Ten Iranian nationals and two companies with links to Iran’s government have been sanctioned by the US for allegedly hitting hundreds of organisations with ransomware attacks over the past two years. But the sanctions may prove ineffective, as Iran’s growing ties to Russia and China provide it with help and protection, emboldening its cybercrime activity.
The US Treasury’s Office of Foreign Assets Control (OFAC) imposed economic sanctions on the group this week in a bid to disrupt what it says has been a sustained campaign of cyberattacks.
In addition, three of the people on the sanctions list, Mansur Ahmadi, Ahmad Khatibi and Amir Hossein Nickaein Ravari, have been charged with allegedly orchestrating a scheme to hack into the computer networks of multiple US companies, including critical infrastructure providers. The US Department of Justice believes they are currently in Iran, and a $10m reward is on offer for information which leads to them being brought to justice.
The Iran cybercrime campaign exploited known vulnerabilities in commonly used network devices and software applications to gain access and extract data from compromised systems. The cybercriminals compromised, encrypted and extorted hundreds of victims, including an accounting-based firm in Illinois, a regional electric utility company in Mississippi and a domestic violence shelter in Pennsylvania.
“The Government of Iran has created a safe haven where cybercriminals acting for personal gain flourish and defendants like these are able to hack and extort victims, including critical infrastructure providers,” said assistant attorney general Matthew G Olsen from the DoJ’s national security division. “This indictment makes clear that even other Iranians are less safe because their own government fails to follow international norms and stop Iranian cybercriminals.”
Iran cybercrime spree linked to IRGC
The OFAC indictment says the ten people on the sanctions list are all linked to two Iranian government contractors, Najee Technology and Afkar System, both of which have been sanctioned. These businesses are said to be affiliated with the Islamic Revolutionary Guard Corps (IRGC), Iran’s powerful security agency.
The FBI released an advisory on the same day as the sanctions, warning that law enforcement agencies from four nations had provided specific examples of IRGC-affiliated cybercriminals exploiting common vulnerabilities to gain access to systems. “The actors then leveraged the access for disk encryption and data extortion to support ransom operations,” explains the advisory.
Explicitly identifying these links to the IRGC is “a big step”, says Allan Liska of security company Recorded Future. “That’s going to make it harder for them to conduct activity,” he says.
Earlier this month UK and US government representatives publicly denounced Iran for attacking and taking offline several Albanian government websites. The incident led to Albania cutting diplomatic ties with Iran, though officials in Tehran have denied responsibility both for that attack and for a subsequent hit on systems used by Albania’s police force.
Iran’s increasingly close relationship with Russia and China is likely to have influenced the uptick in cybercrime activity, says Toby Lewis, global head of threat analysis at security company Darktrace. “Allyship with Russia is likely to be playing a part in current operations and will continue to influence future activity,” Lewis says. “This week, Iran signed an intention to become a member of the Shanghai Cooperation Organisation, a security body set up by Russia and China.”
Indeed, Iran’s president said the country was keen to work more closely with Russia in the face of US sanctions. “The relationship between countries that are sanctioned by the US, such as Iran, Russia or other countries, can overcome many problems and issues and make them stronger,” Ebrahim Raisi told his Russian counterpart, Vladimir Putin, during a meeting in Samarkand, Reuters reported. “The Americans think whichever country they impose sanctions on, it will be stopped; their perception is a wrong one.”
The possibility remains therefore that Russia may step in to provide covert help to the Iranians, explains Lewis. “It would suit the Russians to use Iran as a proxy against the US in a period where retaliation is expected,” he says.
There have been concerns that the Russians could provide help to Iran “by providing access to US systems or by supercharging the Iranian cyber capability with their own cyber weaponry, helping to co-ordinate attacks with increased potency and damage,” Lewis adds.
There may also be an additional dimension to Iran’s increased cyber activity. “It is possible that the rash of public activity is part of posturing by both American and Iranian administrations in preparation for the renegotiation of the Iranian Nuclear Agreement,” says Avishai Avivi, CISO at security vendor SafeBreach.
Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.