On March 23, the United States issued sanctions and criminal indictments against an Iranian hacker network that targeted hundreds of U.S. and foreign universities, dozens of U.S. companies and government agencies and the United Nations. The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned one Iranian entity and 10 individuals for theft of intellectual property and data. The Department of Justice indicted nine Iranians for conducting a massive cyber theft campaign on behalf of the Iranian Revolutionary Guard Corps (IRGC).
“The IRGC outsourced cyber intrusions to The Mabna Institute, a hacker network that infiltrated hundreds of universities to steal sensitive data,” said Treasury Under Secretary Sigal Mandelker. “We will not tolerate the theft of U.S. intellectual property, or intrusions into our research institutions and universities.” It is one of the largest state-sponsored hacking campaigns ever prosecuted by the Justice Department. The following are the statements from OFAC and the Department of Justice.
Treasury Sanctions Iranian Cyber Actors for Malicious Cyber-Enabled Activities Targeting Hundreds of Universities
Today, in a coordinated action with the U.S. Department of Justice, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated one Iranian entity and 10 Iranian individuals under Executive Order (E.O.) 13694, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” as amended. The entity and individuals designated today engaged in the theft of valuable intellectual property and data from hundreds of U.S. and third-country universities and a media company for private financial gain.
“Iran is engaged in an ongoing campaign of malicious cyber activity against the United States and our allies. The IRGC outsourced cyber intrusions to The Mabna Institute, a hacker network that infiltrated hundreds of universities to steal sensitive data,” said Treasury Under Secretary Sigal Mandelker. “We will not tolerate the theft of U.S. intellectual property, or intrusions into our research institutions and universities. Treasury will continue to systematically use our sanctions authorities to shine a light on the Iranian regime’s malicious cyber practices, and hold it accountable for criminal cyber-attacks.”
As a result of today’s action, all property and interests in property of the designated persons subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them.
Today’s action designates one Iranian entity and 10 Iranian nationals pursuant to E.O. 13694, as amended, which targets malicious cyber activities, including those related to the significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for private financial gain.
The Mabna Institute is an Iran-based company that engaged in the theft of personal identifiers and economic resources for private financial gain. The organization was founded in or about 2013 to assist Iranian universities and scientific and research organizations in obtaining access to non-Iranian scientific resources. The Mabna Institute also contracted with Iranian governmental and private entities to conduct hacking activities on its behalf.
The Mabna Institute conducted massive, coordinated cyber intrusions into computer systems belonging to at least approximately 144 United States-based universities, in addition to at least 176 universities located in 21 foreign countries: Australia, Canada, China, Denmark, Finland, Germany, Ireland, Israel, Italy, Japan, Malaysia, the Netherlands, Norway, Poland, Singapore, South Korea, Spain, Sweden, Switzerland, Turkey, and the United Kingdom. The exfiltrated data and stolen login credentials acquired through these malicious cyber-enabled activities were used for the benefit of Iran’s Islamic Revolutionary Guard Corps (IRGC), and were also sold within Iran through at least two websites. The stolen login credentials belonging to university professors were used to directly access online university library systems.
Today, OFAC is also designating nine Iran-based individuals who were leaders, contractors, associates, hackers for hire, and affiliates of the Mabna Institute for engaging in malicious cyber-enabled activities related to the significant misappropriation of economic resources or personal identifiers for private financial gain.
Gholamreza Rafatnejad (Rafatnejad) was a founding member of the Mabna Institute and organized the Mabna Institute hacking campaign.
Ehsan Mohammadi (Mohammadi) was also a founding member of the Mabna Institute. Along with Rafatnejad, Mohammadi also helped organize Mabna’s university hacking campaign and received from others compromised account credentials belonging to university professors.
Seyed Ali Mirkarimi (Mirkarimi) was a hacker and Mabna Institute contractor. Mirkarimi engaged in a variety of phases of Mabna’s university hacking campaign, including the crafting and testing of malicious, spearphishing emails and organizing of stolen credentials.
Mostafa Sadeghi (Sadeghi) was a hacker and affiliate of the Mabna Institute. Sadeghi compromised more than 1,000 university professor accounts. Sadeghi exchanged credentials for compromised professor accounts with other Mabna-affiliated actors. Sadeghi was also involved in the operation of, and maintained a financial interest in, one of the websites selling access to the stolen university data.
Sajjad Tahmasebi (Tahmasebi) was a Mabna Institute contractor. He helped facilitate the spearphishing campaign targeting universities by, among other things, conducting online network surveillance of victim university computer systems and maintaining lists of credentials stolen from victim professors.
Abdollah Karima (Karima) was a businessman who owned and operated a company that sold, through a website, access to stolen academic materials obtained through computer intrusions. Karima contracted with the Mabna Institute to direct hacking activities. Mabna affiliates regularly provided compromised university professor login credentials to Karima.
