U.S. Charges 3 Iranian Hackers and Sanctions Several Others Over Ransomware Attacks

The US Treasury Department’s Office of Foreign Assets Control (OFAC) on Wednesday announced sweeping sanctions against ten individuals and two entities supported by Iran’s Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks dating back to at least October 2020.

The agency said the cyber activity carried out by the individuals was attributed in part to intrusion groups tracked under the names APT35, Charming Kitten, Nemesis Kitten, Phosphorus and TunnelVision.

“This group has launched extensive campaigns against organizations and officials across the globe, specifically targeting US and Middle East defense, diplomatic and government personnel, as well as private industries including media, energy, business services and telecommunications,” said the Treasury.

The Nemesis Kitten actor, also known as Cobalt Mirage, DEV-0270 and UNC2448, has come under scrutiny in recent months for its pattern of opportunistic revenue-generating ransomware attacks that use Microsoft’s built-in BitLocker tool to encrypt files on compromised devices.

Microsoft and Secureworks have characterized DEV-0270 as a subset of Phosphorus (aka Cobalt Illusion), with links to another actor referred to as TunnelVision. The Windows maker also assessed with low confidence that “some of DEV-0270’s ransomware attacks are a form of moonlighting to generate personal or company-specific revenue.”

Additionally, independent analysis by the two cybersecurity firms, as well as Google-owned Mandiant, has revealed the group’s links to two companies, Najee Technology (operating under the aliases Secnerd and Lifeweb) and Afkar System, both of which are now subject to US sanctions.

It is worth noting that Najee Technology and Afkar System’s links to the Iranian intelligence apparatus were first reported earlier this year by an anonymous anti-Iranian regime entity called Lab Dookhtegan.

“The pattern of Iranian intelligence functions using contractors blurs the lines between government-mandated actions and actions that private enterprise takes on its own initiative,” Secureworks said in a new report detailing Cobalt Mirage’s activities.

While the exact links between the two companies and the IRGC remain unclear, the practice of private Iranian firms acting as fronts for, or providing support to, intelligence operations has been well established over the years, with prior examples including ITSecTeam (ITSEC), Mersad, Emennet Pasargad and Rana Intelligence Computing Company.

Additionally, Secureworks’ investigation into a June 2022 Cobalt Mirage incident showed that a PDF file containing the ransom note was created on December 17, 2021, by an “Ahmad Khatibi” and stamped in the UTC+03:30 time zone, which corresponds to Iran Standard Time. Khatibi, coincidentally, happens to be the CEO and owner of the Iranian company Afkar System.

Ahmad Khatibi Aghda is also among the 10 individuals sanctioned by the US, along with Mansour Ahmadi, CEO of Najee Technology, and other employees of the two companies, who are said to be complicit in targeting various networks globally by exploiting known security flaws to gain initial access for follow-up attacks.

According to a joint cybersecurity advisory issued by Australia, Canada, the UK and the US, some of the vulnerabilities exploited as part of the activity of IRGC-linked actors are as follows –

  • Fortinet FortiOS Path Traversal Vulnerability (CVE-2018-13379)
  • Fortinet FortiOS Default Configuration Vulnerability (CVE-2019-5591)
  • Fortinet FortiOS SSL VPN 2FA Bypass Vulnerability (CVE-2020-12812)
  • ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), and
  • Log4Shell (CVE-2021-44228, CVE-2021-45046 and/or CVE-2021-45105)

“Khatibi is among the cyber actors who gained unauthorized access to victims’ networks to encrypt the network with BitLocker and demand a ransom for the decryption keys,” the US government said, in addition to adding him to the FBI’s most-wanted list.

“He leased the network infrastructure used to further the activities of this malicious cyber group, he participated in compromising the victims’ networks and engaged in ransom negotiations with the victims.”

Coinciding with the sanctions, the Justice Department separately indicted Ahmadi, Khatibi and a third Iranian national named Amir Hossein Nickaein Ravari for engaging in a criminal extortion scheme to cause harm and loss to victims located in the US, Israel and Iran.

All three individuals have been charged with one count of conspiracy to commit computer fraud and computer-related activities; one count of willful damage to a protected computer; and one count of transmitting a solicitation involving damage to a protected computer. Ahmadi has also been charged with another count of willful damage to a protected computer.

That’s not all. The US State Department has also announced cash rewards of up to $10 million for any information about Mansour, Khatibi and Nikaeen and their whereabouts.

“These defendants may have been hacking and extorting victims – including critical infrastructure providers – for their own personal gain, but the charges reflect how criminals can thrive in the safe haven that the government of Iran has created and is responsible for,” Assistant Attorney General Matthew Olsen said.

The development follows sanctions imposed by the US against Iran’s Ministry of Intelligence and Security (MOIS) and its Intelligence Minister, Esmaeil Khatib, for engaging in cyber-enabled activities against the nation and its allies.
