N.J. victims among those targeted by Iranian nationals in global cyberattacks

By: Dana DiFilippo - September 14, 2022 10:39 pm

Three Iranian nationals were indicted in global cyberattacks that had two N.J. victims — a Union County township and Morris County accounting firm. (Getty Images)

Federal authorities have indicted three Iranian hackers for cyberattacks in seven states, including New Jersey, and issued an advisory Wednesday warning cybersecurity experts nationally to find and fix computer vulnerabilities.

The hackers infiltrated computer systems, encrypted their data, and then demanded victims make ransom payments in Bitcoin to get back into their systems — threatening to sell the data or bar them from it for good if they failed to pay, according to an August indictment unsealed Wednesday.

They exploited known vulnerabilities in commonly used network devices and software and targeted critical infrastructure, U.S. Attorney Philip Sellinger and FBI agent James E. Dennehy said at a joint press briefing in Newark Wednesday morning. Dennehy is special agent in charge of the U.S. Attorney’s Newark division.

“No form of cyberattack is acceptable,” Sellinger said. “But ransomware attacks that target critical infrastructure can harm national security.”

In New Jersey, a township in Union County and an accounting firm in Morris County fell victim to the scheme, prosecutors said.

Other U.S. victims include power companies in Indiana and Mississippi, a housing authority and construction company in Washington, a county government in Wyoming, a domestic violence shelter in Pennsylvania, an accounting firm in Illinois, and a state bar association in an unnamed state, according to the indictment. There were also victims in the United Kingdom, Israel, Russia, and Iran.

“Once they broke in, the defendants typically installed a cyber tool known as fast reverse proxy, which allowed them to stay in so that even if the victims wanted to kick them out, they could remain,” Sellinger said. “These hackers also sometimes use a security feature, BitLocker, to encrypt or lock the victims’ data, denying them access, cutting off the victims from their own systems.”

Some victims paid ransom, but the indictment didn’t detail the losses. Sellinger and Dennehy declined to divulge details not in the indictment.

Indicted were Mansour Ahmadi, 34, Ahmad Khatibi Aghda, 45, and Amir Hossein Nickaein Ravari, 30, whom authorities accused of carrying out their attacks between October 2020 and last August.

The Iranian government and its Islamic Revolutionary Guard Corps have engaged in coordinated campaigns of cyberattacks against the U.S. financial sector.

But Sellinger and Dennehy said the three men indicted in August acted for personal profit, and investigators weren’t able to definitively link them to any governmental campaign.

Still, the global cybersecurity firm Mandiant said it has tracked the men “for some time,” and they may have been “moonlighting as criminals” in addition to being contractors serving the Islamic Revolutionary Guard Corps.

“This group has been carrying out a brazen, widespread vulnerability scanning operation against targets in the U.S., Canada, Israel, UAE, and Saudi Arabia, seeking vulnerabilities in VPNs and MS Exchange, among others,” said John Hultquist, vice president of Mandiant Intelligence. “More often than not, they are monetizing their access, but their relationship to the IRGC makes them especially dangerous. Any access they gain could be served up for espionage or disruptive purposes.”

The advisory issued Wednesday by U.S. authorities warned that Iranian government-sponsored actors — using tactics similar to those employed by the three men indicted in New Jersey — are actively carrying out cyberattacks in the U.S., Canada, Australia, and the United Kingdom.

The men indicted in New Jersey have not been arrested — and could be tough to collar, given that Iran is a country that not only tolerates but practices such activity, officials said.

“This activity exists because of a lack of neutral law enforcement, oversight, and interest in this activity,” a senior U.S. Department of Justice official said in an earlier press briefing. “In other words, there are nations in the world — and Iran is not the only one — where actors can act with a certain level of impunity, provided their victims are principally outside the country.”

U.S. authorities are dangling a sizeable reward — $10 million per suspect — for information leading to their arrest, Dennehy said.

“Your days of hiding behind a keyboard are waning,” Dennehy said. “We will find you.”

Even publicly identifying them, as the indictment has done, should help curb their criminal plans, Sellinger said.

“They cannot operate anonymously from the shadows anymore. We have put a spotlight on them as wanted criminals,” Sellinger said. “Through this indictment, we seek to disrupt their criminal operation to make it harder for them to commit future crimes and to send a clear message to other would-be cyber criminals that the United States will come after those who seek to use technology and victimize our companies, our citizens, and our allies.”

Dana DiFilippo