On Wednesday, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced wide-ranging sanctions against ten individuals and two organizations backed by Iran’s Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks dating back to at least October 2020.
According to the FBI, some of the individuals’ online activities can be attributed to intrusion sets known as APT35, Charming Kitten, Nemesis Kitten, Phosphorus, and TunnelVision.
The Treasury reported that “this group has launched significant campaigns against organizations and officials around the world, specifically targeting U.S. and Middle Eastern defense, diplomatic, and government personnel, as well as private industries including media, energy, business services, and telecommunications.”
The Nemesis Kitten actor, also tracked as Cobalt Mirage, DEV-0270, and UNC2448, has recently come under scrutiny for a history of ransomware operations carried out for opportunistic financial gain. These attacks use Microsoft’s built-in BitLocker technology to encrypt files on compromised machines rather than a custom encryptor.
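Because the reported intrusions abuse a legitimate Windows feature, a defender’s first check on a suspect host is whether any volume is encrypted or encrypting outside the organization’s own BitLocker policy. The PowerShell audit below is an added example and is not code from the article or from any vendor report it cites. It assumes the built-in BitLocker module (Get-BitLockerVolume) is available, that the host has the standard BitLocker management event log, and that the organization’s baseline requires a TPM protector plus an escrowed recovery password on every protected volume; that baseline, the event-log name and the 24-hour lookback window are assumptions made for the example.

```powershell
# Added example: audit BitLocker state on a Windows host and flag volumes whose
# protector set does not match an assumed organizational baseline (TPM + RecoveryPassword).
# Requires the built-in BitLocker PowerShell module and local administrator rights.

function Get-BitLockerAuditFindings {
    [CmdletBinding()]
    param(
        # Protector types the baseline expects on every protected volume (assumption for the example)
        [string[]]$RequiredProtectorTypes = @('Tpm', 'RecoveryPassword')
    )

    $findings = @()
    foreach ($vol in Get-BitLockerVolume) {
        $types   = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $missing = @($RequiredProtectorTypes | Where-Object { $types -notcontains $_ })

        # A volume that is encrypting or encrypted but lacks the baseline protectors is the
        # pattern an attacker-initiated enablement (with a key only the attacker holds) leaves behind.
        $isEncrypted = $vol.VolumeStatus -in @('FullyEncrypted', 'EncryptionInProgress')
        $severity = if ($isEncrypted -and $missing.Count -gt 0) { 'High' }
                    elseif ($isEncrypted -and $vol.ProtectionStatus -ne 'On') { 'Medium' }
                    else { 'Info' }

        $findings += [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeStatus      = $vol.VolumeStatus
            ProtectionStatus  = $vol.ProtectionStatus
            EncryptionPercent = $vol.EncryptionPercentage
            ProtectorTypes    = ($types -join ',')
            MissingProtectors = ($missing -join ',')
            Severity          = $severity
        }
    }
    return $findings
}

# Pull recent BitLocker management events so a sudden encryption start can be correlated
# with the volume state above. The log name is assumed to be the one shipped with Windows;
# the lookback window is an arbitrary choice for this example.
function Get-RecentBitLockerEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-BitLockerAuditFindings | Format-Table -AutoSize
Get-RecentBitLockerEvents  | Format-Table -AutoSize -Wrap
```

A High finding (encryption under way with no recovery password the organization can retrieve) is the condition worth paging on; an Info result on a managed volume with both expected protectors is the normal state and needs no action.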
Microsoft and Secureworks have identified DEV-0270 as a subset of Phosphorus (also known as Cobalt Illusion), with connections to another actor tracked as TunnelVision. Microsoft also assessed, with low confidence, that “part of DEV-0270’s ransomware attacks are a kind of moonlighting for personal or company-specific cash creation.”
Additionally, independent research by the two cybersecurity firms and by Google-owned Mandiant has shown that the group has ties to the businesses Najee Technology (also known as Secnerd and Lifeweb) and Afkar System, both of which are now subject to U.S. sanctions.
Earlier this year, an anonymous anti-Iranian-regime group going by the name Lab Dookhtegan had already publicly alleged ties between Najee Technology, Afkar System, and the Iranian intelligence service.
Secureworks stated in a recent study describing the activities of Cobalt Mirage that “the paradigm of Iranian government intelligence services using contractors blurs the borders between the actions tasked by the government and the actions that the private corporation does on its own initiative.”
ITSecTeam (ITSEC), Mersad, Emennet Pasargad, and Rana Intelligence Computing Company are just a few examples of private Iranian enterprises that have served as fronts for intelligence activities over the years. The exact connections between the two sanctioned organizations and the IRGC remain unknown.
Additionally, according to the Secureworks investigation into a June 2022 Cobalt Mirage incident, the metadata of a PDF file containing the ransom note identified Ahmad Khatibi as its author; Khatibi is also the CEO and owner of the Iranian business Afkar System.
Ahmad Khatibi Aghda is one of the ten individuals designated by the U.S., alongside Mansour Ahmadi, the CEO of Najee Technology, and other employees of the two companies. They are accused of conspiring to target numerous networks around the world by exploiting well-known security flaws to gain initial access for follow-on attacks.
According to a joint cybersecurity advisory from Australia, Canada, the United Kingdom, and the United States, the vulnerabilities exploited as part of the IRGC-affiliated activity include:
- Fortinet FortiOS path traversal (CVE-2018-13379)
- Fortinet FortiOS default configuration vulnerability (CVE-2019-5591)
- Fortinet FortiOS SSL VPN two-factor authentication (2FA) bypass (CVE-2020-12812)
- Log4Shell (CVE-2021-44228, CVE-2021-45046, and/or CVE-2021-45105)
- ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207)
The U.S. government added Khatibi to the FBI’s Most Wanted list and stated that he was “among the cyber actors that acquired unauthorized access to victim networks to encrypt the network with BitLocker and demand a ransom for the decryption keys.”
He participated in compromising victims’ networks, leased network infrastructure that was utilized to enhance the activities of this criminal cyber gang, and bargained for ransom with victims.
The Justice Department separately charged Ahmadi, Khatibi, and a third Iranian national called Amir Hossein Nickaein Ravari in connection with the sanctions for participating in a criminal extortion plan to cause harm and losses to individuals in the United States, Israel, and Iran.
One count of conspiring to commit computer fraud and other computer-related offenses, one count of purposefully harming a protected computer, and one count of conveying a demand in connection with damaging a protected computer have been brought against all three people. Ahmadi is also accused of intentionally destroying a protected computer.
In addition, the U.S. State Department has offered rewards of up to $10 million for information on Ahmadi, Khatibi, and Nickaein.
The accusations against the defendants “reflect how criminals can flourish in the safe haven that the Government of Iran has created and is accountable for,” Assistant Attorney General Matthew Olsen said. “These defendants may have been hacking and extorting victims – including critical infrastructure providers – for their personal gain,” he added.
The United States has also sanctioned Iran’s Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmaeil Khatib, for engaging in cyber-enabled activities against the country and its allies.