Iranian Ransomware Group Attacks U.S. Businesses

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced yesterday that it has imposed sanctions on 10 individuals and two entities affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) for their involvement in a ransomware attack.

The U.S. Treasury Department claims that these individuals have been implicated in multiple ransomware attacks over the past two years that have breached the networks of organizations in the United States and elsewhere around the world.

These malicious activities also intersect with state-sponsored hacking activities tracked by several network vendors, including APT35, Charming Kitten, Phosphorus, DEV-0270, Tunnel Vision, and Nemesis Kitten.

The U.S. Treasury Department said, “Multiple cybersecurity firms have identified that these intrusions are indeed linked to the Iranian government. They have previously carried out a variety of malicious cyberattacks, including ransomware and cyberespionage.”

“The gang has launched a wide range of attacks against organizations and officials around the world, focusing on defense, diplomatic and government workers in the United States and the Middle East, as well as private sectors such as media, energy, business services and telecommunications.”

Three members information was offered a reward of 30 million US dollars

As an affiliate of the Iranian Islamic Revolutionary Guard Corps, the members of the gang are mainly employees of Iran-based Najee Technology Hooshmand Fater LLC (Najee Technology) and Afkar System Yazd (Afkar System), including:

Mansour Ahmadi: Legal Person, Managing Director and Chairman of the Board of Najee Technology

Ahmad Khatibi Aghda: Managing Director and Board Member of Afkar System

Other employees and colleagues: Ali Agha-Ahmadi, Mohammad Agha Ahmadi, Mo’in Mahdavi, Aliakbar Rashidi-Barjini, Amir Hossein Nikaeen Ravari, Mostafa Haji Hosseini, Mojtaba Haji Hosseini and Mohammad Shakeri-Ashtijeh

The U.S. Treasury Department previously sanctioned people associated with Net Peygard Samavat for their work with the Islamic Revolutionary Guard Corps and Iran’s Ministry of Intelligence and Security (MOIS) in 2019.

A year later, the U.S. Treasury Department sanctioned Rana Intelligence Computing and some of its employees, claiming that the company, under the guise of operating, was actually coordinating cyberattacks on behalf of the Iraqi Ministry of Intelligence and Security.

In the sanctions announcement, the U.S. State Department offered $30 million for information on three sanctioned Iranians, Mansour Ahmadi, Ahmad Khatibi Aghda and Hossein Nikaeen Ravari. The three also face charges from the U.S. Justice Department for their alleged involvement in a ransomware attack targeting U.S. critical infrastructure groups.

American security company provides traceability evidence chain

Yesterday, cybersecurity agencies in the US, Canada, UK and Australia also issued a joint announcement describing the threat group’s malicious activities and revealing technical details.

Security firm Secureworks followed suit with a report corroborating the U.S. Treasury Department’s information.

Secureworks said it succeeded in linking the Nemesis Kitten (also known as Cobalt Mirage) gang with Iran’s Najee Technology, Afkar System, and Another entity called Secnerd was connected.

A similar malicious attack involving Nemesis Kitten (an intersection with the Phosphorus APT gang) was also mentioned in a May report by Secureworks’ Counter Threat Unit (CTU).

Last week, Microsoft said the Nemesis Kitten (also known as DEV-0270) gang had been quietly “obtaining illicit income for individuals or companies as a subdivision of the Iran-backed Phosphorus cyber espionage gang (aka Charming Kitten and APT35).”

Microsoft linked the gang to a number of Iranian businesses, including Najee Technology, Secnerd and Lifeweb.

“The gang’s targets are very random: they scan the Internet first for vulnerable servers and devices, so organizations with vulnerable servers and devices that are exposed online are more likely to be affected,” Microsoft explained.
Data breaches harm even security vendors, much alone regular businesses and individuals. As a result, our companies and individuals must take proactive efforts to safeguard data. Data can be backed up for disaster recovery to prevent all threats. Data protection software is now widely available and simple to use. Consider the popular virtual machine backup method. Virtual machines may run many operating systems at the same time, conserving both real and virtual resources. Virtual machine backup systems such as VMware Backup, RHV backup, Xenserver Backup, Hyper-V Backup, and others are now commonly used.

Leave a Comment