The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) on Monday sanctioned two firms and four individuals for their involvement in malicious cyber activities on behalf of the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) from at least 2016 to April 2021.
This includes the front companies Mehrsam Andisheh Saz Nik (MASN) and Dadeh Afzar Arman (DAA), as well as the Iranian nationals Alireza Shafie Nasab, Reza Kazemifar Rahman, Hossein Mohammad Harooni, and Komeil Baradaran Salmani.
“These actors targeted more than a dozen U.S. companies and government entities through cyber operations, including spear-phishing and malware attacks,” the Treasury Department said.
Concurrent with the sanctions, the U.S. Department of Justice (DoJ) unsealed an indictment against the four individuals for orchestrating cyber attacks targeting the U.S. government and private entities.
Furthermore, a reward of up to $10 million has been announced as part of the U.S. Department of State’s Rewards for Justice program for information leading to the identification or location of the group and the defendants.
It’s worth noting that Nasab, who worked for MASN, was charged in a previous indictment that was unsealed on February 29, 2024. The defendants remain at large.
Rahman, also employed by MASN, is alleged to have worked on testing malware intended to target job seekers with a focus on military veterans. He also purportedly worked for the Iranian Organization for Electronic Warfare and Cyber Defense (EWCD), a component of IRGC, from about 2014 through 2020.
MASN (formerly Mahak Rayan Afraz and Dehkadeh Telecommunication and Security Company) is tracked by the cybersecurity community under the name Tortoiseshell and is one of the many contracting companies that act as a cover for malicious campaigns orchestrated by IRGC. It was liquidated in June 2023.
The U.S. Treasury Department said the second sanctioned company also “engaged in malicious cyber campaigns on behalf of the IRGC-CEC,” noting that Harooni was employed by DAA and has carried out spear-phishing and social engineering attacks against U.S. organizations.
Salmani is said to be associated with multiple IRGC-CEC front companies, including MASN, and involved in spear-phishing campaigns targeting U.S. entities. Nasab, Harooni, and Salmani have also been responsible for procuring and maintaining the online network infrastructure used to facilitate the intrusions, the DoJ said.
In all, in the coordinated multi-year hacking spree, the defendants primarily singled out private sector defense contractors and other government entities, ultimately compromising more than 200,000 employee accounts.
Each of the defendants has been charged with conspiracy to commit computer fraud, conspiracy to commit wire fraud, and wire fraud. If convicted, they face up to five years in prison for the computer fraud conspiracy, and up to 20 years in prison for each count of wire fraud and conspiracy to commit wire fraud.
Furthermore, Harooni has been charged with knowingly damaging a protected computer, which carries a maximum penalty of 10 years in prison. Nasab, Harooni, and Salmani have also been charged with aggravated identity theft, which carries a mandatory consecutive term of two years in prison.
“Criminal activity originating from Iran poses a grave threat to America’s national security and economic stability,” said Attorney General Merrick B. Garland in a statement.
“These defendants are alleged to have engaged in a coordinated, multi-year hacking campaign from Iran targeting more than a dozen American companies and the U.S. Treasury and State Departments.”
The development comes amid geopolitical tensions in the Middle East after an Israeli air strike bombed Iran’s embassy in Syria, prompting the latter to launch a drone-and-missile attack on Israel, which, in turn, led to an Israeli missile strike hitting an air defense radar system near Isfahan.