Home inContext Iranian Hackers Charged in Ransomware Attack

Iranian Hackers Charged in Ransomware Attack

Michael Johnson
Deputy Attorney General Rod Rosenstein speaks during a news conference announcing the indictment against international computer hackers, at the Department of Justice in Washington, Wednesday, Nov. 28, 2018. (Photo: AP)

The  U.S. Department Justice (DOJ) announced this week that it had filed indictments against two Iranian men for a 2016 hacking attack against Western companies and institutions. Officials contend that the perpetrators earned six million dollars in the scheme, named SamSam, while causing major disruptions to its victims.

The attack worked by gaining access to computers through classic vulnerabilities, such as weak passwords or known weaknesses on unpatched systems. A Trojan file would spread through a network looking for other machines to infect. Then the malicious code would encrypt a user’s data making him or her unable to access documents and important files. The infected computer would then prompt the victim to send the attacker ransom money in the form of BitCoin, a hard-to-trace digital currency, to receive the password to unlock the files.

More than 200 institutions, including local governments, universities, and healthcare providers in the U.S., Canada, and the United Kingdom fell victim to the SamSam ransomware attack. One of the agencies affected, the Atlanta Police Department, was forced to hand write reports after being locked out of its files. Meanwhile, a Los Angeles hospital paid about $17,000 in ransom to regain access to its files.

Prosecutors contended that two men, Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, earned six million dollars from the scheme. The indictment includes charges of conspiracy to commit wire fraud as well as other cyber-crimes. Meanwhile, in a first, the Treasury Department also sanctioned the BitCoin address Mansouri and Savandi used to receive the extorted funds, prohibiting online exchange operators from conducting transactions with it. The Office of Foreign Assets Control also sanctioned Ali Khorashadizadeh and Mohammed Ghorbaniyan, who acted as intermediaries, exchanging the BitCoins into local rials, although they are not named in the indictment. Prosecutors did not reveal the sources or methods they used to obtain the perpetrators’ BitCoin accounts but did confirm that they had acquired chat logs of the men’s communication with their exchange operator.

DOJ officials did not indicate that the Iranian government was behind the SamSam attack, but Tehran has attempted its own offensive cyber-attacks against Western interests. Earlier this year, Washington accused Iran’s Islamic Revolutionary Guard Corps of organizing the hacking of academic accounts at 144 American universities. After successfully compromising more than 3,700 logins, nine Iranians stole an estimated $3 billion worth of intellectual property and sold the information online. Additionally, in March 2016, U.S. authorities charged seven Iranians with IRGC links with launching denial-of-service attacks against New York-based financial institutions.

Since Washington does not have an extradition treaty with Tehran and without any political goodwill between the two nations, it remains unlikely that the hackers will be brought in front of an American court. However, DOJ officials reiterated the persistence of the long arm of U.S. law enforcement during their press conference Wednesday. Moreover, Washington hopes that “naming and shaming” hackers makes it politically costlier for governments who aid or harbor them. The DOJ has taken similar action with cybercriminals and spooks from Russia and China, which facilitate the theft of intellectual property, conduct industrial espionage, and probe U.S. critical infrastructure for access.