The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) on Wednesday announced sweeping sanctions against ten individuals and two entities backed by Iran’s Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks at least since October 2020.
The agency said the cyber activity mounted by the individuals is partially attributable to intrusion sets tracked under the names APT35, Charming Kitten, Nemesis Kitten, Phosphorus, and TunnelVision.
“This group has launched extensive campaigns against organizations and officials across the globe, particularly targeting U.S. and Middle Eastern defense, diplomatic, and government personnel, as well as private industries including media, energy, business services, and telecommunications,” the Treasury said.
The Nemesis Kitten actor, which is also known as Cobalt Mirage, DEV-0270, and UNC2448, has come under the scanner in recent months for its pattern of ransomware attacks for opportunistic revenue generation using Microsoft’s built-in BitLocker tool to encrypt files on compromised devices.
Microsoft and Secureworks have characterized DEV-0270 as a subgroup of Phosphorus (aka Cobalt Illusion), with ties to another actor referred to as TunnelVision. The Windows maker also assessed with low confidence that “some of DEV-0270’s ransomware attacks are a form of moonlighting for personal or company-specific revenue generation.”
What’s more, independent analyses from the two cybersecurity firms as well as Google-owned Mandiant has revealed the group’s connections to two companies Najee Technology (which functions under the aliases Secnerd and Lifeweb) and Afkar System, both of which have been subjected to U.S. sanctions.
It’s worth noting that Najee Technology and Afkar System’s connections to the Iranian intelligence agency were first flagged by an anonymous anti-Iranian regime entity called Lab Dookhtegan earlier this year.
“The model of Iranian government intelligence functions using contractors blurs the lines between the actions tasked by the government and the actions that the private company takes on its own initiative,” Secureworks said in a new report detailing the activities of Cobalt Mirage.
While exact links between the two companies and IRGC remain unclear, the method of private Iranian firms acting as fronts or providing support for intelligence operations is well established over the years, including that of ITSecTeam (ITSEC), Mersad, Emennet Pasargad, and Rana Intelligence Computing Company.
On top of that, the Secureworks probe into a June 2022 Cobalt Mirage incident showed that a PDF file containing the ransom note was created on December 17, 2021, by an “Ahmad Khatibi” and timestamped at UTC+03:30 time zone, which corresponds to the Iran Standard Time. Khatibi, incidentally, happens to be the CEO and owner of the Iranian company Afkar System.
Ahmad Khatibi Aghda is also part of the 10 individuals sanctioned by the U.S., alongside Mansour Ahmadi, the CEO of Najee Technology, and other employees of the two enterprises who are said to be complicit in targeting various networks globally by leveraging well-known security flaws to gain initial access to further follow-on attacks.
- Fortinet FortiOS path traversal vulnerability (CVE-2018-13379)
- Fortinet FortiOS default configuration vulnerability (CVE-2019-5591)
- Fortinet FortiOS SSL VPN 2FA bypass vulnerability (CVE-2020-12812)
- ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), and
- Log4Shell (CVE-2021-44228, CVE-2021-45046, and/or CVE-2021-45105)
“Khatibi is among the cyber actors who gained unauthorized access to victim networks to encrypt the network with BitLocker and demand a ransom for the decryption keys,” the U.S. government said, in addition to adding him to the FBI’s Most Wanted list.
“He leased network infrastructure used in furtherance of this malicious cyber group’s activities, he participated in compromising victims’ networks, and he engaged in ransom negotiations with victims.”
Coinciding with the sanctions, the Justice Department separately indicted Ahmadi, Khatibi, and a third Iranian national named Amir Hossein Nickaein Ravari for engaging in a criminal extortion scheme to inflict damage and losses to victims located in the U.S., Israel, and Iran.
All three individuals have been charged with one count of conspiring to commit computer fraud and related activity in connection with computers; one count of intentionally damaging a protected computer; and one count of transmitting a demand in relation to damaging a protected computer. Ahmadi has also been charged with one more count of intentionally damaging a protected computer.
“These defendants may have been hacking and extorting victims – including critical infrastructure providers – for their personal gain, but the charges reflect how criminals can flourish in the safe haven that the Government of Iran has created and is responsible for,” Assistant Attorney General Matthew Olsen said.
The development comes close on the heels of sanctions imposed by the U.S. against Iran’s Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmaeil Khatib, for engaging in cyber-enabled activities against the nation and its allies.