Iranian charged over attacks against US defense contractors, government agencies

The US Department of Justice has unsealed an indictment accusing an Iranian national of a years-long campaign that compromised hundreds of thousands of accounts and attempted to infiltrate US defense contractors and multiple government agencies.

It’s alleged [PDF] that Alireza Shafie Nasab and his co-conspirators, while doing business as a cybersecurity company called Mahak Rayan Afraz, were actually operating a criminal gang. Nasab and his accomplices reportedly used spear phishing, social engineering, and software built in-house to compromise US targets from sometime in 2016 to April 2021, the DoJ claims.

“Nasab participated in a cyber campaign using spear phishing and other hacking techniques to infect more than 200,000 victim devices, many of which contained sensitive or classified defense information,” said Damian Williams, US Attorney for the Southern District of New York. 

According to [PDF] the DoJ, Nasab and his accomplices primarily targeted US contractors cleared to work with the Department of Defense, though not exclusively. It’s alleged that Nasab also targeted an accounting firm and hospitality company based in New York, as well as the US Departments of State and the Treasury and an unnamed foreign country.

The indictment doesn’t state whether intrusion attempts at federal government departments were successful, though we note both the State and Treasury departments have been broken into in recent years. Those attacks were attributed to China and Russia respectively. 

The DoJ’s indictment doesn’t include much information on which of Nasab’s alleged breach attempts were successful, but it does state that more than 200,000 employee accounts were compromised at the aforementioned accounting firm, and that 2,000 employee accounts at the hospitality company were “targeted,” though not necessarily breached.

It’s claimed that Nasab’s crew compromised an administrator email account belonging to a defense contractor, which was used to register a pair of fake accounts used to target employees at another contractor, as well as a consulting firm.

The DoJ alleged that Nasab’s crew also made use of social engineering tactics, generally posing as women “in order to obtain the confidence of victims.” 

This isn’t the first time Mahak Rayan Afraz has been fingered by cybersecurity researchers either. In 2021, Facebook said it had taken action against a group of Iranian cybercriminals dubbed “Tortoiseshell” by threat researchers at Symantec with links to Mahak Rayan Afraz.

According to Facebook, Tortoiseshell appeared to have outsourced its malware development, a portion of which it attributed to Nasab’s firm, which Facebook alleged has ties to Iran’s Revolutionary Guard Corps.

The DoJ claimed Nasab’s role involved procuring infrastructure for use by Mahak Rayan Afraz, and has charged him with one count of conspiracy to commit computer fraud, one count of conspiracy to commit wire fraud, a count of actually committing wire fraud, and one count of aggravated identity theft. 

If convicted on all counts, Nasab could face up to 47 years in prison, though the US might have trouble finding him. 

Nasab, a citizen of Iran, remains at large, and the Department of State’s Rewards for Justice Program is offering $10 million for information leading to his identification or whereabouts.

“Today’s charges highlight Iran’s corrupt cyber ecosystem, in which criminals are given free rein to target computer systems abroad and threaten US sensitive information and critical infrastructure,” said Assistant Attorney General Matthew Olsen of the DoJ’s National Security Division. “Our National Security Cyber Section remains focused on disrupting these cross-border hacking schemes and holding those responsible to account.” ®