3 Iranian nationals charged in ransomware attacks in New Jersey

Wednesday, September 14, 2022

NEWARK, New Jersey (WABC) -- Three Iranian nationals attempted to hack into hundreds of computers in the US and around the world, including in New Jersey, demanding -- and sometimes getting -- a ransom, according to an indictment unsealed Wednesday.

The four-count grand jury indictment returned in Newark Federal Court charged the trio with hacking conspiracy, two counts of computer hacking, and one count of computer extortion over an alleged ransomware conspiracy that targeted a range of organizations and critical infrastructure sectors such as healthcare centers, power companies and transportation services inside the U.S. and abroad.

The counts apply specifically to victims in New Jersey, which include a Union County township and an accounting firm in Morris County.

Mansour Ahmadi, Ahmad Aghda, and Amir Ravari hacked into hundreds of computers inside the U.S. and around the world by often exploiting known vulnerabilities in network devices or software programs, the indictment said.

Once they gained access to an organization or company's software, they would use a program known as BitLocker to encrypt data on their victims' systems and demand a ransom either by threatening to release stolen data or keeping the data encrypted unless they were paid -- at times making demands for hundreds of thousands of dollars.

The three men would often send their demands to office printers, officials said, and prosecutors detailed some of the correspondence they had with their victims.

In Morris County, hackers launched an encryption attack in February and March, causing the accounting firm's network to connect with their server.

"Are you ready to pay?" Ahmad Khatibi Aghda allegedly wrote in a March 8 email to the company.

Prosecutors say he wrote again the next day, stating that he had "locked more than 20 systems" and demanding $50,000.

"If you don't want to pay, I can sell your data on the black market," he allegedly wrote, followed up on March 16 with, "This choice is yours."

In Union County, authorities say the hackers infiltrated a township government's website in February, "gaining control and access to the township's network and data...using this unauthorized access, a member of the conspiracy installed FRP on the Township's network to establish an unauthorized connection from the Township's network to Domain 1."
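The two techniques the indictment describes, switching on BitLocker to lock a victim's data and installing FRP to open an unauthorized outbound tunnel, both leave process-creation events on the host. The following is an added example, not part of the article or the indictment, showing how a defender might flag those events; the log layout, hostnames, account names and the provisioning allowlist are all constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events in a simplified Sysmon-like
# key=value layout; these are illustrative, not logs from the real victims.
SAMPLE_EVENTS = [
    r'host=FS01 user=CORP\itadmin image=C:\Windows\System32\manage-bde.exe cmdline="manage-bde -status C:"',
    r'host=FS01 user=CORP\svc_web image=C:\Windows\System32\manage-bde.exe cmdline="manage-bde -on D: -UsedSpaceOnly"',
    r'host=WEB01 user=NT AUTHORITY\SYSTEM image=C:\ProgramData\frpc.exe cmdline="frpc.exe -c frpc.ini"',
    r'host=WS22 user=CORP\alice image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"',
]

# Accounts expected to turn BitLocker on during normal provisioning
# (assumed allowlist; adapt to your environment).
PROVISIONING_ACCOUNTS = {r"CORP\itadmin"}

EVENT_RE = re.compile(
    r'host=(?P<host>\S+) user=(?P<user>.+?) image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"'
)

def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed log line into host, user, image and cmdline."""
    m = EVENT_RE.search(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groupdict()

def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of the detection rules this event triggers."""
    hits = []
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"].lower()
    # Rule 1: BitLocker switched on by an account that does not normally provision drives.
    if image == "manage-bde.exe" and re.search(r"(^|\s)-on(\s|$)", cmd) \
            and event["user"] not in PROVISIONING_ACCOUNTS:
        hits.append("bitlocker_enable_unexpected_account")
    # Rule 2: FRP client/server binaries, which tunnel traffic out of the network.
    if image in {"frpc.exe", "frps.exe"} or re.search(r"\bfrp[cs]\b", cmd):
        hits.append("frp_tunnel_binary")
    return hits

def analyze(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over every event and return (host, rule) findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in detect(ev):
            findings.append((ev["host"], rule))
    return findings

if __name__ == "__main__":
    for host, rule in analyze(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

A status query by the provisioning account is left alone, while the encryption being enabled by a web service account and the FRP client launching are both reported.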

"Ransom-related cyberattacks, like what happened here, are a particularly destructive form of cybercrime," U.S. Attorney Philip Sellinger said. "No form of cyber-attack is acceptable, but ransomware attacks that target critical infrastructure services, such as health care facilities and government agencies, are a threat to our national security. Hackers like these defendants go to great lengths to keep their identities secret, but there is always a digital trail. And we will find it."

The indictment did not allege involvement by the government of Iran. Instead, the three demanded the money be paid to themselves, though a U.S. official told reporters the Iranian government's lax laws could share the blame for failing to go after actors who engage in this type of conspiracy.

The official said all three men are still believed to be within Iran and have not been arrested, and the official acknowledged it's unlikely any will see the inside of a U.S. courtroom.

Accompanying the announcement of the indictment, the FBI released a new joint cybersecurity bulletin with international partners that identifies the tactics, techniques and procedures of advanced cyber threat actors believed to be affiliated with the Iranian government's Iranian Revolutionary Guard Corps, or IRGC.

The hackers are believed to be "actively targeting" a broad range of entities across multiple critical infrastructure sectors inside the U.S., Australia, Canada and the U.K., the bulletin said, and have even targeted victims within Iran.

Specifically in the U.S., the IRGC-affiliated actors carried out ransomware attacks against a police department, a regional transportation system, a municipal government and a U.S. aerospace company.

The advisory included mitigating steps for partner countries that will seek to disrupt any further attacks the hackers can carry out, a U.S. official said.
