
Iranian Hacker Charged by U.S., $10 Million Reward Offered for Capture

On Friday, the U.S. Department of Justice (DoJ) unsealed an indictment against an Iranian citizen for allegedly taking part in a cyber-enabled campaign that lasted for years and was meant to hack into U.S. government and private organizations.

It is said that more than a dozen groups were targeted, such as the U.S. Departments of the Treasury and State, defense contractors that work with the U.S. Department of Defense, and two New York-based businesses, an accounting firm and a hospitality company.

Alireza Shafie Nasab, who is 39 years old, said he was a cybersecurity expert for a company called Mahak Rayan Afraz. He was also part of a campaign that targeted the U.S. from at least 2016 to April 2021.

According to U.S. Attorney Damian Williams for the Southern District of New York, Alireza Shafie Nasab was part of a cyber campaign that used spear-phishing and other hacking methods to get into more than 200,000 victim devices. Many of these devices had sensitive or classified defense information on them.

A customized app was used to run the spear-phishing campaigns and help Nasab and his criminal partners plan and carry out their attacks.

The bad guys broke into an administrator email account of an unnamed defense contractor and then used the access to make fake accounts and send spear-phishing emails to employees of another defense contractor and a consulting firm.

In attacks other than spear-phishing, the hackers have posed as other people, usually women, to gain the trust of victims and put malware on their computers.

Nasab is thought to have gotten the infrastructure used in the campaign by registering a server and email accounts using the stolen identity of a real person while working for the front company.

He is accused of one count of wire fraud, one count of conspiracy to commit computer fraud, and one count of aggravated identity theft. Nasab could spend up to 47 years in prison if found guilty on all charges.

Nasab is still on the run, and the U.S. State Department has offered up to $10 million in rewards for information that leads to his identification or location.

Meta first revealed in July 2021 that Mahak Rayan Afraz (MRA) was a company based in Tehran that had ties to the Islamic Revolutionary Guard Corps (IRGC), which is Iran’s military force tasked with protecting the country’s revolutionary government.

The activity cluster, which includes Tortoiseshell, has been linked to complex social engineering campaigns in the past. For example, someone pretended to be an aerobics instructor on Facebook to try to get malware on the computer of an employee of an aerospace defense contractor.

The news comes after German police said they were shutting down Crimemarket, a German-language illegal marketplace with more than 180,000 users that specialized in selling drugs, weapons, money laundering services, and other illegal goods and services.

Six people have been arrested in connection with the operation, including a 23-year-old who is thought to be the main suspect. Cell phones, IT equipment, one kilogram of marijuana, ecstasy tablets, and €600,000 in cash have also been seized.

 

 
