Iran

The Treasury Department's Office of Foreign Assets Control (OFAC) announced sanctions today against ten individuals and two entities affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks.

Throughout the last two years, these threat actors have been linked to ransomware incidents where they compromised networks belonging to organizations in the United States and worldwide.

Their malicious activity overlaps with that of state-sponsored hacking groups tracked by cybersecurity vendors under different names, including APT35, Charming Kitten, Phosphorus, DEV-0270, Tunnel Vision, and Nemesis Kitten.

"Several cybersecurity firms have determined these intrusion sets as being associated with the Government of Iran, and have identified them as having conducted a varied range of malicious cyber-enabled activities, including ransomware and cyber-espionage," the Department of Treasury said.

"This group has launched extensive campaigns against organizations and officials across the globe, particularly targeting the U.S. and Middle Eastern defense, diplomatic, and government personnel, as well as private industries including media, energy, business services, and telecommunications."

The IRGC-affiliated group is comprised of employees and associates of Iran-based Najee Technology Hooshmand Fater LLC (Najee Technology) and Afkar System Yazd Company (Afkar System):

  • Mansour Ahmadi: the owner, managing director, and chairman of the board of Najee Technology
  • Ahmad Khatibi Aghda: managing director and member of the board of Afkar System
  • Additional employees and associates: Ali Agha-Ahmadi, Mohammad Agha Ahmadi, Mo'in Mahdavi, Aliakbar Rashidi-Barjini, Amir Hossein Nikaeen Ravari, Mostafa Haji Hosseini, Mojtaba Haji Hosseini, and Mohammad Shakeri-Ashtijeh.

The U.S. Department of the Treasury also sanctioned individuals linked to Net Peygard Samavat Company for working with the IRGC and Iran's Ministry of Intelligence and Security (MOIS) in 2019.

One year later, the U.S. Treasury sanctioned Rana Intelligence Computing Company and some of its employees for acting as a front company that coordinated cyber-attackers on behalf of MOIS.

The U.S. State Department also offers $10 million for information on Mansour Ahmadi, Ahmad Khatibi Aghda, and Hossein Nikaeen Ravari, three of the sanctioned Iranians who were also charged (indictment here) by the Department of Justice today for their involvement in ransomware attacks against U.S. critical infrastructure orgs.

This threat group's malicious activity was also described with added technical details in a joint advisory issued earlier today by cybersecurity agencies in the U.S., Canada, UK, and Australia.

State Dept reward poster
Reward poster (U.S. State Department)

Cybersecurity firm Secureworks also published today a report confirming the information released today by the U.S. Treasury.

Secureworks said it successfully linked the Nemesis Kitten group (tracked as Cobalt Mirage) to Iranian companies Najee Technology, Afkar System, and a third entity named Secnerd after taking advantage of several OPSEC mistakes made during a June 2022 ransomware incident.

Similar malicious activity linked to Cobalt Mirage (which has elements overlapping the Phosphorus APT group) was reported by SecureWorks' Counter Threat Unit (CTU) in May.

Last week, Microsoft said the same threat group (tracked as DEV-0270) has been moonlighting "for personal or company-specific revenue generation as a sub-group of the Iranian-backed Phosphorus cyber-espionage group (aka Charming Kitten and APT35).

Redmond also linked it to several Iranian companies, including Najee Technology, Secnerd, and Lifeweb.

"The group is typically opportunistic in its targeting: the actor scans the internet to find vulnerable servers and devices, making organizations with vulnerable and discoverable servers and devices susceptible to these attacks," Microsoft added.

Related Articles:

US govt sanctions Iranians linked to government cyberattacks

US offers up to $15 million for tips on ALPHV ransomware gang

US sanctions crypto exchanges used by Russian darknet market, banks

US sanctions APT31 hackers behind critical infrastructure attacks

Ransomware gang claims they stole 6TB of Change Healthcare data