U.S. targets Iran-backed hackers with sanctions, charges

Said Pourkarim Arabi has been accused of being a member of Iran's Islamic Revolutionary Guard Corps. Photo courtesy of the FBI

Sept. 17 (UPI) -- The Trump administration on Thursday indicted and sanctioned dozens of Iranian hackers as part of a larger multiagency effort to disrupt cyberattacks connected to Iran's Ministry of Intelligence and Security and its elite Islamic Revolutionary Guard Corps.

Since Monday, the United States has been disseminating warnings and announcing charges against Iran-sponsored hackers, an effort that continued Thursday with the Justice Department unsealing a nine-count indictment in the Eastern District of Virginia charging three hackers with stealing critical aerospace and satellite technology and resources.

Treasury Secretary Steven Mnuchin announced sanctions imposed against the Iranian cyber threat group called Advanced Persistent Threat 39, including 45 associates and a front company over a multi-year malware campaign targeting Iranian dissidents, journalists and international travel-sector companies in at least 15 countries.

"This week's unsealing of indictments and other disruptive actions serves as another reminder of the breadth and depth of Iranian malicious cyber activities targeting not only the United States but countries all over the world," Assistant Attorney General for National Security John C. Demers said in a statement. "Whether directing such hacking activities, or by offering a safe haven for Iranian criminal hackers, Iran is complicit in the targeting of innocent victims worldwide and is deepening its status as a rogue state."

The indictment unsealed Thursday charges Iranian nationals Said Pourkarim Arabi, 34; Mohammad Reza Espargham, 25; and Mohammad Bayati, 34, with conspiracy to commit computer intrusions, obtaining information by unauthorized access to protected computers, four counts of intentional damage to protected computers, three counts of aggravated identity theft and conspiracy to commit wire fraud.

According to the indictment, Arabi was a member of the Islamic Revolutionary Guard Corps, an elite arm of the Iranian military that the Trump administration designated as a terrorist organization in 2019.

Prosecutors said Arabi was living in IRGC housing and was an intelligence officer and operations manager for IRGC air, space and cyber during the four years of the campaign, and that he passed on directives to the other two hackers.

The indictment accuses the trio of sending spear-phishing emails to a target list of more than 1,800 online accounts belonging to individuals, organizations and companies involved in aerospace or satellite technology and government organizations in the United States, Britain, Singapore, Australia and Israel.

Spear phishing is the sending of an email or other electronic message, spoofed to appear to come from a reputable or known source, to a specific target, according to the Justice Department.

The accused created falsified email accounts posing as real people and organizations and sent emails to their targets in order to get victims to click a link that downloaded malware to their computers, giving the hackers access not only to those devices but to the networks behind them, the indictment said.

The trio then used additional hacking tools to maintain unauthorized access, escalate their privileges and steal data sought by the IRGC, the Justice Department said.
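To make the mechanics concrete from the defender's side, here is an added example (not code from the article, the Justice Department or the FBI advisory) that screens an inbound message for the spoofed-sender indicators described above: a display name that invokes a trusted organization while the address comes from elsewhere, a lookalike sender domain, a Reply-To that diverts responses, and links pointing off the sender's domain. The organization name, the allow-listed domains and both sample messages are constructed for the example and are not taken from the case.

```python
"""Heuristic screening of inbound mail for spear-phishing indicators (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: organizations the recipient routinely corresponds
# with and the domains they legitimately send from. Hypothetical values.
KNOWN_SENDERS = {
    "example aerospace": {"example-aerospace.com"},
}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def in_known(dom, doms):
    """True if dom is one of the allow-listed domains or a subdomain of one."""
    return any(dom == d or dom.endswith("." + d) for d in doms)


def edit_distance(a, b):
    """Plain Levenshtein distance; small distances flag typo-squatted lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the known domain that host closely imitates, or None."""
    for doms in KNOWN_SENDERS.values():
        for d in doms:
            if not in_known(host, {d}) and edit_distance(host, d) <= 2:
                return d
    return None


def screen_message(raw):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []

    # 1. Display name invokes a known organization, but the address is not from its domains.
    for org, doms in KNOWN_SENDERS.items():
        if org in name.lower() and not in_known(from_dom, doms):
            findings.append(f"display name invokes '{org}' but sender domain is {from_dom}")

    # 2. Sender domain is a near-miss of a known domain (e.g. a digit swapped for a letter).
    target = lookalike_of(from_dom)
    if target:
        findings.append(f"sender domain {from_dom} resembles known domain {target}")

    # 3. Reply-To quietly routes the victim's answer to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_dom}")

    # 4. Links in the body: outside the sender's domain, or lookalikes of a known one.
    body = msg.get_payload()  # sample messages are single-part text/plain
    for host in sorted({h.lower() for h in URL_RE.findall(body)}):
        if not in_known(host, {from_dom}):
            findings.append(f"link host {host} is outside sender domain {from_dom}")
        target = lookalike_of(host)
        if target:
            findings.append(f"link host {host} resembles known domain {target}")
    return findings


# Constructed sample messages (not real mail from the case).
PHISHING_MESSAGE = """From: Example Aerospace HR <hr@examp1e-aerospace.com>
Reply-To: recruiter@mail-relay.example.net
To: engineer@example-aerospace.com
Subject: Updated satellite program documents
Content-Type: text/plain

Please review the updated program documents here:
http://examp1e-aerospace.com/docs/update
"""

LEGIT_MESSAGE = """From: Example Aerospace HR <hr@example-aerospace.com>
To: engineer@example-aerospace.com
Subject: Updated satellite program documents
Content-Type: text/plain

Documents are on the portal: https://portal.example-aerospace.com/docs
"""

if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_MESSAGE), ("legitimate", LEGIT_MESSAGE)):
        print(label, screen_message(raw) or ["no indicators"])
```

Run as a script, the constructed phishing message produces four findings (display-name mismatch, lookalike sender domain, diverted Reply-To, lookalike link host) and the legitimate message none. Heuristics like these only narrow the funnel; in practice they sit beside SPF/DKIM/DMARC results and user-reporting, not in place of them.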

"This case highlights the Islamic Revolutionary Guard Corps' efforts to infiltrate the networks of American companies in search of valuable commercial information and intellectual property," John C. Demers, assistant attorney general for National Security, said in a statement.

The Treasury on Thursday blacklisted dozens of individuals following a long-term investigation by the FBI that connected them to the Ministry of Intelligence and Security via a front company, the Rana Intelligence Computing Company.

Those sanctioned include managers, programmers and hacking experts employed at Rana, designated for their support of ongoing cyber intrusions targeting the networks of international businesses, institutions, air carriers and other targets the ministry sees as a threat, the Treasury said in a release.

"The Iranian regime uses its intelligence ministry as a tool to target innocent civilians and companies, and advance its destabilizing agenda around the world," Mnuchin said in a statement. "The United States is determined to counter offensive cyber campaigns designed to jeopardize security and inflict damage on the international travel sector."

The FBI on Thursday released an advisory on Rana and several other Iran-backed hacking groups, explaining that Rana's malware campaign targeted and surveilled Iranian citizens and dissidents, journalists and government networks of Iran's neighboring countries, as well as foreign travel, academic and telecommunication organizations.

At least 15 U.S. companies and hundreds of individuals and entities from more than 30 countries were compromised by Rana's attacks, the advisory said, adding that the intent of the attacks was to harm the United States and its allies.

The sanctions freeze all U.S. assets owned by the blacklisted names and bars U.S. citizens from conducting business with them.

Secretary of State Mike Pompeo said Rana's tools were also used to target refugees, university students and employees at international non-governmental organizations.

"Today's action is another reminder of the great risk that the Iranian regime poses to international cybersecurity as well as to the Iranian people, who face the continued threat of digital darkness and high-tech silencing," the United States' top diplomat said. "The United States will not relent in our efforts to expose these threats and protect our homeland and our friends and allies."

The campaign against Iran's cyberattacks comes amid further fraying of the two countries' already fraught relationship, as Washington seeks to reimpose all U.N. sanctions against Tehran that were lifted under the 2015 multinational nuclear accord signed to prevent the Middle Eastern country from developing nuclear arms.

On top of Thursday's nine-count indictment, the Justice Department unsealed a three-count indictment on Tuesday charging two hackers with defacing U.S. websites, and a 10-count indictment on Wednesday charging two hackers with stealing hundreds of terabytes of data related to national security and other government departments.