The Biden administration announced charges against three Iranian hackers with suspected ties to an Iranian government attack group called “Charming Kitten” for ransomware and hacking operations, according to U.S. officials.
The hackers, who are affiliated with Iran’s Islamic Revolutionary Guard Corps, according to officials at the Department of Treasury, have gone after hundreds of organizations in the United States, the U.K., Israel, Iran, and elsewhere, including a shelter for victims of domestic violence in Pennsylvania, an electric utility company based in Indiana, and a public housing entity, according to court documents.
The hacking group has been running ransomware operations since at least 2020 by breaking into organizations around the globe, stealing data, and threatening to publish the stolen information unless the victims paid hundreds of thousands of dollars. The group, which is also known as “APT 35,” has historically conducted espionage operations for the Iranian government and has targeted Middle Eastern government, diplomatic, and military personnel, as well as journalists and energy and telecommunications entities.
The hackers went after their targets for personal gain, Assistant Attorney General Matthew Olsen said. But the Iranian government has fostered and enabled them, he said.
“The charges reflect how criminals can flourish in the safe haven that the Government of Iran has created and is responsible for,” Olsen said.
The messages the hackers sent to their victims after they had been hacked directed them to contact the Iranians for instructions.
“Hi. Do not take any action for recovery. Your files may be corrupted and not recoverable. Just contact us,” the hackers sent to the domestic violence shelter.
After they received payment from the shelter, they sent the victims a decryption key to recover their information, according to the indictment.
Other threatening messages from the IRGC-tied hacking team get right to business.
“I locked more than 90 systems on your network,” the hackers wrote to a hacked construction company in February this year. “Are you ready to pay?”
“If you don't want to pay, I can sell your data on the black market,” the hackers wrote to an accounting firm. “This choice is yours.”
The Biden administration on Wednesday also sanctioned the three indicted Iranian hackers, Mansour Ahmadi, Ahmad Khatibi Aghda, and Amir Hossein Nickaein, and announced that the U.S. government will be offering a $10 million reward for any information that leads to the identification or location of Mansour, Khatibi, or Nickaein.
The Biden administration sanctioned seven other Iranians for their hacking operations with the IRGC as well. The other seven that were sanctioned include Ali Agha-Ahmadi, Mohammad Agha Ahmadi, Mo’in Mahdavi, Aliakbar Rashidi-Barjini, Mostafa Haji Hosseini, Mojtaba Haji Hosseini, and Mohammad Shakeri-Ashtijeh.
The FBI has been warning about the hackers for months now. In May of 2021 the agency issued an alert detailing worrying hacking activity coming from an attacker using the pseudonym “elie.”
The announcement of the charges and sanctions for the IRGC affiliates comes just weeks after U.S. prosecutors revealed an IRGC member was tasked with assassinating former U.S. national security adviser John Bolton for $300,000.
Just in the last several weeks the United States and cybersecurity researchers have identified other Iranian government-tied hacking campaigns. FBI Director Christopher Wray in June accused the Iranian government of hacking Boston Children’s Hospital. Iranian hackers tied to the IRGC have also targeted U.S. government officials, dissidents, and reporters, according to a new report from cybersecurity firm Mandiant.