Abuzar Gohari Moqadam (Gohari Moqadam) was a professor and affiliate of the Mabna Institute. Gohari Moqadam exchanged stolen credentials for compromised accounts with Mabna Institute founders Rafatnejad and Mohammadi.
Roozbeh Sabahi (Sabahi) was a contractor for the Mabna Institute. Roozbeh Sabahi assisted in the execution of the various Mabna hacking activities, including its university campaign by, among other things, organizing stolen credentials obtained by Mabna Institute hackers.
Mohammed Reza Sabahi (Sabahi) was a Mabna Institute contractor. Sabahi assisted in the carrying out of Mabna’s spearphishing campaign targeting universities. Among his activities, Mohammed Reza Sabahi created targeting lists of university professors and catalogued academic databases at targeted universities.
In addition to the designations above related to the activities of the Mabna Institute, OFAC today designated an additional Iranian national pursuant to E.O. 13694, as amended, for engaging in significant malicious cyber-enabled misappropriation of economic resources, personal identifiers, and financial information for private financial gain for activities targeting a U.S. media company.
Behzad Mesri (Mesri) compromised multiple user accounts belonging to a U.S. media and entertainment company in order to repeatedly gain unauthorized access to the company’s computer servers and steal valuable data, including confidential and proprietary information, financial documents, and employee contact information. Mesri then attempted to extort the victim company for $6 million.
Mesri is the subject of an indictment announced by the U.S. District Court for the Southern District of New York on November 21, 2017.
DEPARTMENT OF JUSTICE ACTION
OFAC closely coordinated its action with the Department of Justice, which today released details regarding its law enforcement action against the nine leaders, contractors, associates, hackers for hire, and affiliates of the Mabna Institute designated today.
Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps
Mabna Institute Hackers Penetrated Systems Belonging to Hundreds of Universities, Companies, and Other Victims to Steal Research, Academic Proprietary Data, and Intellectual Property
An Indictment charging Gholamreza Rafatnejad, 38; Ehsan Mohammadi, 37; Abdollah Karima, aka Vahid Karima, 39; Mostafa Sadeghi, 28; Seyed Ali Mirkarimi, 34; Mohammed Reza Sabahi, 26; Roozbeh Sabahi, 24; Abuzar Gohari Moqadam, 37; and Sajjad Tahmasebi, 30, all citizens and residents of Iran, was unsealed today. The defendants were each leaders, contractors, associates, hackers-for-hire or affiliates of the Mabna Institute, an Iran-based company that, since at least 2013, conducted a coordinated campaign of cyber intrusions into computer systems belonging to 144 U.S. universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund. Through the defendants’ activities, the Mabna Institute stole more than 31 terabytes of academic data and intellectual property from universities, and email accounts of employees at private sector companies, government agencies, and non-governmental organizations. The defendants conducted many of these intrusions on behalf of the Islamic Republic of Iran’s (Iran) Islamic Revolutionary Guard Corps (IRGC), one of several entities within the government of Iran responsible for gathering intelligence, as well as other Iranian government and university clients. In addition to these criminal charges, today the Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated the Mabna Institute and the nine defendants for sanctions for the malicious cyber-enabled activity outlined in the Indictment.
The charges were announced by Deputy Attorney General Rod J. Rosenstein; Assistant Attorney General for National Security John C. Demers; U.S. Attorney Geoffrey S. Berman for the Southern District of New York; FBI Director Christopher A. Wray; Assistant Director in Charge William F. Sweeney Jr. of the FBI’s New York Field Division; and Treasury Under Secretary for Terrorism and Financial Intelligence Sigal Mandelker.
“These nine Iranian nationals allegedly stole more than 31 terabytes of documents and data from more than 140 American universities, 30 American companies, five American government agencies, and also more than 176 universities in 21 foreign countries,” said Deputy Attorney General Rosenstein. “For many of these intrusions, the defendants acted at the behest of the Iranian government and, specifically, the Iranian Revolutionary Guard Corps. The Department of Justice will aggressively investigate and prosecute hostile actors who attempt to profit from America’s ideas by infiltrating our computer systems and stealing intellectual property. This case is important because it will disrupt the defendants’ hacking operations and deter similar crimes.”
“Today, in one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice, we have unmasked criminals who normally hide behind the ones and zeros of computer code,” said U.S. Attorney Berman. “As alleged, this massive and brazen cyber-assault on the computer systems of hundreds of universities in 22 countries and dozens of private sector companies and governmental organizations was conducted on behalf of Iran’s Islamic Revolutionary Guard. The hackers targeted innovations and intellectual property from our country’s greatest minds. These defendants are now fugitives from American justice, no longer free to travel outside Iran without risk of arrest. The only way they will see the outside world is through their computer screens, but stripped of their greatest asset – anonymity.”
