View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
September 16, 2022updated 19 Sep 2022 2:05pm

Iran’s cybercrime spree against the US reflects increasingly close relationship with Russia

Putin's regime may see Iran as an ally and useful proxy as it seeks to strike back against Western sanctions.

By Claudia Glover

Ten Iranian nationals and two companies with links to Iran’s government have been sanctioned by the US for allegedly hitting hundreds of organisations with ransomware attacks over the past two years. But the sanctions may prove ineffective, as Iran’s growing ties to Russia and China provide it with help and protection, emboldening its cybercrime activity.

A ransomware campaign carried out by Iranian hackers was linked to the government in Tehran, the US government claims. (Photo by Natanael Ginting/Shutterstock)

The US Treasury’s Office of Foreign Assets Control (OFAC) imposed economic sanctions on the group this week in a bid to disrupt what it says has been a sustained campaign of cyberattacks.

In addition, three of the people on the sanctions list, Mansur Ahmadi, Ahmad Khatibi and Amir Hossein Nickaein Ravari, have been charged with allegedly orchestrating a scheme to hack into the computer networks of multiple US companies, including critical infrastructure providers. The US Department of Justice believes they are currently in Iran, and a $10m reward is on offer for information which leads to them being brought to justice.

The Iran cybercrime campaign exploited known vulnerabilities in commonly used network devices and software applications to gain access and extract data from compromised systems. The cybercriminals compromised, encrypted and extorted hundreds of victims, including an accounting-based firm in Illinois, a regional electric utility company in Mississippi and a domestic violence shelter in Pennsylvania. 

“The Government of Iran has created a safe haven where cybercriminals acting for personal gain flourish and defendants like these are able to hack and extort victims, including critical infrastructure providers,” said assistant attorney general Matthew G Olsen from the DoJ’s national security division. “This indictment makes clear that even other Iranians are less safe because their own government fails to follow international norms and stop Iranian cybercriminals.” 

Iran cybercrime spree linked to IRGC

The OFAC indictment says the ten people on the sanctions list are all linked to two Iranian government contractors, Najee Technology and Afkar System, both of which have been sanctioned. These businesses are said to be affiliated with the Islamic Revolutionary Guard Corps (IRGC), Iran’s powerful security agency.

The FBI released an advisory on the same day as the sanctions warning that law enforcement agencies from four nations had provided specific examples of IRGS-affiliated cybercriminals exploiting common vulnerabilities to gain access to systems. “The actors then leveraged the access for disk encryption and data extortion to support ransom operations,” explains the advisory. 

Content from our partners
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape
Green for go: Transforming trade in the UK

Explicitly identifying these links to the IRGC is “a big step”, says Allan Liska of security company Recorded Future. “That’s going to make it harder for them to conduct activity,” he says.

Earlier this month UK and US government representatives publicly denounced Iran for attacking and taking offline several Albanian government websites. The incident led to Albania cutting diplomatic ties with Iran, though officials in Tehran have denied responsibility for the attack, and a subsequent hit on systems used by Albania’s police force.

Iran’s increasingly close relationship with Russia and China is likely to have influenced the uptick in cybercrime activity, says Toby Lewis, global head of threat analysis at security company Darktrace. “Allyship with Russia is likely to be playing a part in current operations and will continue to influence future activity,” Lewis says. “This week, Iran signed an intention to become a member of the Shangai Cooperation Organisation, a security body set up by Russia and China.”

Indeed, Iran’s president said it was keen to work more closely with Russia in the face of US sanctions. “The relationship between countries that are sanctioned by the US, such as Iran, Russia or other countries, can overcome many problems and issues and make them stronger,” Ebrahim Raisi told his Russian counterpart, Vladimir Putin, during a meeting in Samarkand, Reuters reported. “The Americans think whichever country they impose sanctions on, it will be stopped, their perception is a wrong one.”

The possibility remains therefore that Russia may step in to provide covert help to the Iranians, explains Lewis. “It would suit the Russians to use Iran as a proxy against the US in a period where retaliation is expected,” he says.

There have been concerns that the Russians could provide help to Iran “by providing access to US systems or by supercharging the Iranian cyber capability with their own cyber weaponry, helping to co-ordinate attacks with increased potency and damage,” Lewis adds.

There may also be an additional dimension to Iran’s increased cyber activity. “It is possible that the rash of public activity is part of posturing by both American and Iranian administrations in preparation for the renegotiation of the Iranian Nuclear Agreement,” says Avishai Avivi, CISO at security vendor SafeBreach.

Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.

Read more: Iran’s steel industry hit with cyberattack as tensions with Israel rise

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU