The US has filed charges and is seeking the arrest of two Iranian nationals believed to have carried out cyber-intrusions at the behest of the Iranian government and for their own personal financial gain.
In an indictment unsealed today, prosecutors accused Hooman Heidarian and Mehdi Farhadi, both from Hamedan, Iran, of launching cyber-attacks against a wide range of targets since at least 2013.
Past victims included several US and foreign universities, a Washington think tank, a defense contractor, an aerospace company, a foreign policy organization, non-governmental organizations (NGOs), non-profits, and foreign government and other entities the defendants identified as rivals or adversaries to Iran, with most targets located in the US, Israel, and Saudi Arabia.
US officials said Heidarian and Farhadi focused on gaining access to their victims' accounts, computers, and internal networks, from where they stole confidential data and communications pertaining to topics such as national security, foreign policy, nuclear energy, and aerospace.
Financial data and personally identifiable information wasn't off-limits, and the two also stole intellectual property, such as unpublished scientific research.
In addition, the two also targeted and stole personal information and communications of Iranian dissidents, human rights activists, and opposition leaders, according to George M. Crouch Jr., Special Agent in Charge of the FBI Newark Division.
Prosecutors believe that some of the stolen data was handed over to Iranian government intelligence officials, but that other information was also sold on black markets for the hackers' personal gains.
Hacking tactics evolved across the years
Heidarian and Farhadi's hacking skills and tactics also evolved across the years. According to court documents, US officials said that Heidarian previously also operated under the hacker monicker of Sejeal, under which he defaced more than 1,000 websites with pro-Iranian messages.
However, Heidarian and Farhadi eventually moved on from these skid-level hacks to adopting the tactics of regular state-sponsored and cybercrime groups.
This included performing online reconnaissance before launching attacks, using vulnerability scanners to find weak spots in a victim's network, and using SQL injection exploits to take over vulnerable servers.
They also dabbled with malware, also deploying keyloggers and remote access trojans (RATs), and eventually built their own botnet for spamming victims and launching DDoS attacks.
Further, the two also used session hijacking to gain access to accounts using stolen cookie files, and in some instances, they also set up hidden forwarding rules for compromised email accounts.
Each hacker risks more than 20 years in prison for their crimes, if caught, extradited, and found guilty.
The DOJ trifecta
The Heidarian and Farhadi charges come to complete a DOJ trifecta today, with US prosecutors also unsealing indictments against five Chinese hackers believed to be part of China's APT41 hacker group, and two Russian hackers, involved in the theft of $16.8 million from cryptocurrency users via phishing sites.
According to Kaspersky researchers, Farhadi is suspected to have been a member of Iranian hacker group APT34. His name was shared on a Telegram channel where a mysterious group leaked the source code of APT34 malware.
Iranian state-sponsored hackers dabbling in both espionage and financially-motivated cybercrime isn't anything new. The US previously charged another Iranian hacker group in March 2018, which similarly operated as a hacker-for-hire group for the Iranian regime, and also stole and sold academic research and papers from western universities on dedicated Iranian websites.