TWO IRANIAN NATIONALS CHARGED IN CYBER THEFT AND DEFACEMENT CAMPAIGN AGAINST COMPUTER SYSTEMS IN UNITED STATES, EUROPE, AND MIDDLE EAST
September 16, 2020
Two Iranian nationals have been charged in connection with a coordinated cyber intrusion campaign – sometimes at the behest of the government of Iran – targeting computers in New Jersey and around the world, U.S. Attorney Craig Carpenito announced today.
Hooman Heidarian, a/k/a “neo,” 30, and Mehdi Farhadi, a/k/a “Mehdi Mahdavi” and “Mohammad Mehdi Farhadi Ramin,” 34, both of Hamedan, Iran, are each charged in a 10-count indictment returned Sept. 15, 2020, with: one count each of conspiracy to commit fraud and related activity in connection with computers and access devices; computer fraud – unauthorized access to protected computers: computer fraud, unauthorized damage to protected computers; conspiracy to commit wire fraud; and access device fraud; and five counts of aggravated identity theft.
“These Iranian nationals allegedly conducted a wide-ranging campaign on computers here in New Jersey and around the world,” U.S. Attorney Carpenito said. “They brazenly infiltrated computer systems and targeted intellectual property and often sought to intimidate perceived enemies of Iran, including dissidents fighting for human rights in Iran and around the world. This conduct threatens our national security, and as a result, these defendants are wanted by the FBI and are considered fugitives from justice.”
“We will not bring the rule of law to cyberspace until governments refuse to provide safe harbor for criminal hacking within their borders,” Assistant Attorney General for National Security John C. Demers said. “Unfortunately, our cases demonstrate that at least four nations—Iran, China, Russia and North Korea—will allow criminal hackers to victimize individuals and companies from around the world, as long as these hackers will also work for that country’s government—gathering information on human rights activists, dissidents and others of intelligence interest. Today’s defendants will now learn that such service to the Iranian regime is not an asset, but a criminal yoke that they will now carry until the day they are brought to justice.”
“The indictment of two Iranian nationals charged with computer hacking, fraud, and aggravated identity theft demonstrates how the FBI continues to work relentlessly with our law enforcement partners to identify cybercriminals who seek to do harm to American citizens, businesses, and universities, regardless of where those criminals may reside and hold them accountable,” George M. Crouch Jr., Special Agent in Charge of the FBI Newark Division, said. “Mehdi Farhadi and Hooman Heidarian are now fugitives and have been added to the FBI website for charges in connection with a massive, coordinated cyber intrusion campaign. These actions demonstrate how imposing risks and consequences on our cyber adversaries will continue to be a top priority for the FBI.”
According to the indictment:
Beginning in at least 2013, the defendants were responsible for a coordinated campaign of cyber intrusions into computer systems in New Jersey and around the world. The victims included several American and foreign universities, a Washington, D.C.-based think tank, a defense contractor, an aerospace company, a foreign policy organization, non-governmental organizations (NGOs), non-profits, and foreign government and other entities identified as rivals or adversaries to Iran around the world.
Heidarian and Farhadi conducted many of these intrusions on behalf of the Iranian government. The stolen data was typically highly protected and extremely sensitive, and included confidential communications pertaining to national security, foreign policy intelligence, non-military nuclear information, aerospace data, human rights activist information, victim financial information and personally identifiable information, and intellectual property, including unpublished scientific research. The defendants also often vandalized websites using the pseudonym “Sejeal” and posted messages that appeared to signal the demise of Iran’s internal opposition, foreign adversaries, and countries identified as rivals to Iran, including Israel and Saudi Arabia.
Tactics and Techniques
The defendants conducted online reconnaissance to carefully select their victims, gathering data and intelligence to determine their areas of expertise, and assessing computer networks in preparation for launching cyber-attacks. They often used information obtained at this stage in latter phases of their hacking activities to complete a picture of processes, organizational structure, and potential soft spots of victim networks. The defendants used vulnerability-scanning tools to test the victim networks and to reveal security holes.
The defendants gained and maintained unauthorized access to victim networks using various tools, including: session hijacking, where a valid computer session was exploited to gain unauthorized access to information or services in a computer system; SQL injection, in which they used malicious code to access information that was not intended to be displayed, such as sensitive government data, user details, and personal identifiers; and malicious programs installations, which allowed the defendants to maintain unauthorized access to computers.
The defendants then used key-loggers and “remote access Trojans” to maintain access and monitor the actions of users of the victim networks. They also developed a botnet tool, which facilitated the spread of malware, denial of service attacks, and spamming to victim networks. In some instances, the defendants used their unauthorized access to victim networks or accounts to establish automated forwarding rules for compromised victim accounts, whereby new outgoing and incoming emails were automatically forwarded from the compromised accounts to accounts controlled by defendants
Using these methods, the defendants stole hundreds of terabytes of data, including confidential victim work product and intellectual property, and personal identifying information, such as access credentials, names, addresses, phone numbers, Social Security numbers, and birthdates. The defendants marketed stolen data on the black market.
In addition to stealing intellectual property and other data, the defendants, using the pseudonym “Sejeal,” replaced the publicly available contents of websites with political and other ideological content, thereby defacing websites, for the apparent purpose of projecting Iranian influence and threatening perceived enemies of Iran. The defacements featured, among other things, images of burning Israeli flags and threats forecasting the death or demise of citizens in the United States, Israel, and elsewhere.
U.S. Attorney Carpenito credited special agents of the FBI, under the direction of Special Agent in Charge Crouch in Newark, with the investigation leading to the charges.
The counts of conspiracy to commit computer fraud and related activity in connection with computers and access devices, unauthorized access to protected computers, and computer fraud – unauthorized damage to protected computers, each carry a maximum sentence of five years in prison. The count of conspiracy to commit wire fraud carries a maximum sentence of 20 years in prison. The counts of aggravated identity theft each carry a mandatory sentence of two years in prison. The count of access device fraud carries a maximum sentence of 10 years in prison.
The government is represented by Assistant U.S. Attorney Dean C. Sovolos of the U.S. Attorney’s Office National Security Unit, Daniel V. Shapiro, Deputy Chief of the U.S. Attorney’s Office Criminal Division, and Trial Attorney Scott McCulloch of the National Security Division.
The charges and allegations contained in the indictment are merely accusations and the defendants are considered innocent unless and until proven guilty.