islam­ic Rev­o­lu­tion­ary Guard Corps-Quds Force, a U.S.-designated for­eign ter­ror­ist orga­ni­za­tion… Moham­madzadeh has pub­licly claimed to have per­son­al­ly defaced more than 1,100 web­sites around the world with pro-Iran­ian and pro-hack­er mes­sages, which he began in 2018 and con­tin­ues through the present day. Abus­rour is a self-described spam­mer (sender of unso­licit­ed emails for prof­it), carder (illic­it trad­er in stolen cred­it cards) and black hat hack­er (a hack­er who vio­lates com­put­er secu­ri­ty for per­son­al gain or mali­cious­ness) who has pub­licly claimed to have defaced at least 337 web­sites around the world, which he began no lat­er than June 6, 2016, and con­tin­ued through at least July 2020… The defen­dants alleged­ly start­ed work­ing togeth­er on or about Dec. 26, 2019, when Abus­rour began pro­vid­ing Maham­madzadeh with access to com­pro­mised websites.

• Two Iran­ian nation­als from Hamedan, Iran, Hooman Hei­dar­i­an, a/k/a “neo,” 30, and Meh­di Farha­di, a/k/a “Meh­di Mah­davi” and “Moham­mad Meh­di Farha­di Ramin” have been charged in con­nec­tion with a coor­di­nat­ed cyber intru­sion cam­paign – some­times at the behest of the gov­ern­ment of Iran – tar­get­ing com­put­ers in New Jer­sey and around the world… are each charged in a 10-count indict­ment returned Sept. 15, 2020, with: one count each of con­spir­a­cy to com­mit fraud and relat­ed activ­i­ty in con­nec­tion with com­put­ers and access devices; com­put­er fraud — unau­tho­rized access to pro­tect­ed com­put­ers: com­put­er fraud, unau­tho­rized dam­age to pro­tect­ed com­put­ers; con­spir­a­cy to com­mit wire fraud; and access device fraud; and five counts of aggra­vat­ed iden­ti­ty theft… The vic­tims includ­ed sev­er­al Amer­i­can and for­eign uni­ver­si­ties, a Wash­ing­ton, D.C.-based think tank, a defense con­trac­tor, an aero­space com­pa­ny, a for­eign pol­i­cy orga­ni­za­tion, non-gov­ern­men­tal orga­ni­za­tions (NGOs), non-prof­its, and for­eign gov­ern­ment and oth­er enti­ties iden­ti­fied as rivals or adver­saries to Iran around the world.

• Three com­put­er hack­ers – Iran­ian nation­als resid­ing in Iran, Said Pourkarim Ara­bi, Moham­mad Reza Espargham and Moham­mad Bay­ati, were indict­ed with engag­ing in a coor­di­nat­ed cam­paign of iden­ti­ty theft and hack­ing on behalf of Iran’s Islam­ic Rev­o­lu­tion­ary Guard Corps (IRGC), a des­ig­nat­ed for­eign ter­ror­ist orga­ni­za­tion, in order to steal crit­i­cal infor­ma­tion relat­ed to Unit­ed States aero­space and satel­lite tech­nol­o­gy and resources… Accord­ing to alle­ga­tions in the indict­ment, the defen­dants’ hack­ing cam­paign, which tar­get­ed numer­ous com­pa­nies and orga­ni­za­tions in the Unit­ed States and abroad, began in approx­i­mate­ly July 2015 and con­tin­ued until at least Feb­ru­ary 2019. The defen­dants at one time pos­sessed a tar­get list of over 1,800 online accounts, includ­ing accounts belong­ing to orga­ni­za­tions and com­pa­nies involved in aero­space or satel­lite tech­nol­o­gy and inter­na­tion­al gov­ern­ment orga­ni­za­tions in Aus­tralia, Israel, Sin­ga­pore, the Unit­ed States, and the Unit­ed Kingdom.

Details were released on eight sep­a­rate and dis­tinct sets of mal­ware used by Rana Intel­li­gence Com­put­ing Com­pa­ny, said to be a front com­pa­ny which helped Iran’s Min­istry of Intel­li­gence and Secu­ri­ty, tar­get at least 15 U.S. com­pa­nies along with hun­dreds of indi­vid­u­als and enti­ties from more than 30 coun­tries across Asia, Africa, Europe, and North Amer­i­ca. The FBI added that the inves­ti­ga­tion led to the U.S. Depart­ment of the Trea­sury issu­ing sanc­tions against Rana and 45 cyber actors.