
Iranian spy ministry blacklisted over malicious cyber acts

By Babak Dashti

Members of the Albanian scientific police unit enter Iran's embassy in Tirana on September 8. Albania broke diplomatic ties with Iran one day earlier over an alleged cyber-attack. [Gent Shkullaku/AFP]

An Iranian government ministry is facing US sanctions, along with several individuals and entities in Iran, over malign cyber activities that have caused damage and losses to hundreds of people in at least four countries.

On September 14, the US Treasury blacklisted 10 Iranian nationals and two entities for their roles in conducting malicious cyber acts, including ransomware activity.

Three of the individuals had engaged in a scheme to gain unauthorised access to computer systems in countries including the United States, United Kingdom, Israel and Iran, inflicting damage and loss on hundreds of people, it said.

"The government of Iran has created a safe haven where cyber criminals acting for personal gain flourish," US Assistant Attorney General Matthew G. Olsen said in a statement.

Iranian Intelligence Minister Esmaeil Khatib, seen here in an undated photo, is under US government sanctions. [Hamshahrionline.ir]

A police officer stands guard outside the Iranian embassy in Tirana, Albania, on September 7, the day Albania cut diplomatic ties with Iran. [Gent Shkullaku/AFP]

Cyber criminals "are able to hack and extort victims, including critical infrastructure providers", Olsen said.

"This indictment makes clear that even other Iranians are less safe because their own government fails to follow international norms and stop Iranian cyber criminals," he added.

Cyber-attacks on Albania

In July, "cyber threat actors" sponsored by Iran's Ministry of Intelligence and Security (MOIS) disrupted Albanian government computer systems, forcing the government to suspend online public services for its citizens.

After the findings of an investigation into the incident came to light on September 7, Albania severed diplomatic relations with Iran and ordered Iranian diplomats to leave Tirana, Albanian Prime Minister Edi Rama said.

The Albanian response to the incident is "fully proportionate to the gravity and risk of the cyber-attack", said Rama.

The MOIS-linked attack "threatened to paralyse public services, erase digital systems, hack into state records, steal government intranet electronic communication, and stir chaos and insecurity in the country", he said.

A few days later, on September 9, the US Treasury blacklisted MOIS and Intelligence Minister Esmaeil Khatib for engaging in cyber-enabled activities against the United States and its allies.

"Iran's cyber attack against Albania disregards norms of responsible peacetime state behaviour in cyberspace," said US Treasury Under-Secretary for Terrorism and Financial Intelligence Brian E. Nelson in a statement.

These include "refraining from damaging critical infrastructure that provides services to the public", Nelson said.

"We will not tolerate Iran's increasingly aggressive cyber activities targeting the United States or our allies and partners," he added.

Relations between Albania and Iran have been hostile since 2013, when the Balkan state began hosting some 3,000 members of the opposition group Mujahedeen-e-Khalq (MEK), now based at the camp known as Ashraf 3, about 30km west of Tirana.

Iran's cyber-attacks, which temporarily shut down online platforms of several Albanian government institutions, were reportedly carried out to disrupt the MEK gathering in Albania.

Uptick in cyber-attacks

In recent years, Iran has invested heavily in cyber-attacks on other countries, including members of the North Atlantic Treaty Organisation (NATO).

The Islamic Republic has chosen cyber warfare as an inexpensive means to strike other countries, security analyst Esfandyar Habibi told Al-Mashareq.

Cyber wars do not require expensive hardware, and they are capable of causing grave damage, he said, adding that the perpetrators of cyber-attacks are tough to track, which works in Tehran's favour.

Moreover, Habibi said, the Iranian regime enjoys the support and expertise of Russia and North Korea for malign cyber acts.

On September 6, Islamic Revolutionary Guard Corps (IRGC) commander Hossein Salami said the IRGC "has 2,000 active cyber battalions that produce content and execute operations".

Israeli media had previously accused "Pay2Key," a hacking group linked to Iran, of attacking Israeli cybersecurity companies.

IRGC-sponsored cyber-attacks intensified in 2021.

Camouflaged cyber battalions

"The Iranian regime has organised what it calls cyber battalions inside the country to disseminate its propaganda anonymously while camouflaging as social media users," said cybersecurity analyst Alireza Behbahani.

"For instance, IRGC hackers broke into the Google [Gmail] accounts of Iranian civil activists, dissidents and journalists in March 2018," he said.

Google's latest report on state-sponsored cyber threats, published in August, described "Charming Kitten" as a cyberwarfare group backed by the Iranian government.

Several companies and government officials described the group as an "advanced persistent threat".

"Charming Kitten" has reportedly hacked into many Gmail accounts in Iran.

Regime-affiliated hackers broke into Yahoo and Microsoft Outlook email accounts as well, using a data-extraction tool called HYPERSCRAPE, the report said.

The Iranian regime has regularly restricted the public's access to the internet, in an apparent attempt to crack down on domestic protests and dissent.

Meanwhile, it has steadily intensified its interference in the affairs of other countries via the cyber realm, as recent incidents have made clear.
