The Justice Department indicted three Iranian men linked to the country’s Islamic Revolutionary Guard Corps over allegations that they hacked computer systems and demanded hundreds of thousands of dollars in ransom from entities in the United States and other countries, according to a federal grand jury indictment unsealed Wednesday in New Jersey and a statement by the Treasury Department.
The victims include a Pennsylvania-based domestic violence shelter, municipal governments in New Jersey and Wyoming, and a public housing corporation in Washington state.
Justice Department officials said the suspects — who are not accused of disrupting any power or critical infrastructure — also allegedly targeted entities in Iran and Russia.
The men — Mansur Ahmadi, 34; Ahmad Khatibi Aghda, 45; and Amir Hossein Nickaein, 30 — were acting on their own and not on behalf of the Iranian government, Justice Department officials said. But the officials said they believe the Revolutionary Guard Corps (IRGC) continues to ignore this type of malicious activity, enabling it to happen over and over again.
Ahmadi, Aghda and Nickaein are believed to be living in Iran, making it highly unlikely that the United States would be able to take them into custody. But Justice Department officials say the indictment would prevent the suspects from easily leaving their country and would limit their career prospects — a consequence the officials said could dissuade others from committing similar crimes.
The federal government also said the Treasury Department would sanction 10 people and two entities affiliated with the Revolutionary Guard Corps over their roles in the cyberattacks. As part of the sanctions, any American assets affiliated with those individuals would be frozen.
“We are not going to sit quietly,” a Justice Department official said.
According to an indictment unsealed Wednesday, the three Iranians illegally accessed hundreds of computer systems in the United States, Russia, the United Kingdom, Iran, Israel and elsewhere between October 2020 and August 2022. They allegedly took control of those systems and demanded ransoms in exchange for allowing the victims to regain access to their computers. Some of the victims, according to the indictment, paid the ransoms.
In December 2021, for example, the suspects allegedly gained access to a domestic violence shelter’s computer system and then blocked the shelter’s access to some of its systems and data. They then allegedly used their access to print a note on a printer in the domestic violence shelter that said: “Hi. Do not take any action for recovery. Your files may be corrupted and not recoverable. Just contact us.”
The hackers then demanded $13,000 paid in bitcoin so the shelter could restore access to its systems. The shelter sent the payment.
A month later, hackers gained access to a housing authority’s computer system in Washington state. They stole data from the authority and, similar to what they allegedly did to the domestic violence shelter, launched an encryption attack that blocked the authority from accessing some of its data and systems.
In February, the accused hackers allegedly emailed with housing authority representatives and threatened to sell their data if they did not pay them.
“I want this to end,” Aghda allegedly wrote in an email, “and if you do not want to pay, let me know so that I can make money by selling data.”
The FBI did not say how much had been paid in ransom in these attacks in total and said it did not freeze any of the bitcoin that was paid.
John Hultquist, vice president of intelligence analysis for Mandiant, a cybersecurity firm, warned that even though the suspects are not accused of performing the cyberattacks for the Revolutionary Guard Corps, the Iranian military group could still benefit from the alleged perpetrators’ online access.
“This is not just a ransomware issue. These are Iranian contractors who moonlight their skills but are ultimately associated with a dangerous state security organization,” Hultquist said. “The access they’re gaining is being used for crime, but the IRGC will likely also try to use it for its own interests, perhaps for disruptive attack.”
Multiple U.S. government agencies and offices released an advisory Wednesday informing individuals and organizations how to protect themselves from cyberattacks. Among the tips are maintaining offline backups of data, creating a cyberattack response plan, running available updates on software, implementing multifactor authentication on log-ins and more.
This memo was jointly sent with the governments of Canada, Australia, and the United Kingdom.
“This advisory points to specific instances in which IRGC-affiliated cyber actors have used publicly known vulnerabilities to gain access to U.S. critical infrastructure networks,” David Luber, deputy cybersecurity director at the National Security Agency, said in a statement. “We implore our net defenders and our partners to detect and mitigate this threat before your organization is the next ransomware victim.”
This is not the first time the United States has indicted Iranians for deploying cyberattacks on the country’s systems.
In November 2021, the Justice Department indicted two Iranians accused of a brazen hacking and disinformation campaign that targeted American voters in the run-up to the 2020 U.S. presidential election. Before these indictments, the U.S. Cyber Command and the National Security Agency had taken actions to ensure that Iran and other foreign actors did not interfere in the 2020 election.
Overall, the Treasury Department reports that the amount of money American victims pay in response to cyberattacks has grown from $416 million in 2020 to $590 million in 2021. The government estimates that these payments reflect just a fraction of the economic cost of cyberattacks.
A previous version of this article misspelled John Hultquist's name. The article has been corrected.