Justice Department charges 3 Iranians in hacking scheme targeting U.S. entities
Washington — Three Iranian men were charged with allegedly orchestrating a scheme to hack into computer networks of small businesses, government agencies and utility providers, among other entities, the Justice Department announced Wednesday.
An indictment unsealed in federal district court in New Jersey claims Mansour Ahmadi, Ahmad Khatibi Aghda and Amir Hossein Nickaein Ravari, all Iranian nationals, engaged in a scheme beginning in October 2020 to break into computer systems of "hundreds" of victims across the U.S., United Kingdom, Israel, Iran, Russia and elsewhere.
In addition to their alleged hacking campaign, federal prosecutors said the three men, along with unidentified co-conspirators, profited from the scheme by launching encryption attacks against their targets' computer systems, denying them access to their data in exchange for a ransom payment.
The Justice Department claimed Ahmadi, Khatibi and Nickaein targeted a wide array of entities: a township in Union County, New Jersey; accounting firms in New Jersey and Illinois; regional electric utility companies in Mississippi and Indiana; a public housing corporation in Washington state; a shelter for domestic violence victims in Pennsylvania; a construction company in Washington state working on critical infrastructure projects; and a state bar association.
"These defendants may have been hacking and extorting victims — including critical infrastructure providers — for their personal gain, but the charges reflect how criminals can flourish in the safe haven that the government of Iran has created and is responsible for," said Matthew Olsen, head of the Justice Department's National Security Division.
Olsen said the indictment shows that even Iranians themselves "are less safe because their own government fails to follow international norms and stop Iranian cyber criminals."
The newly unsealed indictment claims the goal of the hacking scheme was to obtain and maintain access to their victims' computers to control their systems, steal their victims' data, damage the computers and then demand ransom in the form of bitcoin or other cryptocurrencies in exchange for keeping their victims' data confidential or decrypting it.
Federal prosecutors said in the breach of the unnamed accounting firm in Illinois, Nickaein hacked the business's computer system in April 2021, stole data and launched an encryption attack that denied the firm access to some of its systems and data. He then allegedly sent a ransom demand to the accounting firm's printers that read in part: "Hi! If you are reading this, it means your data is encrypted and your private sensitive information is stolen! Read carefully the whole instructions to avoid any problems. You have to contact us immediately to resolve this issue and make a deal."
The note also warned the hackers "will sell your data if you decide not to pay or try to recover them," according to the indictment.
Notes informing their targets they had been breached and requesting they make contact were also sent to the power companies and domestic violence shelter, the latter of which paid $13,000 in bitcoin to regain access to its systems and data, the filing says.
The Iranians allegedly demanded $50,000 in cryptocurrency from the accounting firm in New Jersey after hacking into its computer system in February and launching a ransomware attack. The indictment claims Khatibi emailed a representative of the company in March asking, "Are you ready to pay?" In another email, he then allegedly stated he "locked more than 20 systems," and, in a message sent in mid-March, said, "If you don't want to pay, I can sell your data on the black market. This choice is yours."
Federal prosecutors said the men documented their acts, as Ahmadi emailed an unidentified person timesheets "reflecting the hours worked" by Nickaein, Khatibi and others, which in some instances included "tasks performed in connection with cyberattacks" and to further their alleged scheme.
Ahmadi, 34, Khatibi, 45, and Nickaein, 30, are charged with one count of conspiring to commit computer fraud and related activity in connection with computers; one count of intentionally damaging a protected computer; and one count of transmitting a demand in relation to damaging a protected computer. Ahmadi also faces an additional charge of intentionally damaging a protected computer.
They face up to five years in prison for the conspiracy charge, up to 10 years in prison for intentionally damaging a protected computer, and up to five years in prison for the transmission of a ransom demand charge. All three men remain at large overseas, the Justice Department said.