The Treasury Department on Thursday announced sanctions against a prolific Iranian hacking group, 45 individuals and a front group allegedly used by the Iranian government to target Iranian dissidents and other groups.
The 45 Iranian individuals were sanctioned for assisting in Iranian government-linked efforts to target dissidents, journalists, international organizations and other foreign governments through conducting computer intrusion and malware campaigns.
The APT39 cyber threat group and the Rana Intelligence Computing Company were sanctioned as well for their connections to Iran’s Ministry of Intelligence and Security, with Rana alleged to have served as a front company for the Iranian hackers.
According to the Treasury Department, some of the individuals targeted by the Iranian hackers — who also included students, refugees and former government employees — were eventually arrested and subjected to physical and psychological abuse.
“The Iranian regime uses its Intelligence Ministry as a tool to target innocent civilians and companies, and advance its destabilizing agenda around the world,” Treasury Secretary Steven Mnuchin said in a statement. “The United States is determined to counter offensive cyber campaigns designed to jeopardize security and inflict damage on the international travel sector.”
Secretary of State Mike Pompeo also expressed his support of the sanctions.
“We will continue to expose Iran’s nefarious behavior and we will never relent in protecting our homeland and allies from Iranian hackers,” Pompeo tweeted Thursday.
In addition to the sanctions, the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency published an advisory warning of Iranian cyber targeting, detailing tools used by the hackers to enable security professionals to prepare for attempted attacks and hinder the ability of the Iranian hackers to use those tools.
The advisory noted that the agencies were aware of an “Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks” that had successfully gained access to networks through exploiting virtual private network (VPN) vulnerabilities. VPNs are commonly used to access sensitive networks remotely and have been increasingly utilized during the uptick in remote work due to the COVID-19 pandemic.
“This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence,” the agencies warned in the advisory.
FBI Director Christopher Wray said in a statement Thursday that the advisory was put out to “help computer security professionals everywhere protect their networks from the malign actions of this nation state.”
“The FBI, through our Cyber Division, is committed to investigating and disrupting malicious cyber campaigns, and collaborating with our U.S. government partners to impose risks and consequences on our cyber adversaries,” Wray said.
John Hultquist, the senior director of analysis at cybersecurity group FireEye’s Mandiant Solutions, told The Hill in a statement that FireEye had been tracking APT39 for years.
“We believe the actor, who we have tracked for over five years, is enabling Iranian surveillance,” Hultquist said. “The actor has focused heavily on the telecommunications and travel industries as part of an effort to collect customer data and personal information on targets of interest. These efforts could threaten the customers of victim organizations who may then be physically endangered by the Iranian security services.”
The announcement of the sanctions came in the midst of a flurry of moves by the Trump administration to crack down on foreign cyber criminals.
The Justice Department indicted multiple Iranian hackers on Tuesday for hacking and defacing dozens of U.S. websites in retaliation for the death of Iranian Gen. Qassem Soleimani in a U.S. military strike earlier this year.
On Wednesday, the Justice Department announced indictments against two Iranian hackers linked to stealing hundreds of terabytes of data from U.S. and international organizations, a move that came hours after officials also indicted five Chinese nationals for allegedly hacking over 100 organizations around the world.