US imposes sanctions on nine Iranian hackers involved in a massive state-sponsored hacking scheme

The US DoJ and Department of the Treasury on Friday announced charges against nine Iranian hackers for alleged involvement in state-sponsored hacking activities.

The US Department of Justice and Department of the Treasury on Friday announced charges against nine Iranians for alleged involvement in a massive state-sponsored hacking scheme. The hackers hit more than 300 universities and tens of companies in the US and abroad and stole “valuable intellectual property and data.”

According to the Treasury Department, since 2013, the Mabna Institute hit 144 US universities and 176 universities in 21 foreign countries.

The hackers also targeted the US Department of Labor, the US Federal Energy Regulatory Commission, and many private and non-governmental organizations.

The sanctions also hit the Mabna Institute, an Iran-based company that had a critical role in coordinating the attacks on behalf of Iran’s Revolutionary Guards.

The nine defendants are Gholamreza Rafatnejad, 38; Ehsan Mohammadi, 37; Abdollah Karima, aka Vahid Karima, 39; Mostafa Sadeghi, 28; Seyed Ali Mirkarimi, 34; Mohammed Reza Sabahi, 26; Roozbeh Sabahi, 24; Abuzar Gohari Moqadam, 37; and Sajjad Tahmasebi, 30. All of them are residents of Iran.

Gholamreza Rafatnejad (38) and Ehsan Mohammadi (37) are the two founders of the Mabna Institute.

“The indictment alleges that the defendants worked on behalf of the Iranian government, specifically the Islamic Revolutionary Guard Corps,” said Deputy Attorney General Rod Rosenstein in prepared remarks delivered at a press conference on Friday.

“They hacked the computer systems of approximately 320 universities in 22 countries. One-hundred forty-four of the victims are American universities. The defendants stole research that cost the universities approximately $3.4bn to procure and maintain.”

The US indictment revealed a coordinated effort from 2013 through the end of 2017 involving online cyber espionage against academics, with the intent of discovering their research interests.

The Iranian hackers launched spear-phishing attacks using messages that appeared to be sent by another professor. The messages usually embedded a malicious link to a bogus domain used to steal the victim’s login credentials.
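The two signals described above (a sender posing as a known colleague, and a link to a lookalike domain that harvests credentials) are exactly what a mail-security team screens for. The following Python script is an added example for this page, not code from the article or from any of the organizations it mentions; it applies three defender-side checks to a constructed sample message. The institution domain `example-univ.edu`, the staff directory and the message itself are all invented for the demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for the demonstration (not from the indictment or the article).
SAMPLE_MESSAGE = """\
From: "Prof. Jane Doe" <jane.doe@mail-example-univ.com>
To: john.smith@example-univ.edu
Subject: Request for your recent paper
Content-Type: text/plain; charset=utf-8

Dear Dr. Smith,

I read your paper and would like a copy. You can confirm access here:
https://example-univ.edu.login-verify.net/sso/index.php
Best, Jane
"""

# Hypothetical institution domain and staff directory (constructed for the example).
INSTITUTION_DOMAIN = "example-univ.edu"
STAFF_DIRECTORY = {
    "jane doe": "jane.doe@example-univ.edu",
    "john smith": "john.smith@example-univ.edu",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalise_name(display_name):
    # Drop honorifics and collapse whitespace so "Prof. Jane Doe" becomes "jane doe".
    cleaned = re.sub(r"\b(professor|prof|dr|mrs|ms|mr)\.?\s*", "", display_name, flags=re.I)
    return " ".join(cleaned.lower().split())


def registrable_domain(host):
    # Crude eTLD+1 (last two labels); a production deployment would use a public-suffix list.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_message(raw, institution_domain=INSTITUTION_DOMAIN, directory=STAFF_DIRECTORY):
    """Return a list of human-readable findings; an empty list means no phishing signal."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    findings = []

    # 1. Display name matches a known colleague, but the address is not that colleague's.
    known = directory.get(normalise_name(display_name))
    if known and known.lower() != address.lower():
        findings.append(f"display name impersonates {known}, actual sender {address}")

    # 2. Sender domain only resembles the institution's domain (contains its name).
    if (sender_domain and sender_domain != institution_domain
            and institution_domain.split(".")[0] in sender_domain):
        findings.append(f"lookalike sender domain {sender_domain}")

    # 3. Links whose host embeds the institution's domain but belong to another registrable domain.
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if institution_domain in host and registrable_domain(host) != institution_domain:
            findings.append(f"credential-harvesting style link {url}")
    return findings


if __name__ == "__main__":
    for finding in triage_message(SAMPLE_MESSAGE):
        print("FLAG:", finding)
```

Run against the sample, the script raises all three flags; a message from the real `jane.doe@example-univ.edu` linking to a page under `example-univ.edu` raises none. The directory lookup is the check that matters most for the campaign described here, since the lure relies on the recipient trusting a familiar name rather than inspecting the address behind it.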

Mabna Institute employees “engaged in the theft of valuable intellectual property and data from hundreds of US and third-country universities… for private financial gain,” said Deputy Attorney General Rod Rosenstein.

“For many of these intrusions, the defendants acted at the behest of the Iranian government and, specifically, the Iranian Revolutionary Guard Corps.”

Geoffrey Berman, US Attorney for the Southern District of New York, revealed that the spear-phishing campaign targeted more than 100,000 university professors worldwide and that about 8,000 accounts were compromised.

The Iranian hackers exfiltrated 31 terabytes of data, roughly 15 billion pages of academic projects.

The stolen data included “research, and other academic data and documents, including, among other things, academic journals, theses, dissertations, and electronic books.”

One of the 10 Iranians subject to sanctions, Behzad Mesri, was already known to the US authorities. In November 2017, the United States charged the Iranian computer expert Behzad Mesri over the HBO ‘Game of Thrones’ hack; he was accused of stealing scripts and plot summaries for ‘Game of Thrones’.

Manhattan US Attorney Joon Kim said Mesri “had previously hacked computer systems for the Iranian military.” The man threatened to release the stolen data unless HBO paid a $6 million ransom in Bitcoin.

Prosecutors confirmed that the Iranian man was a member of the Iran-based Turk Black Hat Security hacking group, which targeted hundreds of websites in the United States and around the world.

Experts discovered that Mesri and Charming Kitten were linked through “ArYaIeIrAN,” another member of the Turk Black Hat group.

Back to the present case, the Justice Department said that besides targeting university professors in the United States, the hackers also compromised accounts in Australia, Canada, China, Denmark, Finland, Germany, Ireland, Israel, Italy, Japan, Malaysia, the Netherlands, Norway, Poland, Singapore, South Korea, Spain, Sweden, Switzerland, Turkey and the United Kingdom.

Pierluigi Paganini

March 26, 2018
