Security Experts:

U.S. Charges Two State-Sponsored Iranian Hackers

Two Iranian hackers were indicted in the United States for allegedly engaging in numerous cyberattacks, some of them conducted on behalf of the government of Iran, the U.S. Department of Justice announced on Wednesday.

The two, Hooman Heidarian (aka neo), 30, and Mehdi Farhadi (aka Mehdi Mahdavi, Mohammad Mehdi Farhadi Ramin), 34, both of Hamedan, Iran, were charged with conspiracy to commit fraud and wire fraud, unauthorized access to protected computers, unauthorized damage to protected computers, access device fraud, and aggravated identity theft.

Starting in at least 2013, the two launched coordinated attacks on an aerospace company, a defense contractor, several American and foreign universities, a think tank based in Washington, D.C., foreign governments, a foreign policy organization, non-governmental organizations (NGOs), and non-profits.

Many of the attacks were allegedly conducted in the interest of the Iranian government, targeting highly protected and extremely sensitive data related to national security communications, foreign policy, aerospace, financial and personally identifiable information, non-military nuclear data, intellectual property, and human rights activists.

Victims were selected after extensive online reconnaissance, with the information gathered at this stage often used in later phases to identify the soft spots of victim networks. Vulnerability-scanning tools were employed to identify security weaknesses.

A broad range of tools and methods were used to compromise and maintain access to victim networks, including session hijacking, SQL injection, and malware. Keyloggers and remote access Trojans were leveraged for persistence on the networks.

The defendants also created a botnet to spread malware, launch DDoS attacks, and send out spam. They also established automated forwarding rules to have new outgoing and incoming emails automatically sent to attacker-controlled accounts.

“Using these methods, the defendants stole hundreds of terabytes of data, including confidential victim work product and intellectual property, and personal identifying information, such as access credentials, names, addresses, phone numbers, Social Security numbers, and birthdates. The defendants marketed stolen data on the black market,” the DoJ says.

The defendants are also charged with defacing websites with political and other ideological content “for apparent purpose of projecting Iranian influence and threatening perceived enemies of Iran.”

Related: U.S. Charges Hackers for Defacing Sites in Response to Killing of Qasem Soleimani

Related: CISA Shares Details on Web Shells Employed by Iranian Hackers

Related: Iranian Hackers Target Critical Vulnerability in F5's BIG-IP

Related: U.S. Charges Alleged Hackers of Chinese APT41 Group for Attacks on 100 Firms

view counter