The U.S. Department of Justice unsealed an indictment Sept. 14 charging three Iranian nationals with allegedly running a massive, global ransomware operation that hacked into the computer networks of multiple U.S. victims, including several in the Garden State.
The indictment charges Mansour Ahmadi, Ahmad Khatibi Aghda and Amir Hossein Nickaein Ravari of engaging in the scheme. The three, who are residents of Iran, are each charged with one count of conspiring to commit computer fraud and related activity, one count of intentionally damaging a protected computer, and one count of transmitting a demand in relation to damaging a protected computer.
“The Government of Iran has created a safe haven where cyber criminals acting for personal gain flourish and defendants like these are able to hack and extort victims, including critical infrastructure providers,” said Assistant Attorney General Matthew Olsen of the Justice Department’s National Security Division. “This indictment makes clear that even other Iranians are less safe because their own government fails to follow international norms and stop Iranian cyber criminals.”
The hacking allegedly exploited vulnerabilities in software and networks to gain access and exfiltrate data and information from victims’ computer systems. The indictment also accuses the trio of denying victims access to their systems and data unless a ransom payment was made.
The three men are accused of victimizing a broad range of organizations, including small businesses, government agencies, nonprofit programs and institutions, as well as critical infrastructure sectors such as health care centers, transportation services and utility providers.
Here in New Jersey, according to court documents, the defendants targeted a township in Union County in February 2021, gaining control and access to the township’s network and data and using a hacking tool to establish persistent remote access to a particular domain that was registered to one of the men.
They are also accused of targeting a Morris County-based accounting firm in or before February 2022, using a hacking tool to establish a connection to a server registered to one of the defendants to steal data. The indictment then alleges that they launched an encryption attack against the accounting firm, denying the firm access to some of its systems and demanding a payment of $50,000 in cryptocurrency while threatening to sell the data on the black market.
“Ransom-related cyberattacks – like what happened here – are a particularly destructive form of cybercrime,” said U.S. Attorney for New Jersey Philip Sellinger. “No form of cyber attack is acceptable, but ransomware attacks that target critical infrastructure services, such as health care facilities and government agencies, are a threat to our national security.”
The defendants remain at large abroad.
“Hackers like these defendants go to great lengths to keep their identities secret, but there is always a digital trail,” Sellinger added. “And we will find it.”