U.S. Sanctions Iranians Linked to Cyberattacks

On April 24, 2024, the United States sanctioned two companies and four men for launching operations against more than a dozen U.S. companies and government entities on behalf of Iran’s Revolutionary Guards. The “coordinated, multi-pronged campaign intended to destabilize our critical infrastructure and cause harm to our citizens,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian Nelson. The two firms, Mehrsam Andisheh Saz Nik and Dadeh Afzar Arman, were front companies for the Revolutionary Guards Cyber Electronic Command.

Concurrently, the Department of Justice and the Federal Bureau of Investigation unsealed an indictment against the four Iranian nationals for their roles in cyber activity targeting U.S. entities. “Criminal activity originating from Iran poses a grave threat to America’s national security and economic stability,” said Attorney General Merrick B. Garland. The State Department's Rewards for Justice program also announced a reward of up to $10 million for information leading to the identification or location of the group and the defendants. The following are statements from the Treasury and Justice Departments.

Treasury Department

Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned two companies and four individuals involved in malicious cyber activity on behalf of the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC). These actors targeted more than a dozen U.S. companies and government entities through cyber operations, including spear phishing and malware attacks. In conjunction with today’s action, the U.S. Department of Justice and the Federal Bureau of Investigation are unsealing an indictment against the four individuals for their roles in cyber activity targeting U.S. entities.

“Iranian malicious cyber actors continue to target U.S. companies and government entities in a coordinated, multi-pronged campaign intended to destabilize our critical infrastructure and cause harm to our citizens,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “The United States will continue to leverage our whole-of-government approach to expose and disrupt these networks’ operations.”

Iranian cyber actors continue to target the United States using a wide range of malicious cyber activity, from conducting ransomware attacks against critical infrastructure to conducting spear phishing and other social engineering campaigns against individuals, companies, and government entities. The IRGC-CEC, one of the Iranian government organizations behind malicious cyber activity, works through a series of front companies to target the United States and several other countries. Although front company management and key personnel know their operations support the IRGC-CEC, much of the Iranian public is not aware that some companies in Iran, such as Mehrsam Andisheh Saz Nik, are used as front companies to support the IRGC-CEC. The Iranian public should be aware that the IRGC-CEC uses private companies and their employees to achieve illegal goals.

Today’s action is being taken pursuant to the counterterrorism authority Executive Order (E.O.) 13224, as amended. OFAC designated the IRGC-CEC, also known as the IRGC Electronic Warfare and Cyber Defense Organization, pursuant to E.O. 13606 on January 12, 2018, for being owned or controlled by, or acting for or on behalf of, the IRGC, which itself was designated pursuant to E.O. 13224 on October 13, 2017. In February 2024, OFAC designated six IRGC-CEC officials in response to recent cyber operations in which IRGC-affiliated cyber actors manipulated programmable logic controllers, which impacted critical infrastructure systems, including in the United States. While these particular operations did not disrupt any critical services, unauthorized access to critical infrastructure systems can enable actions that harm the public and cause devastating humanitarian consequences.

IRGC-CEC FRONT COMPANIES AND AFFILIATED CYBER ACTORS

Mehrsam Andisheh Saz Nik (MASN), formerly known as Mahak Rayan Afzar, is an IRGC-CEC front company that has supported malicious cyber activity conducted by the IRGC-CEC. The company has been associated with multiple Iranian advanced persistent threat (APT) groups, including Tortoiseshell. The company is also associated with other malicious cyber activity, including a multi-year campaign targeting over a dozen U.S. companies and government entities, including the Department of the Treasury. 

Alireza Shafie Nasab is an IRGC-CEC-affiliated cyber actor who was involved in the same multi-year cyber campaign targeting U.S. entities while employed by MASN’s predecessor, Mahak Rayan Afzar. 

Reza Kazemifar Rahman (Kazemifar), another IRGC-CEC cyber actor, has been involved in operational testing of malware intended to target job seekers with a focus on military veterans. Kazemifar, while employed by MASN’s predecessor, Mahak Rayan Afzar, was also involved in the spear phishing campaign targeting multiple U.S. entities, including the Department of the Treasury. 

IRGC-CEC front company Dadeh Afzar Arman (DAA) has also engaged in malicious cyber campaigns on behalf of the IRGC-CEC. 

Hosein Mohammad Haruni was employed by DAA and has been associated with various spear phishing and other social engineering operations, in addition to malicious cyber activity targeting U.S. entities and the Department of the Treasury. 

Komeil Baradaran Salmani has been associated with multiple IRGC-CEC front companies and involved in spear phishing campaigns targeting multiple U.S. entities, including Department of the Treasury. 

Mehrsam Andisheh Saz Nik, Dadeh Afzar Arman, Alireza Shafie Nasab, Komeil Baradaran Salmani, and Reza Kazemifar Rahman are all being designated pursuant to E.O. 13224, as amended, for having acted or purported to act for or on behalf of, directly or indirectly, the IRGC-CEC. Hosein Mohammad Haruni is being designated pursuant to E.O. 13224, as amended, for having acted or purported to act for or on behalf of, directly or indirectly, Dadeh Afzar Arman.

SANCTIONS IMPLICATIONS

As a result of today’s action, all property and interests in property of the designated persons described above that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked. Unless authorized by a general or specific license issued by OFAC, or exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons. 

In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action. The prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any designated person, or the receipt of any contribution or provision of funds, goods, or services from any such person. 

The power and integrity of OFAC sanctions derive not only from OFAC’s ability to designate and add persons to the Specially Designated Nationals and Blocked Persons List (SDN List), but also from its willingness to remove persons from the SDN List consistent with the law. The ultimate goal of sanctions is not to punish, but to bring about a positive change in behavior. For information concerning the process for seeking removal from an OFAC list, including the SDN List, please refer to OFAC’s Frequently Asked Question 897 and to OFAC’s detailed guidance on submitting a request for removal from an OFAC sanctions list.


Justice Department

An indictment was unsealed today in Manhattan federal court charging Iranian nationals Hossein Harooni (حسین هارونی), Reza Kazemifar (رضا کاظمی فر), Komeil Baradaran Salmani (کمیل برادران سلمانی), and Alireza Shafie Nasab (علیرضا شفیعی نسب) for their involvement in a cyber-enabled campaign to compromise U.S. government and private entities, including the U.S. Departments of Treasury and State, defense contractors, and two New York-based companies. Nasab was charged for the same conduct in a previous indictment that was unsealed on Feb. 29. The defendants remain at large.

Concurrent with today’s unsealing, the U.S. Department of State’s Rewards for Justice program (RFJ) is offering a reward of up to $10 million for information leading to the identification or location of the group and the defendants. The RFJ program seeks information on any person who, while acting at the direction or under the control of a foreign government, engages in certain malicious cyber activities in violation of the Computer Fraud and Abuse Act (CFAA). Additionally, the Treasury Department announced sanctions against the four defendants, among other malicious cyber actors.

“Criminal activity originating from Iran poses a grave threat to America’s national security and economic stability,” said Attorney General Merrick B. Garland. “These defendants are alleged to have engaged in a coordinated, multi-year hacking campaign from Iran targeting more than a dozen American companies and the U.S. Treasury and State Departments. This case represents just one part of the U.S. government’s effort to counter the range of threats originating from Iran that endanger the American people.”

“The FBI is constantly working to detect and counter cyber campaigns like the one described in today’s indictment. From enabling lethal plots and repressing our citizens and residents to targeting our critical infrastructure, we’ve often seen the trail of dangerous cyber-criminal activity lead back to Iran,” said FBI Director Christopher Wray. “Today’s announcement demonstrates the FBI’s commitment to using every lawful tool at our disposal, together with our domestic and international partners, to disrupt the threats posed from Iran to American businesses and citizens.”

“Today’s charges pull back the curtain on an Iran-based company that purported to provide ‘cybersecurity services’ while in actuality scheming to compromise U.S. private and public sector computer systems, including through spearphishing and social engineering attacks,” said Assistant Attorney General Matthew G. Olsen of the Department of Justice’s National Security Division. “The Department is committed to using a whole of government approach to disrupt such malicious activities and impose consequences on the individuals that carry them out. Employees that continue to work at these companies risk arrest and prosecution or a lifetime as an international fugitive from justice.”

“As alleged, the defendants participated in a cyber campaign using spearphishing and other hacking techniques in an attempt to compromise private companies with access to defense-related information,” said U.S. Attorney Damian Williams for the Southern District of New York. “Cyber intrusion schemes such as the one alleged threaten our national security, and I’m proud of our law enforcement partners and the career prosecutors of this office for continuing to use innovative technologies and investigative measures to disrupt and track down these cybercriminals. If you have information leading to the identification or location of Harooni, Kazemifar, Salmani, or Nasab, please reach out to the Department of State at rewardsforjustice.net.”

According to court documents, from at least in or about 2016 through at least in or about April 2021, Harooni, Kazemifar, Salmani, Nasab, and other conspirators were members of a hacking organization that participated in a coordinated multi-year campaign to conduct and attempt to conduct computer intrusions. These intrusions targeted more than a dozen U.S. companies and the U.S. Departments of Treasury and State.

During the conspiracy, Kazemifar, Salmani, and Nasab were employed by Mahak Rayan Afraz (محک رایان افراز), an Iran-based company that purported to provide cybersecurity services, but which was, in fact, a front for the conspirators’ operations.

The hacking group’s private sector victims were primarily cleared defense contractors, which are companies that have been granted security clearances by the U.S. Department of Defense to access, receive, and store classified information for the purpose of conducting activities in support of U.S. Department of Defense programs. In addition, the group targeted a New York-based accounting firm and a New York-based hospitality company.

In conducting their hacking campaigns, the group used spearphishing — tricking an email recipient into clicking on a malicious link — to infect victim computers with malware. During their campaigns against one victim, the group compromised more than 200,000 employee accounts. In another campaign, the conspirators targeted 2,000 employee accounts. In order to manage their spearphishing operations, the group created and used a particular computer application that enabled the conspirators to organize and deploy their spearphishing attacks.

In the course of these spearphishing attacks, the conspirators compromised an administrator email account belonging to a defense contractor (Defense Contractor-1). Access to this administrator account empowered the conspirators to create unauthorized Defense Contractor-1 accounts, which the conspirators then used to send spearphishing campaigns to employees of a different defense contractor and a consulting firm.

In addition to spearphishing, the conspirators utilized social engineering, which involved impersonating others, generally women, to obtain the confidence of victims. These social engineering contacts were another means the conspiracy used to deploy malware onto victim computers and compromise those devices and accounts.

Kazemifar was responsible for testing the tools utilized by the conspiracy to execute its cyber campaigns. For example, Kazemifar was involved in testing spearphishing emails used to target victim companies and was involved in developing malware utilized by the conspiracy in social engineering initiatives. During the course of his involvement in the conspiracy, from at least in or about 2014 through at least in or about 2020, Kazemifar also worked for the Iranian Organization for Electronic Warfare and Cyber Defense (EWCD). EWCD is a component of the Islamic Revolutionary Guard Corps (IRGC), which is itself a component of the Iranian Armed Forces. Among other things, the IRGC is responsible for Iran’s offensive cyber capabilities. The United States has designated the IRGC as a foreign terrorist organization.

Harooni was responsible for procuring, administering, and managing the online network infrastructure, including computer servers and customized software used to facilitate the computer intrusions. Harooni also fraudulently used the identity of a real person (Individual-1), including his use of a copy of Individual-1’s true passport, to conceal his role in procuring online infrastructure used by the conspiracy to facilitate the computer intrusion campaign.

Salmani was responsible for testing tools utilized by the conspiracy to execute spearphishing campaigns, including the campaign against a hospitality company. Salmani was also involved in maintaining infrastructure used by the conspirators.

Nasab was responsible for procuring infrastructure used by the conspiracy, particularly infrastructure used in furtherance of social engineering campaigns. Nasab also used Individual-1’s identity, including Individual-1’s name and passport, to register server and email accounts that were used during malicious cyber campaigns.           

The defendants are each charged with conspiracy to commit computer fraud, conspiracy to commit wire fraud, and wire fraud. If convicted, they face up to five years in prison for the computer fraud conspiracy, and up to 20 years in prison for each count of wire fraud and conspiracy to commit wire fraud. Harooni is additionally charged with knowingly damaging a protected computer, which carries a maximum penalty of 10 years in prison. Harooni, Salmani, and Nasab are additionally charged with aggravated identity theft, which carries a mandatory consecutive term of two years in prison. A federal district judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

The FBI Cyber Division is investigating the case.

Assistant U.S. Attorneys Ryan B. Finkel, Dina McLeod, and Daniel G. Nessim for the Southern District of New York are prosecuting the case, with assistance from Trial Attorney Matthew Chang of the National Security Division’s National Security Cyber Section.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.
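The pivot the indictment describes (a compromised administrator email account used to create unauthorized mailboxes at Defense Contractor-1, which then sent spearphishing to employees of another defense contractor and a consulting firm) leaves a recognizable trace in directory and mail audit logs: a mailbox is created, and within hours it mails many external recipients. The Python below is an added example for this page, not code from the indictment, the FBI or any other agency; the log format, field names, domains, time window, threshold and every sample event are constructed assumptions. It flags newly created mailboxes that mail a threshold number of distinct external recipients shortly after creation, and separately reports accounts that created several mailboxes in a short burst.

```python
"""Detect the "compromised admin creates mailboxes, new mailboxes spear-phish
partners" pattern in a combined directory/mail audit log.

Added example for this page; not code from the indictment, the FBI or any
other agency. Log format, field names, domains, thresholds and every sample
event below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "contractor1.example"   # assumed domain of the compromised tenant
WINDOW = timedelta(hours=24)              # assumed: only mail sent this soon after creation counts
MIN_EXTERNAL_RECIPIENTS = 5               # assumed threshold for "mass" external mail

# Constructed audit log. Each row: (iso_timestamp, actor, action, object)
#   create_user: actor created mailbox <object>
#   send_mail:   actor sent one message to recipient <object>
SAMPLE_LOG = [
    ("2020-03-02T01:12:00", "admin@contractor1.example", "create_user", "hr-notice@contractor1.example"),
    ("2020-03-02T01:13:00", "admin@contractor1.example", "create_user", "it-support@contractor1.example"),
    ("2020-03-02T01:30:00", "hr-notice@contractor1.example", "send_mail", "a.lee@contractor2.example"),
    ("2020-03-02T01:30:05", "hr-notice@contractor1.example", "send_mail", "b.ng@contractor2.example"),
    ("2020-03-02T01:30:10", "hr-notice@contractor1.example", "send_mail", "c.ortiz@contractor2.example"),
    ("2020-03-02T01:30:15", "hr-notice@contractor1.example", "send_mail", "d.kim@contractor2.example"),
    ("2020-03-02T01:30:20", "hr-notice@contractor1.example", "send_mail", "e.rossi@consultfirm.example"),
    ("2020-03-02T01:30:25", "hr-notice@contractor1.example", "send_mail", "f.shah@consultfirm.example"),
    ("2020-03-02T01:31:00", "hr-notice@contractor1.example", "send_mail", "cfo@contractor1.example"),    # internal: ignored
    ("2020-03-04T01:30:00", "hr-notice@contractor1.example", "send_mail", "g.cho@contractor2.example"),  # outside window: ignored
    ("2020-03-02T02:00:00", "it-support@contractor1.example", "send_mail", "h.diaz@consultfirm.example"),
    ("2020-03-02T02:00:05", "it-support@contractor1.example", "send_mail", "i.wu@consultfirm.example"),  # only 2: below threshold
    ("2020-03-05T09:00:00", "admin@contractor1.example", "create_user", "newhire@contractor1.example"),
    ("2020-03-05T09:30:00", "newhire@contractor1.example", "send_mail", "manager@contractor1.example"),  # benign onboarding
]


def mail_domain(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def find_phishing_relays(log, window=WINDOW, threshold=MIN_EXTERNAL_RECIPIENTS,
                         internal_domain=INTERNAL_DOMAIN):
    """Return findings for mailboxes that were created in the log and then, within
    `window` of creation, sent mail to at least `threshold` distinct external
    recipients. Events are processed in timestamp order, so a send that precedes
    the creation record (clock skew, reordered logs) is not credited to the mailbox."""
    created = {}                   # mailbox -> (created_at, creator)
    external = defaultdict(set)    # mailbox -> distinct external recipients inside the window
    for ts, actor, action, obj in sorted(log, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if action == "create_user":
            created[obj.lower()] = (t, actor)
        elif action == "send_mail":
            sender = actor.lower()
            if sender not in created:
                continue            # pre-existing mailbox: out of scope for this rule
            created_at, _ = created[sender]
            in_window = created_at <= t <= created_at + window
            if in_window and mail_domain(obj) != internal_domain:
                external[sender].add(obj.lower())

    findings = []
    for mailbox, recipients in external.items():
        if len(recipients) < threshold:
            continue
        created_at, creator = created[mailbox]
        findings.append({
            "mailbox": mailbox,
            "created_by": creator,
            "created_at": created_at.isoformat(),
            "external_recipients": len(recipients),
            "target_domains": sorted({mail_domain(r) for r in recipients}),
        })
    return findings


def creation_bursts(log, window=timedelta(minutes=10)):
    """Secondary signal: for each creating account, the largest number of mailboxes
    it created inside any interval of length `window` (sliding window over sorted times)."""
    times = defaultdict(list)
    for ts, actor, action, _ in log:
        if action == "create_user":
            times[actor].append(datetime.fromisoformat(ts))
    bursts = {}
    for creator, stamps in times.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        bursts[creator] = best
    return bursts


if __name__ == "__main__":
    for finding in find_phishing_relays(SAMPLE_LOG):
        print(finding)
    print(creation_bursts(SAMPLE_LOG))
```

On the constructed log the rule fires once, for hr-notice (six distinct external recipients across two partner domains within the window); it-support stays under the threshold and newhire only mails internally, while the send two days later and the internal send from hr-notice are ignored by design. In practice the threshold and window should be tuned against the tenant's own baseline, and a hit should be joined with the creator account's sign-in history, since the account that created the mailboxes is the one that was compromised.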