Coordinated U.S. Actions Combat Wide Range of Iran’s Malign Cyber Activities

In a series of coordinated actions in mid-September, the U.S. departments of Justice and the Treasury exposed more than 50 Iranian hackers and took steps in concert with the FBI to thwart their ability to vandalize websites, surveil dissidents, and steal sensitive information. Collectively, these steps marked the largest law enforcement effort to date to combat the malicious cyber campaigns of the regime in Iran. The details of the disclosed campaigns may also point to additional actions the United States and its allies can undertake to disrupt Iran’s offensive cyber operations.

In three sets of indictments, the Department of Justice (DOJ) charged six Iranians and one Palestinian hacker with a range of malicious cyber activity. On September 15, the DOJ charged two hackers with defacing “scores of websites across the country” following the killing of General Qassem Soleimani, the commander of the Islamic Revolutionary Guard Corps (IRGC) Quds Force. While website defacement is a simplistic kind of cyberattack, it impairs the integrity and availability of data and, in this case, cost victims thousands of dollars to conduct damage assessments and restore affected data and networks, according to the DOJ indictment.

The second set of indictments, announced the next day, charged two Iranians with participating in a “coordinated cyber intrusion campaign” at least “sometimes at the behest of the government of the Islamic Republic of Iran.” In addition to defacing websites, the operatives “often sought to intimidate perceived enemies of Iran including dissidents fighting for human rights in Iran and around the world,” explained U.S. Attorney for the District of New Jersey Craig Carpenito.

These hackers also sought sensitive nuclear and military information. The indictment charges that the hackers successfully breached an organization that is likely the International Atomic Energy Agency (IAEA) between January 2013 and January 2015. The indictment does not mention the victim by name but describes it as “an international organization that promoted the non-military use of nuclear technology, the safeguarding of nuclear materials, and international nuclear security standards” with “an office in New York.” If the hackers did target and successfully breach the IAEA’s networks, this would not be the first time. In 2011 and again in 2012, hackers with possible ties to the Iranian government targeted IAEA inspectors and the organization itself.

The third set of indictments, issued on September 17, charged three hackers as part of a five-year campaign to “steal data sought by the IRGC.” This state-sponsored effort targeted companies and other organizations in the aerospace and satellite industry in the United States, the United Kingdom, Israel, Australia, and Singapore. This campaign to “steal the fruits of this country’s [the United States] hard work and expertise,” in the words of Assistant Attorney General for National Security John C. Demers, is part of Tehran’s larger cyber-enabled economic warfare strategy.

On September 17, the Treasury Department also issued sanctions against 45 individuals and a front company, Rana Intelligence Computing Company, responsible for a multi-year campaign by Tehran’s Ministry of Intelligence and Security (MOIS) to target Iranian dissidents. Collectively, Rana and its employees make up Advance Persistent Threat (APT) 39, a cyber threat group also known as Chafer, among other names. While cybersecurity firms had previously detailed the group’s activities and tools, the FBI published new technical information about APT39’s malware and how defenders can “identify the malware on their networks and systems.”

Separately, the FBI and Department of Homeland Security also issued guidance about the IRGC-associated cyber campaign revealed in the DOJ indictment and about the tools used by APT group Pioneer Kitten, which pilfers sensitive data for the regime in Iran and provides network access that other APTs use. These alerts help educate the public about the cyber threat from Iran. The APT39 alert, in particular, explained the Bureau, provides network administrators with the information they need to defend their systems from “malicious cyber activity that has already cost companies in the United States and around the world millions of dollars.”

Private companies had previously attributed Chafer/APT39 operations to an “Iran-based” group (according to Symantec), a group with an “apparent Iranian link” (according to Bitdefender), or a group operating “in support of” Tehran’s interests (according to FireEye). At the same time, unknown actors had revealed the existence of Rana and its connection to MOIS last year by leaking secret Iranian government documents on Telegram. However, the connection between Rana and APT39 was previously unknown.

At the time of the leak last year, tech news outlet ZDNet observed that Rana constituted a “new group whose activities have never been described or even spotted until today, despite being active since 2015.” Rana appeared to have moderate technical capabilities but was “operationally sophisticated” and “clearly effective,” according to risk firm Digital Shadows. The leaked material further revealed that MOIS created Rana as a “specialized cyber espionage” unit with a subgroup focused on using cyberattacks “to identify anyone who poses a threat to the regime such as riot leaders,” according to Israeli cybersecurity firm ClearSky.

Summarizing ClearSky’s findings, the King Faisal Center for Research and Islamic Studies, a Saudi think tank, explained that Rana’s objective in hacking airlines and travel companies around the world was to “track Iranian citizens outside Iran.” The documents did not include malware samples, so it was difficult for cybersecurity researchers at that time to connect Rana’s tools and infrastructure to other known APT groups. Last month, the U.S. government finally put the pieces together, officially connecting APT39 to MOIS operations through Rana.

Despite the coordination in timing, the Treasury and Justice departments targeted separate groups of hackers. In the past, by contrast, the two departments jointly took action against the same targets.

While indictments limit the ability of their targets to travel outside of Iran (lest they face arrest and extradition), complementary sanctions by the U.S. Department of the Treasury also restrict the ability of their targets to move money through the global financial system, since banks around the world look to U.S. guidance and sanctions lists to limit their illicit finance risk exposure.

Washington’s announcements did not indicate why the Justice Department focused on hackers who pilfered sensitive national security information for the IRGC, while Treasury targeted hackers who persecuted Iranian dissidents on behalf of the MOIS. One of the three hackers charged in the third DOJ indictment, however, is worthy of particular attention. According to the U.S. government, he is eligible for sanctions not only for malicious cyber activities but also for being an official, agent, or affiliate of the IRGC. Members of the IRGC – the organization responsible for implementing the regime’s most dangerous policies – should always receive maximum punishment.

At the same time, the lack of overlap in personnel between the IRGC and MOIS operations may offer Washington a new tactic for undermining Iranian cyber capabilities. Cybersecurity company Recorded Future assessed that even as Iranian cyber operatives operate like “defense contractors” that service multiple regime agencies, feuds between the IRGC and MOIS are likely causing hackers to align more closely with one faction or the other. In fact, Recorded Future noted that there is uncorroborated reporting that the leak of documents about Rana and other APT groups can be attributed to the disdain competing hackers have for one another.

ZDNet observed that the leaks sabotaged Iran’s cyber espionage operations and likely forced the exposed groups to “re-tool and focus on new campaigns going forward, potentially delaying any current or planned hacking efforts.” Thus, the United States should consider ways to exploit divisions within Iran’s intelligence agencies and hacker community. For example, clandestine influence operations in which U.S. and allied cyber operators impersonate Iranian hackers in order to instigate internecine fighting may cripple Iranian offensive cyber capabilities as fast as any direct U.S. government law enforcement action could.

Annie Fixler is deputy director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where she also contributes to FDD’s Center on Economic and Financial Power (CEFP) and Iran Program. For more analysis from Annie, CCTI, CEFP, and the Iran Program, please subscribe HERE. Follow Annie on Twitter @afixler. Follow FDD on Twitter @FDD. Follow CCTI, CEFP, and the Iran Program on Twitter @FDD_CCTI and @FDD_CEFP and @FDD_Iran. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.