The U.S. Department of the Treasury today slapped sanctions on Iranian cyber threat group Advanced Persistent Threat 39 (APT39), 45 associated individuals, and one front company.
This comes amid Washington’s attempts to trigger a snapback mechanism in the 2015 Iran nuclear deal that would restore all UN sanctions on Tehran.
“Masked behind its front company, Rana Intelligence Computing Company (Rana), the Government of Iran (GOI) employed a years-long malware campaign that targeted Iranian citizens, particularly dissidents, Iranian journalists, former government employees, environmentalists, refugees, university students and faculty, and employees at international nongovernmental organizations,” the Treasury said in a statement September 17.
Concurrent with the action by Treasury's Office of Foreign Assets Control (OFAC), the U.S. Federal Bureau of Investigation (FBI) released detailed information about APT39 in a public intelligence alert.
Rana has allegedly used malicious cyber intrusion tools to target or compromise approximately 15 U.S. companies, primarily in the travel sector. Cyber actors working for Iran's Ministry of Intelligence and Security (MOIS) targeted a wide range of victims, including global airlines and foreign intelligence services.
“The Iranian regime uses its Intelligence Ministry as a tool to target innocent civilians and companies, and advance its destabilizing agenda around the world,” said Treasury Secretary Steven T. Mnuchin.
Rana advances Iranian national security objectives and the strategic goals of Iran’s Ministry of Intelligence and Security (MOIS) by conducting computer intrusions and malware campaigns against perceived adversaries, including foreign governments and other individuals the MOIS considers a threat.
The Treasury accused the 45 cyber professionals of having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, the MOIS. The 45 designated individuals served in various capacities while employed at Rana, including as managers, programmers, and hacking experts. These individuals provided support for ongoing MOIS cyber intrusions targeting the networks of international businesses, institutions, air carriers, and other targets that the MOIS considered a threat.
The FBI advisory, also released today, details eight separate and distinct sets of malware used by the MOIS through Rana to conduct its computer intrusion activities. This is the first time most of these technical indicators have been publicly discussed and attributed to the MOIS by the U.S. government. By publishing these indicators, the FBI aims to hinder the MOIS's ability to continue the campaign and to curb the victimization of thousands of individuals and organizations around the world.
“The FBI, through our Cyber Division, is committed to investigating and disrupting malicious cyber campaigns, and collaborating with our U.S. government partners to impose risks and consequences on our cyber adversaries. Today, the FBI is releasing indicators of compromise attributed to Iran’s MOIS to help computer security professionals everywhere protect their networks from the malign actions of this nation state,” said FBI Director Christopher Wray.
The MOIS, camouflaged as Rana, has played a key role in the GOI’s abuse and surveillance of its own citizens. Some of these individuals were subjected to arrest and physical and psychological intimidation by the MOIS. APT39 actors have also victimized Iranian private sector companies and Iranian academic institutions, including domestic and international Persian language and cultural centers. Rana has also targeted at least 15 countries in the Middle East and North Africa region, the statement read.