January 22, 2022

Department of Justice and Partner Departments and Agencies Conduct Coordinated Actions to Disrupt and Deter Iranian Malicious Cyber Activities Targeting the United States and the Broader International Community

Unsealing of Indictments, Sanctions Designations, and Technical Indicator Releases Have Occurred Throughout the Week

Starting on Sept. 14, 2020 and continuing through today, the Department of Justice, the Federal Bureau of Investigation, the Department of Homeland Security, and the Department of the Treasury have engaged in a coordinated effort to disrupt and deter malicious cyber activities by actors associated with the Islamic Republic of Iran’s (Iran) Ministry of Intelligence and Security (MOIS) and Islamic Revolutionary Guard Corps (IRGC), as well as other Iran-based individuals.  These malicious cyber actors targeted victims in Australia, Europe, the Middle East, Southeast Asia, and the United States. 

“This week’s unsealing of indictments and other disruptive actions serves as another reminder of the breadth and depth of Iranian malicious cyber activities targeting not only the United States, but countries all over the world,” said Assistant Attorney General for National Security John C. Demers.  “Whether directing such hacking activities, or by offering a safe haven for Iranian criminal hackers, Iran is complicit in the targeting of innocent victims worldwide and is deepening its status as a rogue state.  By contrast, the Department of Justice and its U.S. government partners stand with such victims, regardless of their location, and we will continue our cooperative efforts domestically and internationally to disrupt Iranian hacking activities.”

“The FBI is using its unique partnerships and world-class capabilities to hold Iranian cyber actors publicly accountable for their actions,” said Executive Assistant Director Terry Wade of the FBI’s Criminal, Cyber, Response, and Services Branch. “Those malicious activities, as once again outlined this week, highlight Iran’s persistent use of cyber methods to harm the citizens of the United States and its allies. No cyber actor should think they can compromise U.S. networks, steal our intellectual property, or hold our critical infrastructure at risk without incurring risk themselves. The FBI will continue to work with our partners to protect U.S. interests and to impose consequences on those cyber actors working on behalf of the Government of Iran in furtherance of their nefarious goals.”

On Sept. 14, 2020, the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency jointly published a Cybersecurity Advisory regarding tactics, techniques, and procedures (TTPs) of an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks.

On Sept. 15, 2020, in the District of Massachusetts, the Department announced the unsealing of a three-count indictment charging two hackers in relation to their intrusions into, and defacements of, websites hosted in the United States.  The hackers, Behzad Mohammadzadeh, aka “Mrb3hz4d,” a citizen and resident of Iran, and Marwan Abusrour, aka “Mrwn007,” a stateless national under the jurisdiction of the Palestinian Authority, conspired to and subsequently damaged computers in perceived retaliation for the January 2, 2020 U.S. military strike that killed Qasem Soleimani, the head of the IRGC-Quds Force, a U.S.-designated Foreign Terrorist Organization.  These defacements were a subset of the over 1,400 defacements around the world for which the defendants claimed responsibility between in or around June 2016 and July 2020.

On Sept. 16, 2020, in the District of New Jersey, the Department announced the unsealing of a 10-count indictment charging two hackers, who sometimes operated under the pseudonym “Sejeal,” in relation to coordinated cyber intrusions and hacking campaigns targeting computer systems in Europe, the Middle East, and the United States.  The defendants, Hooman Heidarian, aka “neo,” and Medhi Farhadi, aka “Mehdi Mahdavi,” both Iranian nationals residing in Iran, stole hundreds of terabytes of data, which typically included confidential communications pertaining to national security, foreign policy intelligence, non-military nuclear information, aerospace data, human rights activist information, victim financial information and personally identifiable information, and intellectual property, including unpublished scientific research.  In some instances, the defendants’ hacks were politically motivated or at the behest of the government of Iran, including instances where they obtained information regarding dissidents, human rights activists, and opposition leaders.  In other instances, the defendants sold the hacked data and information on the black market for private financial gain.

On Sept. 17, 2020, in the Eastern District of Virginia, the Department announced the unsealing of a nine-count indictment charging three hackers in relation to an approximately four-year campaign to steal and attempt to steal critical information related to aerospace and satellite technology and resources, including sensitive commercial information, intellectual property, and personal data.  The defendants, Said Pourkarim Arabi, Mohammad Reza Espargham, and Mohammad Bayati, all Iranian nationals residing in Iran, conducted their activity at the direction of the IRGC, of which Arabi was a member.  The defendants primarily accomplished their intrusions through socially engineered spearphishing campaigns, using at least one target list of over 1,800 individuals in Australia, Israel, Singapore, the United States, and the United Kingdom.  Upon successfully enticing a victim to click on a link in such a spearphishing e-mail, a member of the conspiracy would deploy malware that allowed the conspirators to gain access credentials, escalate their privileges, maintain their unauthorized access to victim networks, and ultimately steal the sought-after data.  To accompany the unsealing of this indictment, and to aid potential targets in the identification of malicious activity, the FBI released a Private Industry Notification (PIN) that identified the conspiracy’s TTPs and indicators of compromise.

Also on Sept. 17, 2020, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions against 45 individuals and one front company associated with the MOIS who comprised the cyber threat group known publicly as “Advanced Persistent Threat 39” (APT39), “Chafer,” “Remexi,” “Cadelspy,” or “ITG07.”   According to OFAC, masked behind its front company, Rana Intelligence Computing Company (Rana), the MOIS employed a years-long malware campaign that targeted Iran’s own citizens, the government networks of Iran’s neighboring countries, and U.S.-based travel services companies. Concurrent with OFAC’s action, and following a long-term FBI investigation, the FBI released technical indicators about Rana’s malware in an FBI FLASH alert.  This alert provides information to assist organizations and individuals in determining whether they were targeted by Rana.

The above disruptive actions targeting Iranian malicious cyber activities were the result of investigations conducted by the FBI’s Boston, Newark, and Washington Field Offices and Cyber Division, the United States Attorney’s Offices for the Eastern District of Virginia, District of Massachusetts, and District of New Jersey, and the National Security Division’s Counterintelligence and Export Control Section.  Several of the disruptive actions were the result of the close partnership between these Department of Justice components and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and Department of the Treasury’s OFAC, and coordination through the National Cyber Investigative Joint Task Force.

The details contained in the above-described charging document are allegations.  The defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.
