On Wednesday, an indictment was unsealed charging Mansour Ahmadi, aka “Mansur Ahmadi,” Ahmad Khatibi Aghda, aka “Ahmad Khatibi,” and Amir Hossein Nickaein Ravari, aka “Amir Hossein Nikaeen,” aka “Amir Hossein Nickaein,” aka “Amir Nikayin,” with one count of conspiring to commit computer fraud and related activity in connection with computers, one count of intentionally damaging a protected computer, and one count of transmitting a demand in relation to damaging a protected computer. Ahmadi faces charges for one additional count of intentionally damaging a protected computer.
According to an indictment unsealed on Wednesday, the three individuals, all Iranian nationals and residents, allegedly led a cyberattack that involved hacking into the computer networks of multiple U.S. victims, including small businesses, government agencies, non-profit programs, and educational and religious institutions. Their scheme affected multiple critical infrastructure sectors, including healthcare centers, transportation services, and utility providers. According to the DOJ’s announcement, the threat actors “engaged in a scheme to gain unauthorized access to the computer systems of hundreds of victims in the United States, the United Kingdom, Israel, Iran, and elsewhere, causing damage and losses to the victims.”
The attack exploited known vulnerabilities in commonly used network devices and software applications to gain access to the victims’ networks. Once the attackers had infiltrated an organization’s infrastructure, they exfiltrated data from the victim’s computer systems and encrypted it. They then denied the victims access to the compromised systems and data unless the victims complied with their demands for a ransom payment.
The indictment details that in February 2021 the three defendants targeted a township in Union County, New Jersey in their hacking campaign. They were able to illegally access the township’s network and data using the process outlined above, and “used a hacking tool to establish persistent remote access to a particular domain that was registered to Ahmadi.”
Approximately one year later, in or before February 2022, the defendants carried out the same actions against an accounting firm based in Morris County, New Jersey. In March 2022 the three individuals and their conspirators executed an encryption attack, leveraging the stolen data, and denied the firm access to its systems. Khatibi demanded a ransom payment of $50,000 in cryptocurrency, threatening to sell the data on the black market if this demand was not met.
The full announcement from the DOJ can be found here.