DoJ charges two Iranians

November 30, 2018 | Expert Insights

The US Justice Department unsealed charges accusing two Iranian men of hacking into American hospitals, universities, government agencies and the city of Atlanta, causing tens of millions of dollars in damages.

Background

The United States Department of Justice (DOJ) is a federal executive department of the U.S. government, responsible for the enforcement of the law and administration of justice in the United States.

The Department of Justice administers several federal law enforcement agencies including the Federal Bureau of Investigation (FBI), and the Drug Enforcement Administration (DEA). The department is responsible for investigating instances of financial fraud and representing the United States government in legal matters.

In 2016, a new strain of ransomware emerged that was targeting JBoss servers. This strain, named "SamSam", was found to bypass phishing and illicit downloads in favour of exploiting vulnerabilities on weakly secured servers. The malware's operators use a Remote Desktop Protocol brute-force attack, guessing weak passwords until one succeeds. The ransomware has been behind attacks on government and healthcare targets, with notable hacks occurring against the town of Farmington, New Mexico, the Colorado Department of Transportation, Davidson County, North Carolina, and most recently, a major breach of the infrastructure of Atlanta.
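The RDP password-guessing entry vector described above leaves a recognisable trace in Windows logon audit records: a burst of failed remote logons from one source, often across several account names, sometimes followed by a success from the same source. The following detection logic is an added example written for this article, not code from the original page or from any product; the log records it runs over are constructed (modelled on Windows Security Event IDs 4625 and 4624, with logon type 10 for RDP), and the threshold and window values are assumptions to be tuned per environment.

```python
"""Flag RDP password-guessing bursts in Windows logon audit records.

Added example: the records below are constructed, modelled on Windows
Security log Event ID 4625 (failed logon) and 4624 (successful logon).
Logon type 10 is RemoteInteractive, i.e. an RDP session.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624

# Constructed sample records: (timestamp, event_id, logon_type, source_ip, account).
# 203.0.113.45 (documentation range) is the invented guessing source.
SAMPLE_EVENTS = [
    ("2018-11-20T02:14:01", 4625, 10, "203.0.113.45", "administrator"),
    ("2018-11-20T02:14:03", 4625, 10, "203.0.113.45", "administrator"),
    ("2018-11-20T02:14:05", 4625, 10, "203.0.113.45", "admin"),
    ("2018-11-20T02:14:09", 4625, 10, "203.0.113.45", "admin"),
    ("2018-11-20T02:15:12", 4625, 10, "203.0.113.45", "backup"),
    ("2018-11-20T02:15:14", 4625, 10, "203.0.113.45", "backup"),
    ("2018-11-20T02:16:40", 4625, 10, "203.0.113.45", "svc_sql"),
    ("2018-11-20T02:17:02", 4625, 10, "203.0.113.45", "backup"),
    ("2018-11-20T02:18:30", 4624, 10, "203.0.113.45", "backup"),   # a guess succeeded
    ("2018-11-20T08:01:00", 4625, 10, "10.0.0.5", "jsmith"),        # ordinary typo
    ("2018-11-20T08:02:10", 4624, 10, "10.0.0.5", "jsmith"),
    ("2018-11-20T09:00:00", 4625, 2, "10.0.0.9", "kiosk"),          # console logons,
    ("2018-11-20T09:00:05", 4625, 2, "10.0.0.9", "kiosk"),          # not RDP: ignored
    ("2018-11-20T09:00:09", 4625, 2, "10.0.0.9", "kiosk"),
    ("2018-11-20T09:00:14", 4625, 2, "10.0.0.9", "kiosk"),
    ("2018-11-20T09:00:20", 4625, 2, "10.0.0.9", "kiosk"),
    ("2018-11-20T09:00:25", 4625, 2, "10.0.0.9", "kiosk"),
]


def parse_event(record):
    """Turn one raw tuple into a dict with a real datetime."""
    ts, event_id, logon_type, ip, account = record
    return {"ts": datetime.fromisoformat(ts), "event_id": event_id,
            "logon_type": logon_type, "ip": ip, "account": account}


def find_rdp_bruteforce(records, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP whose RDP logon failures exceed
    `threshold` within any sliding `window`, noting accounts tried and any
    RDP success from that IP at or after the end of the densest burst."""
    events = sorted((parse_event(r) for r in records), key=lambda e: e["ts"])
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue                       # only remote-interactive logons matter here
        if e["event_id"] == EVENT_LOGON_FAILED:
            failures[e["ip"]].append(e)
        elif e["event_id"] == EVENT_LOGON_SUCCESS:
            successes[e["ip"]].append(e)

    alerts = []
    for ip, fails in failures.items():
        # Sliding window over the time-sorted failures: find the densest burst.
        start, best, burst_end = 0, 0, None
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, burst_end = count, fails[end]["ts"]
        if best < threshold:
            continue
        accounts = sorted({f["account"] for f in fails})
        later_success = sorted({s["account"] for s in successes[ip]
                                if s["ts"] >= burst_end})
        alerts.append({"source_ip": ip, "peak_failures": best,
                       "accounts_tried": accounts,
                       "success_after_burst": later_success})
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The `success_after_burst` field is the part worth paging someone for: a burst of failures that ends in a successful RDP logon from the same source is the "weak password broken" outcome the passage describes, and the account named there is where an investigation should start. Console logon failures (type 2) are deliberately excluded so that a jammed kiosk keyboard does not trip the same rule.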

Analysis

The United States Department of Justice has unveiled charges against two Iranian nationals, accusing them of hacking into a range of American institutions. The charges include hacking into the systems of the City of Atlanta, GA, which alone resulted in $9 million in damages.

More than 200 victims were affected, more than $6 million in ransom was collected and damages exceeded $30 million, officials said. Ransomware encrypts data on affected systems, making it impossible for victims to access their own computer files unless they pay a ransom demand.

Officials said the case marks the first time federal prosecutors have charged individuals with writing their own ransomware and deploying it themselves as part of a criminal scheme to extort money. There is no allegation that the defendants were linked to or working on behalf of the Iranian government.

What made this scheme different from other ransomware operations is the nature of the targeting and the sophisticated way in which the alleged hackers penetrated systems first, then deployed the malware, officials said.

The 25-page indictment charges that the men’s scheme was for their personal profit. The defendants, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, were accused of conspiring to hack and extort victims between December 2015 and November 2018. The suspects are believed to be in Iran.

Savandi and Mansouri allegedly extorted victims by demanding a ransom paid in the virtual currency bitcoin in exchange for decryption keys to recover the data. They then allegedly exchanged the bitcoin proceeds into Iranian rial using Iran-based bitcoin exchangers.

In addition, the Treasury Department sanctioned two Iran-based men, Ali Khorashadizadeh and Mohammad Ghorbaniyan, who the department said helped exchange the bitcoin ransom payments into rial. The department also listed the digital currency addresses the men used. Anyone who conducts business with either of the men could be subject to secondary sanctions, officials said.

The ransomware in this case, called SamSam, was used in attacks against Atlanta; the city of Newark; the port of San Diego; the Colorado Department of Transportation and six health care-related entities. The ransomware, first identified in 2015, gained prominence after it afflicted Atlanta in March, hobbling computers in the court system, shutting down WiFi at the international airport, preventing residents from paying water bills online, and forcing police for several days to file reports on paper instead of electronically.

The SamSam ransomware is not as well-known as WannaCry, a computer virus paired with ransomware that in May 2017 affected more than 300,000 computers in 150 countries. However, in some ways, it is more sophisticated. WannaCry, which U.S. officials said was created by North Korea, spread on the open Internet and hit targets indiscriminately. With SamSam, by contrast, the hackers chose vulnerable targets and then infiltrated their networks, pre-positioning the ransomware on key servers before triggering it.

Assessment

Our assessment is that the existing international legal system is not sufficiently equipped to tackle cyber crimes that are spread across multiple national jurisdictions. We believe that the DoJ's charges against the two Iranian nationals are of little practical consequence, as the US and Iran do not have diplomatic relations. However, we also feel that these charges will be used as a precedent in the future to charge cyber criminals in the USA.