Three Iranians charged with hacking, using ransomware to extort Americans

Three Iranian nationals were accused Wednesday of a broad international hacking campaign designed to steal information and, in some cases, hold it ransom.

Mansour Ahmadi, Ahmad Khatibi and Amir Hossein Nickaein have each been charged with “one count of conspiring to commit computer fraud and related activity in connection with computers; one count of intentionally damaging a protected computer; and one count of transmitting a demand in relation to damaging a protected computer,” with Mr. Ahmadi facing one additional count of intentionally damaging a protected computer, according to the Justice Department.

From October 2020 through Aug. 2022, the three defendants are alleged to have exploited known vulnerabilities in devices and software to access and steal information and data from their victims.

In some cases, the three suspected hackers are accused of encrypting stolen data and ransoming it back to victims.

“The Government of Iran has created a safe haven where cyber criminals acting for personal gain flourish and defendants like these are able to hack and extort victims, including critical infrastructure providers … Even other Iranians are less safe because their own government fails to follow international norms and stop Iranian cyber criminals,” Assistant Attorney General Matthew Olsen said in a statement.

The hacking conspiracy was international in scope, hitting targets in Iran itself, along with America, Britain and Israel.

The three defendants are still at large outside the United States.

The victims of the alleged hack attacks vary, including “small businesses, government agencies, nonprofit programs and educational and religious institutions,” as well as “multiple critical infrastructure sectors, including health care centers, transportation services and utility providers,” according to the Justice Department.

Targets in the U.S. ranged from coast to coast, including “an accounting firm based in Illinois; a regional electric utility company based in Mississippi; a regional electric utility company based in Indiana; a public housing corporation in the state of Washington; a county government in Wyoming and a construction company located in the state of Washington that was engaged in work on critical infrastructure projects,” according to the Justice Department.

In one case from Feb. 2022, the defendants are accused of exploiting a vulnerability to access the data of an accounting firm in Morris County, New Jersey, before using a hacking tool to set up a connection between the hacked firm and a server registered to Mr. Nickaein.

In March 2022, the three suspects are alleged to have used encryption software to deny the firm access to some systems, demanding a $50,000 ransom paid in cryptocurrency. If the ransom was not paid, Mr. Khatibi threatened to sell the data on the black market.

A domestic violence shelter in Pennsylvania had its data ransomed for $13,000, according to the Associated Press.

“No form of cyberattack is acceptable, but ransomware attacks that target critical infrastructure services, such as health care facilities and government agencies, are a threat to our national security,” U.S. Attorney for the District of New Jersey Philip Sellinger said in a statement.

The conspiracy and ransom demand charges both have a maximum sentence of five years, while the charges of intentionally damaging protected computers have a maximum sentence of 10 years.

Fines may also be levied, up to a maximum of $250,000 or twice the amount of gains made or losses inflicted as a result of the offense, whichever is greater.