Alleged Iranian hackers balanced espionage with personal cybercrime, US indictment says


Two Iranian nationals have been charged for their alleged involvement in a government-linked hacking operation that has targeted entities in the U.S., Europe, and the Middle East as well as Iranian dissidents and human rights activists, the U.S. Department of Justice said Wednesday.

The hackers’ operations, which prosecutors say began as early as 2013, are alleged to have targeted American and foreign universities, a Washington, D.C.-based think tank, non-governmental organizations and nonprofits, as well as a U.S. defense contractor. The two men charged, Hooman Heidarian and Mehdi Farhadi, are alleged to have stolen hundreds of terabytes from victims, including information about national security, foreign policy, intelligence, nuclear information, and the aerospace sector, according to the Justice Department.

The attackers allegedly operated at the behest of the Iranian government at times, including instances in which they are accused of stealing data about opposition leaders, perceived political dissidents, and human rights activists. The hackers are also alleged to have run some operations for their own personal financial gain, according to the DOJ.

The Iranian government’s apparent willingness to allow the defendants’ nefarious private hacking operations while employing them is part of the reason the U.S. government is disclosing details about the effort, according to John Demers, the assistant attorney general for national security.

“Today’s defendants will now learn that such service to the Iranian regime is not an asset, but a criminal yoke that they will now carry until the day they are brought to justice,” Demers said.

The Iranian hackers appeared to be conducting espionage activities related to non-military nuclear information while negotiating the terms of the Joint Comprehensive Plan of Action, the nuclear deal between Iran and China, France, Russia, U.K., and the U.S., when that information would have been considered highly sensitive, according to the indictment.

Tehran has consistently denied any involvement in cyber-espionage, or international hacking operations.

The announcement comes amid a sweeping effort from the U.S. to reveal a series of alleged Iranian-linked hacking campaigns, CyberScoop has learned. The indictment Wednesday comes after U.S. prosecutors revealed charges against two hackers, including one Iranian national, who allegedly defaced websites in retaliation for the U.S. killing of Qassem Soleimani, Iran’s top general, in January. Another indictment related to Iranian-linked hacking will be issued later this week, two people familiar with the matter tell CyberScoop.

Heidarian and Farhadi occasionally have run operations that defaced websites, using the pseudonym “Sejeal,” according to the indictment. They typically vandalized websites with messages meant to denigrate Iranian adversaries.

To run their operations, the hackers used keyloggers and remote access trojans to access victim organizations, according to the DOJ. They also used a botnet to spread malicious software, carry out denial-of-service attacks, and organize email forwarding schemes to establish access to sensitive communications, the DOJ said.

The attackers also allegedly created presentations on their techniques and insider access to help guide future operations against victim networks, according to the indictment.

While many Iran-linked hacking campaigns have historically used defacements to disrupt victims, in recent years some hacking groups that appear aligned with Iranian geopolitical interests, and which have traditionally targeted political opposition domestically, have expanded their operations to foreign espionage, according to BlackBerry Cylance security researchers.

Heidarian and Farhadi are both charged with one count of conspiracy to commit fraud and related activity in connection with computers, unauthorized access to protected computers, unauthorized damage to protected computers, and conspiracy to commit wire fraud. They are also charged with access device fraud and five counts of aggravated identity theft.

The indictment is available in full below.

Sean Lyngaas contributed reporting.