The U.S. Department of Justice (DoJ) on Friday unsealed an indictment against an Iranian national for his alleged involvement in a multi-year, cyber-based campaign designed to compromise U.S. government and private entities.
More than a dozen entities are said to have been targeted, including the U.S. Departments of the Treasury and State, defense contractors supporting U.S. Department of Defense programs, and an accounting firm and a hospitality company, both based in New York.
Alireza Shafie Nasab, 39, claimed to be a cybersecurity specialist for a company called Mahak Rayan Afraz while participating in a persistent campaign against the United States from at least 2016 until about April 2021.
“As alleged, Alireza Shafie Nasab participated in a cyber campaign using spear-phishing and other hacking techniques to infect more than 200,000 victim devices, many of which contained sensitive or classified defense information,” said U.S. Attorney Damian Williams for the Southern District of New York.
The spear-phishing campaigns were managed via a customized application that allowed Nasab and his co-conspirators to organize and launch their attacks.
In one case, the threat actors broke into an administrator email account belonging to an unnamed defense contractor, then used that access to create unauthorized accounts and send spear-phishing emails to employees of another defense contractor and of a consulting firm.
Beyond spear-phishing, the conspirators also impersonated other people, typically women, to gain victims' trust and deploy malware on their computers.
Nasab, while working for the front company, is alleged to have been responsible for procuring the infrastructure used in the campaign, using the stolen identity of a real person to register a server and email accounts.
He was charged with one count of conspiracy to commit computer fraud, one count of conspiracy to commit wire fraud, one count of wire fraud and one count of aggravated identity theft. If convicted on all counts, Nasab could face up to 47 years in prison.
Nasab remains at large, and the U.S. State Department has announced a reward of up to $10 million for information leading to his identification or location.
Mahak Rayan Afraz (MRA) was first reported by Meta in July 2021 as a Tehran-based company with ties to the Islamic Revolutionary Guard Corps (IRGC), the Iranian armed force tasked with defending the country's revolutionary regime.
The activity cluster, which also overlaps with Tortoiseshell, has previously been linked to elaborate social engineering campaigns, including posing as an aerobics instructor on Facebook in an attempt to infect the machine of an aerospace defense contractor employee with malware.
The development comes as German law enforcement announced the takedown of Crimemarket, a German-language illicit trading platform with more than 180,000 users that specialized in the sale of narcotics and weapons, money laundering, and other criminal services.
Six people were arrested in connection with the operation, including a 23-year-old considered the main suspect, while authorities also seized mobile phones, IT equipment, one kilogram of marijuana, ecstasy tablets and 600,000 euros in cash.