The U.S. government announced a legal offensive Wednesday aimed at bringing down alleged members of an Iranian ransomware outfit.
A dual set of announcements from the Department of Justice (DOJ) and Department of the Treasury detailed both criminal indictments and financial sanctions directed at multiple individuals who are allegedly part of the state-sponsored Charming Kitten hacking crew.
According to the two U.S. agencies, the group of Iranian nationals both oversaw and supported the network for Charming Kitten and its efforts to break into networks and extract valuable data from foreign and domestic targets.
Through its New Jersey district office, the DOJ issued indictments against three members of the group -- Mansour Ahmadi, 34; Ahmad Khatibi Aghda, 45; and Amir Hossein Nickaein Ravari, 30 -- on counts of conspiring to commit computer fraud, intentionally damaging a protected computer and transmitting a demand in relation to damaging a protected computer. The charges carry maximum terms of five, 10 and five years, respectively.
"This coordinated, global effort amongst law enforcement and the intelligence community should send a clear message to those actors who think they can't be found in cyberspace," said James Dennehy, special agent in charge of the FBI's Newark, N.J., division office, in the announcement.
"The days of hiding behind a keyboard and perpetrating crimes against the American people without consequence are waning, and we will bring the full force of the American Justice system to disrupt your criminal behavior," he said.
A spokesperson for the DOJ confirmed to TechTarget Editorial that none of the three has been arrested or extradited, and all are considered to be fugitives.
The indictment alleged that the trio were part of a larger group that targeted both private companies and infrastructure providers in the U.S., the U.K. and Iran for network intrusions, ransomware attacks and extortion. The victims ranged from city governments and utility providers to accounting and construction companies.
The DOJ said the group was operating at the direction of the Iranian Islamic Revolutionary Guard Corps (IRGC). The indictment claimed the defendants and their various businesses and associates ran the Charming Kitten operation by performing the hacking and facilitating the ransomware payments from victims, as well as setting up and maintaining the infrastructure for the Iranian ransomware operation.
In addition to the criminal charges, the Treasury Department announced sanctions against the accused criminal hackers and their IRGC-affiliated associates.
The department issued sanctions freezing their assets and forbidding U.S. entities from doing business with not only the three individuals facing criminal charges, but also an additional seven individuals and two Iranian companies that were allegedly working directly with the trio or providing support for their operations. The two companies sanctioned are Najee Technology Hooshmand Fater LLC and Afkar System Yazd Company.
"Ransomware actors and other cybercriminals, regardless of their national origin or base of operations, have targeted businesses and critical infrastructure across the board -- directly threatening the physical security and economy of the United States and other nations," said Brian Nelson, under secretary of the Treasury for terrorism and financial intelligence, in the announcement.
"We will continue to take coordinated action with our global partners to combat and deter ransomware threats, including those associated with the IRGC," he said.
In addition to the DOJ and Treasury Department actions, the U.S. issued a joint cybersecurity advisory with other Five Eyes governments warning that IRGC-affiliated threat actors are actively exploiting vulnerabilities and launching ransomware attacks against a variety of industries and governments.
"These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran," the advisory said. "The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors."