The U.S. Justice Department unsealed criminal charges on Wednesday against three Iranian nationals accused of hacking the networks of hundreds of victims in the United States and around the world in what officials described as a “ransomware-style” cyber campaign.
Although the alleged hackers are not accused of operating on behalf of the Iranian government, U.S. law enforcement agencies released a joint advisory warning about “continued malicious cyber activity” by actors affiliated with Iran’s Islamic Revolutionary Guard Corps, while the Treasury Department blacklisted bitcoin addresses tied to two of the defendants.
Cybercriminals often demand payments in bitcoins. The advisory was issued jointly by U.S., Australian, British and Canadian law enforcement agencies.
“To these sorts of actors, nothing is off limits, not even, for example, Boston Children’s Hospital, which they set their sights on in the summer of 2021,” FBI Director Christopher Wray said in a video statement.
The three Iranian nationals – identified as Mansour Ahmadi, Ahmad Khatibi Aghda, and Amir Hossein Nickaein Ravari – are accused of carrying out “computer intrusions and ransomware-style extortion” between October 2020 and August 2022, according to a 30-page indictment unsealed Wednesday.
The men remain at large and are believed to be in Iran, according to U.S. law enforcement officials briefing reports on condition of anonymity.
The four-count indictment comes as U.S. law enforcement agencies have stepped up their efforts in response to what is seen as a growing threat to U.S. national security: cybercriminals targeting critical infrastructure and services for extortion.
In a so-called “ransomware attack,” cybercriminals encrypt a victim’s computer files and then demand payments in cryptocurrency in exchange for decrypting them.
U.S. law enforcement officials described the Iranian campaign of hacking and extortion as “ransom-related cyberattack.”
Wray said many of the victims of the hacking campaign “offer critical services we all rely on every day.”
“I’m talking about health care facilities, power companies, local governments, in communities across the United States and around the globe,” he said.
According to the indictment, some of the victims made ransom payments.
In addition to targeting victims in the U.S., the hackers targeted companies and organizations in the United Kingdom, Iran, Israel, and Russia.
Among the U.S. victims described in the indictment were a New Jersey township, two accounting firms, a power company, and a domestic violence shelter.
Law enforcement officials said the victims were “targets of opportunity,” identified because of vulnerabilities in their computer systems.
“No form of cyberattack is acceptable, but ransomware attacks that target critical infrastructure services, such as health care facilities and government agencies, are a threat to our national security,” said U.S. Attorney Philip R. Sellinger for the District of New Jersey.
Senior FBI and Justice Department officials briefing reporters about the case stressed that the alleged Iranian hackers did not work for the Iranian government.
But in a statement, the Treasury Department said all three defendants were “affiliated” with Iran’s Revolutionary Guard.
“Crimes like these will happen when nations and their governments do not adhere to widely accepted norms like promulgating and enforcing broadly applicable laws against computer hacking and extortion,” a senior law enforcement official said, speaking on condition of anonymity.