U.S. Treasury Sanctions Iranian Firms and Individuals Tied to Cyber Attacks

The US Treasury’s Office of Foreign Assets Control (OFAC) sanctioned two firms and four individuals on Monday for their involvement in Iranian state-sponsored malicious cyber activities conducted for the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) from 2016 to April 2021. The companies sanctioned are Mehrsam Andisheh Saz Nik (MASN) and Dadeh Afzar Arman (DAA); the individuals sanctioned are Iranian nationals Alireza Shafie Nasab, Reza Kazemifar Rahman, Hossein Mohammad Harooni, and Komeil Baradaran Salmani. They targeted over a dozen organizations in the United States under the guise of working for the front company MASN, which has been associated with multiple Iranian APT groups, including Tortoiseshell, a group known for using malware to target IT providers in the Middle East, especially Saudi Arabia. The US DoJ has publicized an indictment against the four individuals for orchestrating targeted, multi-pronged attacks against US entities, using spear phishing and other social engineering campaigns, with the intent to destabilize US critical infrastructure. OFAC also designated six IRGC-CEC officials in response to recent cyber operations in which IRGC-affiliated cyber actors manipulated programmable logic controllers, impacting critical infrastructure systems, including in the United States. While these particular operations did not disrupt any critical services, unauthorized access to critical infrastructure systems can enable actions that harm the public and cause devastating humanitarian consequences. One of the individuals, Nasab, who claimed to be a cybersecurity specialist for a company named Mahak Rayan Afraz, was previously indicted for spear phishing campaigns using custom malware and remains at large following these sanctions.
These Iranian cyber actors have the resources to perform a wide range of malicious activity, from ransomware attacks on critical infrastructure sectors to social engineering campaigns targeting individual citizens in order to gain initial access to sensitive data. As a result of these sanctions, all property and interests in property of the designated persons described above that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Any financial institutions that provide funding to these sanctioned entities could themselves be subject to sanctions. The ultimate goal of sanctions is not to punish, but to bring about a positive change in behavior for entities in the US. The defendants primarily singled out private sector defense contractors and other government entities, ultimately compromising more than 200,000 employee accounts. Furthermore, Harooni has been charged with knowingly damaging a protected computer, which carries a maximum penalty of 10 years in prison. Nasab, Harooni, and Salmani have also been charged with aggravated identity theft, which carries a mandatory consecutive term of two years in prison.

Security Officer Comments:
All defendants being sanctioned are still at large, with one of the individuals continuing to evade law enforcement after being indicted in March 2024. This article underscores the geopolitical tensions in the Middle East and how they affect countries like the United States. Amidst traditional military warfare in the Middle East, cyber threat campaigns such as this state-sponsored activity can become an afterthought, despite the fact that these meticulously conducted cyber operations can have a longer-lasting effect on critical infrastructure.