Iranian hackers with ties to the nation’s military are responsible for carrying out “hundreds” of ransomware attacks on victims in the U.S. and other countries over multiple years, U.S. federal authorities said Wednesday. The attacks are said to have targeted nearly every kind of organization you could think of—from local governments to non-profits to small businesses, churches, and schools.
On Wednesday, the Justice Department unsealed an indictment against three men it says are responsible for the attacks. Mansour Ahmadi, Ahmad Khatibi Aghda, and Amir Hossein Nickaein Ravari are a trio of Iranian tech executives who also appear to have ties to the nation’s military. At least two of the men—Ravari and Aghda—are members of Iran’s Islamic Revolutionary Guard Corps (IRGC) and their companies are also said to be “affiliated” with the IRGC. The trio has been active since 2020, officials said.
According to the indictment, victims of the group’s attacks are diverse, including electrical utility companies in Indiana and Mississippi, a domestic violence shelter in Pennsylvania, a public housing corporation in Washington, a county government in Wyoming, and many others.
“These defendants may have been hacking and extorting victims – including critical infrastructure providers – for their personal gain, but the charges reflect how criminals can flourish in the safe haven that the Government of Iran has created and is responsible for,” Assistant Attorney General Matthew Olsen said Wednesday. “According to the Indictment, even other Iranians are less safe because their own government fails to follow international norms and stop Iranian cyber criminals.”
All of the men are facing a bevy of charges, including conspiracy to commit computer fraud, but since there’s pretty much zero chance that Iran is going to extradite them, they are unlikely to face any sort of legal punishment.
However, the U.S. Treasury has leveraged international sanctions against the alleged culprits’ companies in an effort to hamper their access to financial opportunities. On Wednesday, the Treasury blacklisted several bitcoin wallet addresses that belonged to Ravari and Aghada and that are alleged to have been used in connection with the attacks. CoinDesk reports that the addresses did not have any crypto in them at the time of the blacklisting, as their contents were drained earlier this year.
“Ransomware actors and other cybercriminals, regardless of their national origin or base of operations, have targeted businesses and critical infrastructure across the board—directly threatening the physical security and economy of the United States and other nations,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson, in a statement. “We will continue to take coordination action with our global partners to combat and deter ransomware threats, including those associated with the IRGC.”
In recent years, ransomware attacks have gotten bigger and messier. Last year, incidents like the ones involving major American companies like Colonial Pipeline and Kaseya helped propel ransomware from a commonplace scourge affecting industry to a high-profile national security threat that warranted government action. Since then, the feds have clearly been busy ramping up efforts to identify and disrupt cybercriminal organizations though, as this case suggests, finding the bad guys is usually easier than bringing them to justice.