The US Treasury has sanctioned several companies and individuals that have conducted cyber operations against American businesses and government entities on behalf of the Iranian regime.
The companies in question acted as “fronts” for the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) to attack US businesses and government entities using techniques like spear phishing and malware, according to the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announcement on April 23.
The two companies designated by the US government are named Mehrsam Andisheh Saz Nik (MASN) and Dadeh Afzar Arman (DAA).
MASN has been associated with multiple Iranian APT groups, including Tortoiseshell, and has been linked to a multi-year campaign that targeted over a dozen US companies and government entities, including the Department of the Treasury.
DAA has been engaged in various cyber campaigns on behalf of the IRGC-CEC.
OFAC said that although front company management and key personnel know their operations support the IRGC-CEC, much of the Iranian public is unaware that such companies are used in this way.
Read here: US Condemns Iran, Issues Sanctions for Cyber-Attacks on Critical Infrastructure
Four Iranian Nationals Charged by US Government
Four Iranian cyber actors affiliated to MASN and DAA have also been sanctioned.
Two of these are employed by MASN or its predecessor, Mahak Rayan Afzar.
- Alireza Shafie Nasab, an IRGC-CEC-affiliated cyber actor who was involved in the multi-year cyber campaign targeting US entities associated with MASN.
- Reza Kazemifar Rahman (Kazemifar), also an IRGC-CEC cyber actors, who has been involved in operational testing of malware intended to target job seekers with a focus on military veterans.
The other two are employed by DAA.
- Hosein Mohammad Haruni, who has been associated with various spear phishing and other social engineering operations, as well as malicious cyber activity targeting US entities and the Department of the Treasury.
- Komeil Baradaran Salmani, who has been associated with multiple IRGC-CEC front companies and involved in spear phishing campaigns targeting multiple US entities, including the Department of the Treasury.
In addition to the sanctions, these four individuals have been charged in a US federal court for their involvement in a cyber-enabled campaign to compromise US government and private entities, including the US Departments of Treasury and State, defense contractors, and two New York-based companies.
The defendants remain at large, and the US Department of State’s Rewards for Justice program (RFJ) is offering a reward of up to $10m for information leading to the identification or location of the group and the defendants.
Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson commented: “Iranian malicious cyber actors continue to target US companies and government entities in a coordinated, multi-pronged campaign intended to destabilize our critical infrastructure and cause harm to our citizens.”
He added: “The United States will continue to leverage our whole-of-government approach to expose and disrupt these networks’ operations.”
What the Sanctions Mean in Practice
Under the Treasury sanctions, all property or interests in property of the four individuals that are in the US or in the possession or control of US persons have been blocked.
Additionally, any entities that are owned, directly or indirectly, 50% or more by one or more of the sanctioned individuals are blocked.
Any transactions that involve any property or interests of the individuals by US citizens or people visiting the US are also prohibited under the sanctions.
Finally, financial institutions or other entities or individuals that engage in transactions or activities with the sanctioned companies and individuals may themselves be exposed to sanctions or face law enforcement action.
There has been a number of sanctions issued by Western governments to cyber threat actors in the past few years. These are designed to disrupt the abilities of malicious actors to operate, and attempt to create consequences for their actions as an alternative to arrest and imprisonment.
However, many experts acknowledge that sanctions alone generally have limited impacts on cyber threat groups and individuals.