Iranians Accused in Cyberattacks, Including One That Hobbled Atlanta

Two Iranians were behind the ransomware attack that crippled Atlanta’s government for days this year, the Justice Department said in an indictment unsealed on Wednesday, detailing a sophisticated scheme of attacks on hospitals, government agencies and other organizations.

The men, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, chose targets with complex yet vulnerable systems — organizations that could afford to pay ransoms and urgently needed to bring their systems back online, prosecutors said.

In the case of Atlanta, one of the most sustained and consequential cyberattacks ever launched against a major American city, the pair broke into the city’s computer systems and held their data hostage for about $51,000 worth of the cryptocurrency Bitcoin, prosecutors said.

“They deliberately engaged in an extreme form of 21st-century digital blackmail, attacking and extorting vulnerable victims like hospitals and schools, victims they knew would be willing and able to pay,” Brian Benczkowski, the head of the criminal division of the Justice Department, said in a news conference on Wednesday.

The Treasury Department also imposed sanctions on two other Iranians, accusing them of changing the Bitcoin obtained by the hackers into Iranian rial.

Mr. Savandi and Mr. Mansouri, who are wanted by the F.B.I., created the malicious software SamSam Ransomware, prosecutors said, and began to gain access to their victims’ computers in January 2016. The software is well known to cybersecurity experts.

Atlanta officials said at the time that they would not pay the ransom, even as the attack ground court, parking and employment systems to a halt. For days, police officers wrote reports by hand, warrants were not validated, applications for city jobs sat unprocessed and government workers were unable to access basic administrative systems.

“Victims are encouraged not to pay the ransom,” said Amy Hess, a top F.B.I. cybercrime official. She added that there is no guarantee that the victims will get their data back.

Mr. Savandi and Mr. Mansouri collected more than $6 million in extortion payments, law enforcement officials said. The cities and businesses targeted lost more than $30 million as they scrambled to fix computer systems and recover data, according to court documents.

Many of the victims were public agencies with missions that involve lifesaving and other critical functions. Among them were Allscripts Healthcare; Laboratory Corporation of America; the city of Newark; the University of Calgary; the Port of San Diego; the Colorado Department of Transportation; and hospitals and health care groups in Los Angeles, Kansas, Maryland and Nebraska.

In the case of Mr. Savandi and Mr. Mansouri, the Justice Department indictment indicated that they belonged to the SamSam group, which is well known to cybersecurity researchers.

The group was also known for meticulously encrypting its victims’ data, manually from file to file; changing file names to “I’m sorry”; demanding high ransom payments in Bitcoin; and giving victims only a week to pay before they made their data permanently inaccessible, according to major security firms like Symantec, the Crypsis Group and others.
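The "I'm sorry" rename described above is the kind of indicator a defender can watch for in file-server telemetry. The example below is added here and is not code from the article or from any security firm it cites; the rename events, host names and the five-files-per-minute threshold are constructed for illustration, and the point is that a burst of such renames on one host, not a single one, is the signal worth alerting on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of file-rename events, shaped like what endpoint or
# file-server telemetry might deliver: (timestamp, host, old_name, new_name).
# All values are invented for this example; none come from the article.
SAMPLE_EVENTS = [
    ("2018-03-22T05:40:01", "fileserver01", "budget.xlsx", "I'm sorry"),
    ("2018-03-22T05:40:01", "fileserver01", "payroll.docx", "I'm sorry"),
    ("2018-03-22T05:40:02", "fileserver01", "warrants.pdf", "i'm sorry"),
    ("2018-03-22T05:40:02", "fileserver01", "reports.db", "I'm sorry"),
    ("2018-03-22T05:40:03", "fileserver01", "minutes.txt", "I'm sorry"),
    ("2018-03-22T09:15:00", "workstation7", "draft.txt", "draft_v2.txt"),
    ("2018-03-22T11:02:10", "workstation7", "notes.txt", "I'm sorry"),
]

# Case-insensitive match on the renamed-file pattern the article reports.
RANSOM_NAME = re.compile(r"i'?m\s*sorry", re.IGNORECASE)


def detect_mass_rename(events, threshold=5, window=timedelta(seconds=60)):
    """Return {host: first_alert_time} for hosts on which at least `threshold`
    files were renamed to the ransom pattern inside any sliding `window`.
    A lone matching rename (e.g. a user's own file) is ignored as noise."""
    recent = defaultdict(deque)   # per-host timestamps of matching renames
    alerts = {}
    for ts, host, _old, new in sorted(events):
        if not RANSOM_NAME.search(new):
            continue
        t = datetime.fromisoformat(ts)
        q = recent[host]
        q.append(t)
        # Drop timestamps that have fallen out of the sliding window.
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = t.isoformat()   # when the threshold was first crossed
    return alerts


if __name__ == "__main__":
    for host, when in detect_mass_rename(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: mass rename to ransom pattern at {when}")
```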

Cybersecurity researchers said they were surprised to learn that the SamSam group was based in Iran. Other than the group’s name — Samsam Kandi is the name of a tiny Iranian village — no indicators showed that the group was based in Iran.

“They weren’t using any of the Iranian infrastructure or typical Iranian tools and, until now, ransomware was not a typical Iranian attack method,” said Allan Liska, an intelligence analyst at Recorded Future, a threat intelligence firm based in Boston.

The defendants had used Bitcoin exchanges to launder their ransomware profits. People in countries with heavily sanctioned governments like North Korea and Iran are increasingly turning to cryptocurrency to bypass sanctions, Mr. Liska said.

Though officials were careful to note that the suspects were not affiliated with the government of Iran, American officials and private-sector cybersecurity experts have been closely monitoring internet traffic out of Iran after President Trump’s decision to pull out of the deal over its nuclear program last May.

Within 24 hours, monitors in the United States and Israel picked up a notable shift in Iranian state hacking activity, including renewed attacks on diplomats and foreign affairs offices of American allies, as well as employees at major telecommunication companies.
