Cyberattacks: the US offers a $10 million reward to help identify the hackers

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned ten individuals and two entities for their roles in conducting malicious cyber acts, including ransomware activity. Today's designations are part of a joint action with the Department of Justice, the Department of State, the Federal Bureau of Investigation, U.S. Cyber Command [...]
The individuals and entities designated today are all affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC). This action continues a series of OFAC designations aimed at protecting the American people from ransomware activity, facilitators of ransomware activity and other cybercrime.
The State Department's Rewards for Justice program offers a reward of up to $10 million for information leading to the identification or location of any person who participates in malicious cyber activities against U.S. critical infrastructure.
“Ransomware actors and other cyber criminals, regardless of their national origin or base of operations, have targeted businesses and critical infrastructure across the board, directly threatening the physical security and the economy of the United States and other nations,” said Treasury Under Secretary for Terrorism and Financial Intelligence Brian E. Nelson. “We will continue to take coordinated action with our global partners to combat and deter ransomware threats, including those associated with the IRGC.”
Ransomware incidents have disrupted critical services and businesses globally, including schools, government offices, hospitals and emergency services, transportation, and energy and food companies. Reported ransomware payments in the United States reached over $590 million in 2021, compared with a total of $416 million in 2020. The U.S. government estimates that these payments represent only a fraction of the economic harm caused by malicious cyber activity. Beyond the millions of dollars paid directly in ransoms and spent on response and recovery, the disruption of critical sectors highlights the goals of those who seek to weaponize technology for personal gain, harming our economy and the businesses, households and individuals who depend on it for their livelihoods, savings and future.
Today's action demonstrates the U.S. government's commitment to disrupting ransomware actors and their infrastructure. The United States will not tolerate malicious cyber activity, including cybercrime and disruptive activity, that victimizes the backbone of the American economy and its critical infrastructure.
MALICIOUS CYBER ACTORS AFFILIATED WITH THE IRGC
Today, OFAC, as part of a whole-of-government response, took action against a group of Iran-based malicious cyber actors who have compromised networks in the United States and other countries since at least 2020. This IRGC-affiliated group is known for exploiting software vulnerabilities to conduct ransomware activity, as well as for unauthorized computer access, data exfiltration and other malicious cyber activity. Private cyber security firms routinely assign names to specific cyber campaigns, and while the individuals sanctioned today are not directly tied to a single named advanced persistent threat (APT) group, some of their malicious cyber activity may be partly attributable to several intrusion sets, including “APT 35”, “Charming Kitten”, “Nemesis Kitten”, “Phosphorus” and “TunnelVision”.
This group has launched extensive campaigns against organizations and officials around the globe, particularly targeting U.S. and Middle Eastern defense, diplomatic and government personnel, as well as private industries including media, energy, business services and telecommunications.
In February 2021, this group of malicious cyber actors compromised the computer network of a New Jersey municipality by exploiting a specific Fortinet vulnerability. The actors used their access to create unauthorized accounts, escalate privileges and move laterally into other parts of the network. They also deployed Fast Reverse Proxy on one of the municipality's servers to establish persistent remote access to a domain registered by Mansour Ahmadi (Mansour). The group also installed tools such as Mimikatz and FileZilla to further its malicious activity.
In March and April 2021, this malicious cyber group launched the first known instances of its encryption activity by compromising networks, enabling Microsoft BitLocker without authorization and holding the decryption keys for ransom. During this period a number of small businesses were affected, including a law firm, an accounting firm and a construction contractor.
In June 2021, the group gained unauthorized access to supervisory control and data acquisition (SCADA) systems associated with a U.S.-based children's hospital. After compromising the network, the actors created unauthorized accounts, escalated privileges, moved laterally through the network, established persistent access, exfiltrated data and encrypted at least one device with BitLocker. U.S. government law enforcement partners notified the children's hospital before there was any impact on patient care or medical services.
From June to August 2021, the group accelerated its malicious activity by targeting a broad range of U.S.-based victims, including transportation providers, healthcare practices, emergency service providers and educational institutions. U.S. government agencies were able to warn potential victims of this activity and, in many cases, prevented or mitigated damage to or compromise of computer networks.
From September 2021 to the present, this group has primarily gained unauthorized access to victim networks by exploiting Microsoft Exchange vulnerabilities associated with ProxyShell, including an October 2021 incident in which it compromised the network of an electric utility company serving a rural area of the United States and maliciously used BitLocker to disrupt operations.
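The intrusion chain described in the paragraphs above (new accounts, privilege escalation, a reverse proxy for persistence, then BitLocker enabled on victim machines by the intruders) is the kind of sequence a defender can catch by correlating Windows Security events. The following Python is an added example written for this page, not code from Treasury, the joint advisory or any vendor. The event records, host names and account names are constructed for illustration, the field layout only loosely mirrors the Windows Security log, and the 14-day lookback window is an assumed tuning value.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). The fields loosely mirror
# the Windows Security log: 4720 = user account created,
# 4732 = member added to a security-enabled local group,
# 4688 = process creation (requires command-line auditing to be enabled).
SAMPLE_EVENTS = [
    {"ts": "2021-03-02T01:10:00", "host": "SRV01", "id": 4720,
     "subject": "CORP\\websvc", "target": "svc_backup", "cmd": ""},
    {"ts": "2021-03-02T01:11:30", "host": "SRV01", "id": 4732,
     "subject": "CORP\\websvc", "target": "svc_backup", "group": "Administrators", "cmd": ""},
    # Reverse proxy client launched by the freshly created account (persistence)
    {"ts": "2021-03-02T01:40:12", "host": "SRV01", "id": 4688,
     "subject": "SRV01\\svc_backup", "target": "", "cmd": "C:\\ProgramData\\frpc.exe -c frpc.ini"},
    # BitLocker enabled on the system drive by that same account a day later
    {"ts": "2021-03-03T02:05:44", "host": "SRV01", "id": 4688,
     "subject": "SRV01\\svc_backup", "target": "",
     "cmd": "manage-bde.exe -on C: -RecoveryPassword -UsedSpaceOnly"},
    # Benign: a long-standing IT admin enables BitLocker on a laptop
    {"ts": "2021-03-03T09:00:00", "host": "LT07", "id": 4688,
     "subject": "CORP\\itadmin", "target": "", "cmd": "manage-bde.exe -on C: -RecoveryPassword"},
]

REVERSE_PROXY_BINARIES = ("frpc", "frps")  # Fast Reverse Proxy client / server


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _account(subject):
    """'DOMAIN\\user' or 'HOST\\user' -> 'user' (lower-cased for comparison)."""
    return subject.rsplit("\\", 1)[-1].lower()


def _enables_bitlocker(cmd):
    """True for 'manage-bde -on' or the Enable-BitLocker cmdlet; -status etc. are ignored."""
    c = cmd.lower()
    return ("manage-bde" in c and " -on" in c) or "enable-bitlocker" in c


def find_reverse_proxy(events):
    """Process-creation events whose command line launches an FRP binary."""
    return [e for e in events
            if e["id"] == 4688 and any(b in e["cmd"].lower() for b in REVERSE_PROXY_BINARIES)]


def find_suspicious_bitlocker(events, window_days=14):
    """Flag BitLocker enablement by an account that was created (4720) or added
    to Administrators (4732) on the same host within the lookback window.
    window_days=14 is an assumed tuning value, not a published threshold."""
    events = sorted(events, key=_ts)
    window = timedelta(days=window_days)
    findings = []
    for e in events:
        if e["id"] != 4688 or not _enables_bitlocker(e["cmd"]):
            continue
        actor, when = _account(e["subject"]), _ts(e)
        reasons = []
        for p in events:
            if p["host"] != e["host"] or not (when - window <= _ts(p) < when):
                continue
            if p["target"].lower() != actor:
                continue
            if p["id"] == 4720:
                reasons.append("account created at " + p["ts"])
            elif p["id"] == 4732 and p.get("group", "").lower() == "administrators":
                reasons.append("added to Administrators at " + p["ts"])
        if reasons:
            findings.append({"host": e["host"], "account": actor,
                             "ts": e["ts"], "cmd": e["cmd"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_bitlocker(SAMPLE_EVENTS):
        print("BitLocker enabled by a recently created/elevated account:", f)
    for e in find_reverse_proxy(SAMPLE_EVENTS):
        print("Reverse proxy launched:", e["host"], e["cmd"])
```

Run against the constructed events, the check flags only the SRV01 encryption (account created and added to Administrators the day before) and the frpc.exe launch, while the IT admin's routine BitLocker rollout on LT07 is not reported. On a real estate the same logic would be fed exported Security log records; event 4688 only carries the command line when "Include command line in process creation events" is enabled by policy, and the initial Fortinet or ProxyShell exploitation is outside what these host events can show.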
This IRGC-affiliated group consists of employees and associates of Najee Technology Hooshmand Fater LLC (Najee Technology) and Afkar System Yazd Company (Afkar System). Mansour is the owner, managing director and chairman of the board of Najee Technology. Ahmad Khatibi Aghda (Khatibi) is the managing director and a board member of Afkar System. Additional employees and associates of Najee Technology and/or Afkar System include: Ali Agha-Ahmadi (Ali Ahmadi); Mohammad Agha Ahmadi (Mohammad Ahmadi); Mo'in Mahdavi (Mahdavi); Aliakbar Rashidi-Barjini (Rashidi); Amir Hossein Nikaeen Ravari (Nikaeen); Mostafa Haji Hosseini (Mostafa); Mojtaba Haji Hosseini (Mojtaba); and Mohammad Shakeri-Ashtijeh (Shakeri).
Khatibi has been associated with Afkar System since at least 2007 and serves as its managing director and a board member. Khatibi is among the cyber actors who gained unauthorized access to victim networks to encrypt them with BitLocker and demand a ransom for the decryption keys. He leased the network infrastructure used to further the activities of this malicious cyber group, participated in compromising victim networks and engaged in ransom negotiations with victims.
Nikaeen was an employee of Afkar System between 2015 and at least 2019. Nikaeen leased and registered the network infrastructure used to further the activities of this malicious cyber group and participated in compromising victim networks.
Ali Ahmadi has been an employee of Najee Technology since at least 2019. Rashidi has worked for Mansour since at least February 2021.
The IRGC-affiliated individuals Mansour, Ali Ahmadi, Mohammad Ahmadi, Mahdavi, Rashidi, Khatibi, Nikaeen, Mostafa, Mojtaba and Shakeri, and the IRGC-affiliated companies Najee Technology and Afkar System, are responsible for, complicit in, or have engaged in, directly or indirectly, the targeting of a wide range of networks worldwide, including critical infrastructure, exploiting known vulnerabilities to gain initial access for malicious activity, including ransomware operations.
Mansour, Ali Ahmadi, Mohammad Ahmadi, Mahdavi, Rashidi, Khatibi, Nikaeen, Mostafa, Mojtaba and Shakeri were designated pursuant to Executive Order (E.O.) 13694, as amended, for being responsible for or complicit in, or having engaged in, directly or indirectly, cyber-enabled activity identified pursuant to E.O. 13694, as amended.
Najee Technology was designated pursuant to E.O. 13694, as amended, for having materially assisted, sponsored, or provided financial, material or technological support for, or goods or services to or in support of, cyber-enabled activity identified pursuant to E.O. 13694, as amended.
Afkar System was designated pursuant to E.O. 13694, as amended, for being owned or controlled by, or having acted or purported to act for or on behalf of, directly or indirectly, Khatibi, a person whose property and interests in property are blocked pursuant to E.O. 13694, as amended.
In addition to the sanctions, the U.S. Attorney's Office for the District of New Jersey unsealed an indictment charging Mansour, Khatibi and Nikaeen with violating the Computer Fraud and Abuse Act (CFAA) and conspiring to violate the CFAA.
The State Department's Rewards for Justice (RFJ) program offers a reward of up to $10 million for information leading to the identification or location of Mansour, Khatibi, Nikaeen, or any other person who, while acting at the direction or under the control of a foreign government, engages in malicious cyber activities against U.S. critical infrastructure in violation of the CFAA.
In addition, a joint Cybersecurity Advisory (CSA), the product of an analytic effort between the Treasury Department, the FBI, the NSA, USCYBERCOM, the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS) and the United Kingdom's National Cyber Security Centre (NCSC), has been published to highlight continued malicious activity by advanced persistent threat (APT) actors that the authoring agencies assess are affiliated with the IRGC.
SANCTIONS IMPLICATIONS
As a result of today's action, all property and interests in property of the individuals and entities described above that are in the United States are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked. All transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons are prohibited unless authorized by a general or specific license issued by OFAC, or exempt. These prohibitions include the making of any contribution or provision of funds, goods or services by, to, or for the benefit of any blocked person, and the receipt of any contribution or provision of funds, goods or services from any such person. In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action.
The power and integrity of OFAC sanctions derive not only from OFAC's ability to designate and add persons to the Specially Designated Nationals and Blocked Persons (SDN) List, but also from its willingness to remove persons from the SDN List consistent with the law. The ultimate goal of sanctions is not to punish, but to bring about a positive change in behavior. For information about the process for seeking removal from an OFAC list, including the SDN List, please refer to OFAC's Frequently Asked Question 897 here. For detailed information on how to submit a request for removal from an OFAC sanctions list, see here.
Click here for more information on the individuals and entities designated today.
See OFAC's updated advisory on the potential sanctions risks of facilitating ransomware payments here, for information on the factors OFAC would consider mitigating in any enforcement action related to ransomware payments with a potential sanctions nexus. For information on compliance with applicable sanctions in the virtual currency context, see OFAC's Sanctions Compliance Guidance for the Virtual Currency Industry here.