On Feb. 29, 2024, the U.S. Department of Justice charged Alireza Shafie Nasab, age 39, with involvement in a multi-year hacking campaign. He and his co-conspirators targeted the Treasury and State Departments as well as more than a dozen American companies, including defense contractors. They tried to infiltrate more than 200,000 devices. Shafie Nasab participated in the campaign while working for Mahak Rayan Afraz, a front company for the Revolutionary Guards. Nasab was charged with:
- One count of conspiracy to commit computer fraud (maximum penalty of five years in prison)
- One count of conspiracy to commit wire fraud (maximum penalty of 20 years in prison)
- One count of wire fraud (maximum penalty of 20 years in prison)
- One count of aggravated identity theft (mandatory consecutive term of two years in prison)
“Today’s charges highlight Iran’s corrupt cyber ecosystem, in which criminals are given free rein to target computer systems abroad and threaten U.S. sensitive information and critical infrastructure,” said Assistant Attorney General Matthew Olsen. The State Department Rewards for Justice Program offered a reward of up to $10 million for information leading to the identification or location of Nasab. The following is the Justice Department press release.
Justice Department
The Justice Department unsealed an indictment charging an Iranian national with involvement in a cyber-enabled campaign to compromise U.S. governmental and private entities, including the U.S. Departments of the Treasury and State, defense contractors, and two New York-based companies.
According to court documents, from at least in or about 2016 through in or about April 2021, Alireza Shafie Nasab, 39, of Iran, and other co-conspirators were members of a hacking organization that participated in a coordinated multi-year campaign to conduct and attempt to conduct computer intrusions. These intrusions targeted more than a dozen U.S. companies and the U.S. Departments of the Treasury and State. Nasab remains at large.
“While purporting to work as a cybersecurity specialist for Iran-based clients, Mr. Nasab allegedly participated in a persistent campaign to compromise U.S. private sector and government computer systems,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “Today’s charges highlight Iran’s corrupt cyber ecosystem, in which criminals are given free rein to target computer systems abroad and threaten U.S. sensitive information and critical infrastructure. Our National Security Cyber Section remains focused on disputing these cross-border hacking schemes and holding those responsible to account.”
“As alleged, Alireza Shafie Nasab participated in a cyber campaign using spear phishing and other hacking techniques to infect more than 200,000 victim devices, many of which contained sensitive or classified defense information,” said U.S. Attorney Damian Williams for the Southern District of New York. “Cyber intrusion schemes such as the one alleged threaten our national security, and I’m proud of our law enforcement partners and the career prosecutors of this office for using innovative technologies and investigative measures to disrupt and track down these cybercriminals.”
“The FBI will leverage all of its capabilities in combating the threat posed by Iranian hacker organizations to America’s public and private sectors,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “The close collaboration with partners that led to today’s unsealed indictment of Alireza Shafie Nasab will continue to keep the pressure on cyber adversaries.”
The hacking group’s private sector victims were primarily cleared defense contractors, which are companies that support U.S. Department of Defense programs. In addition, the group targeted a New York-based accounting firm and a New York-based hospitality company.
According to the indictment, in conducting their hacking campaigns, the group used spear phishing — that is, tricking an email recipient into clicking on a malicious link — to infect victim computers with malware. In the course of their campaigns against one victim, the group compromised more than 200,000 victim employee accounts. At another victim, the conspirators targeted 2,000 employee accounts. In order to manage their spear phishing campaigns, the group created and used a particular computer application, which enabled the conspirators to organize and deploy their spear phishing attacks.
In the course of these spear phishing attacks, the conspirators compromised an administrator email account belonging to a defense contractor (Defense Contractor-1). Access to this administrator account empowered the conspirators to create unauthorized Defense Contractor-1 accounts, which the conspirators then used to send spear phishing campaigns to employees of a different defense contractor and a consulting firm.
In addition to spear phishing, the conspirators utilized social engineering, which involved impersonating others, generally women, in order to obtain the confidence of victims. These social engineering contacts were another means the conspiracy used to deploy malware onto victim computers and compromise those devices and accounts.
Nasab took part in these schemes. During his participation in the scheme, he was employed by Mahak Rayan Afraz, an Iran-based company that purported to provide cybersecurity services, but which was, in fact, a front for the conspirators’ operations. Nasab was responsible for procuring infrastructure used by the conspiracy. During the course of this conduct, Nasab used the stolen identity of a real person in order to register a server and email accounts used in the course of the cyber campaigns.
Nasab is charged with one count of conspiracy to commit computer fraud, which carries a maximum penalty of five years in prison; one count of conspiracy to commit wire fraud, which carries a maximum penalty of 20 years in prison; one count of wire fraud, which carries a maximum penalty of 20 years in prison; and one count of aggravated identity theft, which carries a mandatory consecutive term of two years in prison. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.
Concurrent with the unsealing of the indictment, the U.S. Department of State’s Rewards for Justice Program is offering a reward of up to $10 million for information leading to the identification or location of Nasab.
Anyone with information on Nasab and his malicious cyber activity should contact Rewards for Justice via their Tor-based tips-reporting channel at: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion (the Tor browser is required).
The FBI New York Field Office and Cyber Division are investigating the case.
Assistant U.S. Attorneys Ryan B. Finkel, Dina McLeod and Daniel G. Nessim for the Southern District of New York’s Complex Frauds and Cybercrime Unit are prosecuting the case, with valuable assistance from Trial Attorney Matthew Chang of the National Security Division’s National Security Cyber Section.
An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.