“This investigation involved a complex threat in a dynamic landscape, but today’s announcement highlights the commitment of the FBI and our partners to vigorously pursue those that threaten U.S. property and security,” said Director Wray. “Today, not only are we publicly identifying the foreign hackers who committed these malicious cyber intrusions, but we are also sending a powerful message to their backers, the Government of the Islamic Republic of Iran: your acts do not go unnoticed. We will protect our innovation, ideas and information, and we will use every tool in our toolbox to expose those who commit these cyber crimes. Our memory is long; we will hold them accountable under the law, no matter where they attempt to hide.”
According to the allegations contained in the Indictment unsealed today in Manhattan federal court:
Background on the Mabna Institute
Gholamreza Rafatnejad and Ehsan Mohammadi, the defendants, founded the Mabna Institute in approximately 2013 to assist Iranian universities and scientific and research organizations in stealing access to non-Iranian scientific resources. In furtherance of its mission, the Mabna Institute employed, contracted, and affiliated itself with hackers-for-hire and other contract personnel to conduct cyber intrusions to steal academic data, intellectual property, email inboxes and other proprietary data, including Abdollah Karima, aka Vahid Karima, Mostafa Sadeghi, Seyed Ali Mirkarimi, Mohammed Reza Sabahi, Roozbeh Sabahi, Abuzar Gohari Moqadam, and Sajjad Tahmasebi. The Mabna Institute contracted with both Iranian governmental and private entities to conduct hacking activities on their behalf, and specifically conducted the university spearphishing campaign on behalf of the IRGC. The Mabna Institute is located at Tehran, Sheikh Bahaii Shomali, Koucheh Dawazdeh Metri Sevom, Plak 14, Vahed 2, Code Posti 1995873351.
University Hacking Campaign
The Mabna Institute, through the activities of the defendants, targeted more than 100,000 accounts of professors around the world. They successfully compromised approximately 8,000 professor email accounts across 144 U.S.-based universities, and 176 universities located in foreign countries, including Australia, Canada, China, Denmark, Finland, Germany, Ireland, Israel, Italy, Japan, Malaysia, Netherlands, Norway, Poland, Singapore, South Korea, Spain, Sweden, Switzerland, Turkey and the United Kingdom. The campaign started in approximately 2013, continued through at least December 2017, and broadly targeted all types of academic data and intellectual property from the systems of compromised universities. Through the course of the conspiracy, U.S.-based universities spent more than approximately $3.4 billion to procure and access such data and intellectual property.
The members of the conspiracy used stolen account credentials to obtain unauthorized access to victim professor accounts, which they used to steal research, and other academic data and documents, including, among other things, academic journals, theses, dissertations, and electronic books. The defendants targeted data across all fields of research and academic disciplines, including science and technology, engineering, social sciences, medical, and other professional fields. The defendants stole at least approximately 31.5 terabytes of academic data and intellectual property, which they exfiltrated to servers outside the United States that were under the control of members of the conspiracy.
In addition to stealing academic data and login credentials for the benefit of the Government of Iran, the defendants also sold the stolen data through two websites, Megapaper.ir (Megapaper) and Gigapaper.ir (Gigapaper). Megapaper was operated by Falinoos Company, a company controlled by Abdollah Karima, aka Vahid Karima, the defendant, and Gigapaper was affiliated with Karima. Megapaper sold stolen academic resources to customers within Iran, including Iran-based public universities and institutions, and Gigapaper sold a service to customers within Iran whereby purchasing customers could use compromised university professor accounts to directly access the online library systems of particular U.S.-based and foreign universities.
Accompanying Mitigation Efforts
Prior to the unsealing of the Indictment, the FBI provided foreign law enforcement partners with detailed information regarding victims within their jurisdictions, so that victims in foreign countries could be notified and foreign partners could assist in remediation efforts.
Also, in connection with the unsealing of the Indictment, today the FBI provided private sector partners detailed information regarding the vulnerabilities targeted and the intrusion vectors used by the Mabna Institute in their campaign against private sector companies. This information will assist the public in its network defense and mitigation efforts.
* * *
Rafatnejad, Mohammadi, Karima, Sadeghi, Mirkarimi, Sabahi, Sabahi, Moqadam and Tahmasebi are each charged with one count of conspiracy to commit computer intrusions, which carries a maximum sentence of five years in prison; one count of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison; two counts of unauthorized access of a computer, each of which carries a maximum sentence of five years in prison; two counts of wire fraud, each of which carries a maximum sentence of 20 years in prison; and one count of aggravated identity theft, which carries a mandatory sentence of two years in prison. The maximum potential sentences in this case are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendants will be determined by the assigned judge.
Mr. Rosenstein and Mr. Berman praised the outstanding investigative work of the FBI, the assistance of the United Kingdom’s National Crime Agency (NCA), and the support of the OFAC. Assistant U.S. Attorneys Timothy T. Howard, Jonathan Cohen and Richard Cooper are in charge of the prosecution, with assistance provided by Trial Attorneys Heather Alpino and Jason McCullough of the National Security Division’s Counterintelligence and Export Control Section.
The charges contained in the Indictment are merely accusations and the defendants are presumed innocent unless and until proven guilty.