United States Attorney's Office for the Southern District of New York

04/23/2024 | Press release | Distributed by Public on 04/23/2024 11:39

Justice Department Announces Charges Against Four Iranian Nationals For Multi-Year Cyber Campaign Targeting U.S. Companies

Damian Williams, the United States Attorney for the Southern District of New York; Merrick B. Garland, the Attorney General of the United States; Christopher A. Wray, the Director of the Federal Bureau of Investigation ("FBI"); Matthew G. Olsen, the Assistant Attorney General of the Justice Department's National Security Division; and James Smith, the Assistant Director in Charge of the New York Field Office of the FBI, announced today the unsealing of an Indictment charging Iranian nationals HOSSEIN HAROONI (حسین هارونی), REZA KAZEMIFAR (رضا کاظمی فر), KOMEIL BARADARAN SALMANI (کمیل برادران سلمانی), and ALIREZA SHAFIE NASAB (علیرضا شفیعی نسب) for their involvement in a cyber-enabled campaign to compromise U.S. government and private entities, including the U.S. Departments of Treasury and State, defense contractors, and two New York-based companies. The case has been assigned to U.S. District Judge Mary Kay Vyskocil. NASAB was charged for the same conduct in a previous Indictment that was unsealed on February 29, 2024. The defendants remain at large.

U.S. Attorney Damian Williams said: "As alleged, the defendants participated in a cyber campaign using spearphishing and other hacking techniques in an attempt to compromise private companies with access to defense-related information. Cyber intrusion schemes such as the one alleged threaten our national security, and I'm proud of our law enforcement partners and the career prosecutors of this Office for continuing to use innovative technologies and investigative measures to disrupt and track down these cybercriminals. If you have information leading to the identification or location of Harooni, Kazemifar, Salmani, or Nasab, please reach out to the Department of State at rewardsforjustice.net."

Attorney General Merrick B. Garland said: "Criminal activity originating from Iran poses a grave threat to America's national security and economic stability. These defendants are alleged to have engaged in a coordinated, multi-year hacking campaign from Iran targeting more than a dozen American companies and the U.S. Treasury and State Departments. This case represents just one part of the U.S. government's effort to counter the range of threats originating from Iran that endanger the American people."

FBI Director Christopher A. Wray said: "The FBI is constantly working to detect and counter cyber campaigns like the one described in today's indictment. From enabling lethal plots, and repressing our citizens and residents, to targeting our critical infrastructure, we've often seen the trail of dangerous cyber-criminal activity lead back to Iran. Today's announcement demonstrates the FBI's commitment to using every lawful tool at our disposal, together with our domestic and international partners, to disrupt the threats posed from Iran to American businesses and citizens."

FBI Assistant Director in Charge James Smith said: "Hostile threat actors have become increasingly aggressive in their attempts to infiltrate and disrupt our country's cyber infrastructure. These four defendants allegedly employed sophisticated techniques in a multi-year cyber hacking campaign targeting the U.S. Departments of Treasury and State and several private sector companies entrusted with supporting the work of the Department of Defense. These charges send a clear message - the FBI prioritizes cybersecurity to protect our sensitive information and will not tolerate threats or cyber-attacks by anyone."

According to the allegations contained in the Indictment:[1]

From at least in or about 2016 through at least in or about April 2021, HAROONI, KAZEMIFAR, SALMANI, NASAB, and other conspirators were members of a hacking organization that participated in a coordinated multi-year campaign to conduct and attempt to conduct computer intrusions. These intrusions targeted more than a dozen U.S. companies and the U.S. Departments of the Treasury and State.

During the conspiracy, KAZEMIFAR, SALMANI, and NASAB were employed by Mahak Rayan Afraz (محک رایان افراز), an Iran-based company that purported to provide cybersecurity services, but which was, in fact, a front for the conspirators' operations.

The hacking group's private sector victims were primarily cleared defense contractors, which are companies that have been granted security clearances by the U.S. Department of Defense to access, receive, and store classified information for the purpose of conducting activities in support of U.S. Department of Defense programs. In addition, the group targeted a New York-based accounting firm and a New York-based hospitality company.

In conducting their hacking campaigns, the group used spearphishing - tricking an email recipient into clicking on a malicious link - to infect victim computers with malware. During their campaigns against one victim, the group compromised more than 200,000 employee accounts. In another campaign, the conspirators targeted 2,000 employee accounts. In order to manage their spearphishing operations, the group created and used a particular computer application that enabled the conspirators to organize and deploy their spearphishing attacks.

In the course of these spearphishing attacks, the conspirators compromised an administrator email account belonging to a defense contractor ("Defense Contractor-1"). Access to this administrator account empowered the conspirators to create unauthorized Defense Contractor-1 accounts, which the conspirators then used to send spearphishing campaigns to employees of a different defense contractor and a consulting firm.
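The pattern alleged in the preceding paragraph (an administrator mailbox is compromised, the attacker uses it to create new accounts in the victim's tenant, and those accounts then send phishing to partner organizations) leaves a detectable trail in directory and mail-flow logs: an account-creation event followed shortly by outbound mail from the new account to external domains. The following Python is an added example, not part of the press release or the indictment, and the audit events, domain names, and addresses in it are constructed for illustration. It correlates the two event types within a time window and groups hits by the creating administrator, so that one admin spawning several fresh accounts that all mail outside the organization stands out.

```python
"""Added example: flag newly created accounts that mail external domains soon
after creation, and group them by the administrator that created them.
All events below are constructed; the domains and addresses are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed victim organization domain (hypothetical).
INTERNAL_DOMAIN = "contractor1.example"
# How long after creation an external send is still considered suspicious.
WINDOW = timedelta(hours=24)

# Constructed audit + mail-flow events, normalized to
# (ISO timestamp, event type, actor, target).  For ACCOUNT_CREATED the
# target is the new account; for MAIL_SENT the target is the recipient.
EVENTS = [
    ("2021-03-01T09:00:00", "ACCOUNT_CREATED", "admin@contractor1.example", "jsmith2@contractor1.example"),
    ("2021-03-01T09:02:00", "ACCOUNT_CREATED", "admin@contractor1.example", "procurement@contractor1.example"),
    ("2021-03-01T09:15:00", "MAIL_SENT", "jsmith2@contractor1.example", "eng@contractor2.example"),
    ("2021-03-01T09:15:05", "MAIL_SENT", "jsmith2@contractor1.example", "hr@contractor2.example"),
    ("2021-03-01T09:16:00", "MAIL_SENT", "procurement@contractor1.example", "partner@consulting.example"),
    ("2021-03-01T10:00:00", "MAIL_SENT", "procurement@contractor1.example", "it@contractor1.example"),   # internal, ignored
    ("2021-02-10T08:00:00", "ACCOUNT_CREATED", "hr@contractor1.example", "newhire@contractor1.example"),
    ("2021-03-01T11:00:00", "MAIL_SENT", "newhire@contractor1.example", "vendor@supplier.example"),       # outside window
]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def find_new_accounts_mailing_externally(events, internal_domain, window):
    """Return {new_account: {created_by, created_at, external_recipients}} for
    accounts that sent mail to a domain other than internal_domain within
    `window` of their creation.  Events are processed in timestamp order so
    a send is only attributed to a creation that precedes it."""
    created = {}                      # account -> (creator, creation time)
    external = defaultdict(list)      # account -> external recipients
    for ts, kind, actor, target in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if kind == "ACCOUNT_CREATED":
            created[target] = (actor, t)
        elif kind == "MAIL_SENT" and actor in created:
            creator, t0 = created[actor]
            if t0 <= t <= t0 + window and domain_of(target) != internal_domain:
                external[actor].append(target)
    return {
        acct: {
            "created_by": created[acct][0],
            "created_at": created[acct][1].isoformat(),
            "external_recipients": rcpts,
        }
        for acct, rcpts in external.items()
    }


def creators_to_review(alerts, min_accounts=2):
    """Group flagged accounts by the administrator that created them.  A single
    admin whose freshly created accounts all mail partners is the shape of the
    activity alleged against Defense Contractor-1's compromised admin account."""
    by_creator = defaultdict(list)
    for acct, info in alerts.items():
        by_creator[info["created_by"]].append(acct)
    return {c: sorted(a) for c, a in by_creator.items() if len(a) >= min_accounts}


ALERTS = find_new_accounts_mailing_externally(EVENTS, INTERNAL_DOMAIN, WINDOW)

if __name__ == "__main__":
    for acct, info in ALERTS.items():
        print(f"{acct} (created by {info['created_by']} at {info['created_at']}) "
              f"mailed {len(info['external_recipients'])} external recipient(s)")
    for admin, accts in creators_to_review(ALERTS).items():
        print(f"REVIEW {admin}: created {accts}")
```

In production the events would come from the directory's account-creation audit trail and the mail gateway's message-trace logs rather than an inline list, and the window and minimum-account threshold need tuning against normal onboarding volume (a helpdesk legitimately creates accounts that then e-mail vendors). The stronger control is upstream of detection: privileged mailbox and directory-admin accounts should require phishing-resistant MFA and should not double as everyday mail accounts, so that one spearphished credential cannot be used to mint senders.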

In addition to spearphishing, the conspirators utilized social engineering, which involved impersonating others, generally women, to obtain the confidence of victims. These social engineering contacts were another means the conspiracy used to deploy malware onto victim computers and compromise those devices and accounts.

KAZEMIFAR was responsible for testing the tools utilized by the conspiracy to execute its cyber campaigns. For example, KAZEMIFAR was involved in testing spearphishing emails used to target victim companies and was involved in developing malware utilized by the conspiracy in social engineering initiatives. During the course of his involvement in the conspiracy, from at least in or about 2014 through at least in or about 2020, KAZEMIFAR also worked for the Iranian Organization for Electronic Warfare and Cyber Defense ("EWCD"). EWCD is a component of the Islamic Revolutionary Guard Corps ("IRGC"), which is itself a component of the Iranian Armed Forces. Among other things, the IRGC is responsible for Iran's offensive cyber capabilities. The U.S. has designated the IRGC as a foreign terrorist organization.

HAROONI was responsible for procuring, administering, and managing the online network infrastructure, including computer servers and customized software used to facilitate the computer intrusions. HAROONI also fraudulently used the identity of a real person ("Individual-1"), including his use of a copy of Individual-1's true passport, to conceal his role in procuring online infrastructure used by the conspiracy to facilitate the computer intrusion campaign.

SALMANI was responsible for testing tools utilized by the conspiracy to execute spearphishing campaigns, including the campaign against a hospitality company. SALMANI was also involved in maintaining infrastructure used by the conspirators.

NASAB was responsible for procuring infrastructure used by the conspiracy, particularly infrastructure used in furtherance of social engineering campaigns. NASAB also used Individual-1's identity, including Individual-1's name and passport, to register server and email accounts that were used during malicious cyber campaigns.

Concurrent with the unsealing of the Indictment, the U.S. Department of State's Rewards for Justice program ("RFJ") is offering a reward of up to $10 million for information leading to the identification or location of the group and the defendants. The RFJ program seeks information on any person who, while acting at the direction or under the control of a foreign government, engages in certain malicious cyber activities in violation of the Computer Fraud and Abuse Act.

Anyone with information on these malicious cyber actors, or on associated individuals or entities, should contact Rewards for Justice via the Tor-based tips-reporting channel at: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion . More information about this RFJ reward offer is available on the Rewards for Justice website.

* * *

KAZEMIFAR, 36, of Iran, is charged with one count of conspiracy to commit computer fraud, which carries a maximum sentence of five years in prison; one count of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison; and one count of wire fraud, which carries a maximum sentence of 20 years in prison.

HAROONI, 34, of Iran, is charged with one count of conspiracy to commit computer fraud, which carries a maximum sentence of five years in prison; one count of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison; one count of knowingly damaging a protected computer, which carries a maximum sentence of 10 years in prison; one count of wire fraud, which carries a maximum sentence of 20 years in prison; and one count of aggravated identity theft, which carries a mandatory consecutive term of two years in prison.

SALMANI, 38, of Iran, is charged with one count of conspiracy to commit computer fraud, which carries a maximum sentence of five years in prison; one count of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison; one count of wire fraud, which carries a maximum sentence of 20 years in prison; and one count of aggravated identity theft, which carries a mandatory consecutive term of two years in prison.

NASAB, 39, of Iran, is charged with one count of conspiracy to commit computer fraud, which carries a maximum sentence of five years in prison; one count of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison; one count of wire fraud, which carries a maximum sentence of 20 years in prison; and one count of aggravated identity theft, which carries a mandatory consecutive term of two years in prison.

The maximum potential sentences in this case are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendants will be determined by a judge.

Mr. Williams praised the outstanding investigative work of the FBI, including the work of the FBI Cyber Division.

The case is being handled by the Office's Complex Frauds and Cybercrime Unit. Assistant U.S. Attorneys Ryan B. Finkel, Dina McLeod, and Daniel G. Nessim are in charge of the prosecution, with assistance from Trial Attorney Matthew Chang of the National Security Division's National Security Cyber Section.

The charges contained in the Indictment are merely accusations, and the defendants are presumed innocent unless and until proven guilty.

[1] As the introductory phrase signifies, the entirety of the text of the Indictment and the description of the Indictment set forth herein constitute only allegations, and every fact described should be treated as an allegation.