The US Department of the Treasury on Thursday (September 17th) imposed sanctions on a "cyber threat group", 45 associated individuals, and a front company linked to Iran's Ministry of Intelligence and Security.
Rana Intelligence Computing Company (Rana) is a front company for the Iranian Ministry of Intelligence and Security, the Treasury said.
Masked behind this company, it said, "the government of Iran employed a years-long malware campaign that targeted Iranian dissidents, journalists and international companies in the travel sector".
The US Federal Bureau of Investigation (FBI) simultaneously released detailed information about the Iranian cyber threat group, known as Advanced Persistent Threat 39 (APT39), in a public intelligence alert.
“The Iranian regime uses its Intelligence Ministry as a tool to target innocent civilians and companies, and advance its destabilising agenda around the world,” said Treasury Secretary Steven T. Mnuchin.
“The US is determined to counter offensive cyber campaigns designed to jeopardise security and inflict damage on the international travel sector,” he said.
Front company for ministry
According to the Treasury, "Rana advances Iranian national security objectives and the strategic goals of Iran’s Ministry of Intelligence and Security by conducting computer intrusions and malware campaigns".
These target "perceived adversaries", including foreign governments and other individuals the ministry considers a threat, the Treasury said.
APT39, which is owned or controlled by the ministry, was previously sanctioned on February 16th, 2012, pursuant to executive orders that target terrorists and those responsible for human rights abuses in Iran and Syria.
Rana is being designated for being owned or controlled by the ministry.
The 45 individuals are being designated for having materially assisted, sponsored or provided financial, material or technological support for, or goods or services to or in support of the ministry.
These individuals served in various capacities while employed at Rana, "including as managers, programmers and hacking experts", the Treasury said.
They provided support for ongoing cyber intrusions on behalf of the ministry by targeting the networks of international businesses, institutions, air carriers and other targets it considered a threat.
Iranian malware identified
The FBI advisory details eight separate and distinct sets of malware the ministry used, through Rana, to conduct computer intrusion activities.
This is the first time most of these technical indicators have been publicly discussed and attributed to Iran’s Ministry of Intelligence and Security by the US government.
By making the code public, the FBI is hindering the ministry's ability to continue its campaign, "ending the victimisation of thousands of individuals and organisations around the world", the Treasury said.
FBI director Christopher Wray said the agency was releasing indicators of compromise attributed to Iran "to help computer security professionals everywhere protect their networks from the malign actions of this nation state”.
Through Rana, he said, the ministry "recruited highly educated people and turned their cyber talents into tools to exploit, harass, and repress their fellow citizens and others deemed a threat to the regime".
The new sanctions "hold these 45 individuals accountable for stealing data" from dozens of networks in the US and from networks in Iran’s neighbouring countries and around the world, Wray said.
Abuse, surveillance of citizens
The Ministry of Intelligence and Security, camouflaged as Rana, has played a key role in the Iranian regime's abuse and surveillance of its own citizens, the Treasury said.
Through Rana, it said, cyber actors "used malicious cyber intrusion tools to target and monitor Iranian citizens, particularly dissidents, Iranian journalists, former government employees, environmentalists, refugees, university students and faculty, and employees at international non-governmental organisations".
"Some of these individuals were subjected to arrest and physical and psychological intimidation" by the ministry, the Treasury said.
APT39 actors also targeted Iranian private sector companies and academic institutions, including domestic and international language and cultural centres.
Rana’s targeting has been both internal to Iran and global in scale, including hundreds of individuals and entities from more than 30 countries across Asia, Africa, Europe and North America.
Cyber actors targeted a wide range of victims, including global airlines and foreign intelligence services. The unauthorised access obtained by the individuals enabled the ministry to track individuals it considers a threat.