FBI Releases Advisory on Previously Undisclosed Iranian Malware
The U.S. Department of the Treasury’s Office of Foreign Assets Control Thursday imposed sanctions on an Iranian advanced persistent threat group, 45 associated individuals and a front company the Iranian government allegedly used to run a years-long malware campaign that targeted Iranian dissidents, journalists and others.
The sanctions affect APT39 – also known as Chafer, Remexi, Cadelspy and ITG07 – and the Rana Intelligence Computing Co., both of which are controlled by Iran’s Ministry of Intelligence and Security, the Treasury Department says.
“Rana advances Iranian national security objectives and the strategic goals of Iran’s Ministry of Intelligence and Security by conducting computer intrusions and malware campaigns against perceived adversaries, including foreign governments and other individuals the MOIS considers a threat,” the Treasury Department says.
The sanctions mean that all property and interests owned by the entities and individuals that are in the United States are blocked and any transactions with those sanctioned are prohibited.
FBI Releases Code
In a related move, the FBI and the Cybersecurity and Infrastructure Security Agency on Thursday released code for eight separate sets of malware Rana used to conduct its computer intrusion activities.
“By making the code public, the FBI is hindering MOIS’s ability to continue their campaign, ending the victimization of thousands of individuals and organizations around the world,” the Treasury Department says.
The Treasury Department says Rana used malicious cyber intrusion tools to target and monitor Iranian citizens, particularly dissidents, journalists, former government employees, environmentalists, refugees, university students and faculty, and employees at international nongovernmental organizations. This activity led to some individuals being arrested as well as physical and psychological intimidation by MOIS, U.S. officials allege.
Rana also targeted at least 15 U.S. companies and hundreds of individuals and entities from more than 30 countries across Asia, Africa, Europe and North America, the FBI says.
“Iran’s MOIS, through their front company Rana, recruited highly educated people and turned their cyber talents into tools to exploit, harass and repress their fellow citizens and others deemed a threat to the regime,” says FBI Director Christopher Wray.
The 45 unnamed individuals who were sanctioned are Rana employees who work as managers, programmers and hackers, providing support for ongoing MOIS cyber intrusions targeting the networks of international businesses, institutions, air carriers and other targets that MOIS considered a threat, the Treasury Department says.
“The sanctions announced today hold these 45 individuals accountable for stealing data not just from dozens of networks here in the United States, but from networks in Iran’s neighboring countries and around the world,” according to the Treasury announcement.
U.S. officials allege that APT39, which was identified in December 2018 by FireEye but has been active since 2014, attacked Iranian companies, academic institutions, cultural centers and others.
Also this week, two Iranians were indicted for conducting a lengthy hacking campaign.
CISA issued an alert that the Iranian hacking group Pioneer Kitten was taking advantage of several unpatched vulnerabilities and using open source tools to target U.S. businesses as well as federal government agencies. And two suspects were indicted for defacing U.S. websites.