NEW JERSEY
Two Iranian nationals have been charged in connection with a coordinated cyber intrusion campaign – sometimes at the behest of the government of the Islamic Republic of Iran.
They targeted computers in New Jersey, elsewhere in the United States, Europe and the Middle East, the Department of Justice announced today.
According to a 10-count indictment returned on Sept. 15, 2020, Hooman Heidarian, a/k/a “neo,” 30, and Mehdi Farhadi, a/k/a “Mehdi Mahdavi” and “Mohammad Mehdi Farhadi Ramin,” 34, both of Hamedan, Iran, stole hundreds of terabytes of data.
This data typically included confidential communications pertaining to national security, foreign policy intelligence, non-military nuclear information, aerospace data, human rights activist information, victim financial information, personally identifiable information, and intellectual property, including unpublished scientific research.
In some instances, the defendants’ hacks were politically motivated or at the behest of Iran, including instances where they obtained information regarding dissidents, human rights activists, and opposition leaders.
In other instances, the defendants sold the hacked data and information on the black market for private financial gain.
“These Iranian nationals allegedly conducted a wide-ranging campaign on computers here in New Jersey and around the world,” said U.S. Attorney Carpenito for the District of New Jersey. “They brazenly infiltrated computer systems and targeted intellectual property and often sought to intimidate perceived enemies of Iran, including dissidents fighting for human rights in Iran and around the world. This conduct threatens our national security, and as a result, these defendants are wanted by the FBI and are considered fugitives from justice.”
According to the indictment:
Beginning in at least 2013, the defendants were responsible for a coordinated campaign of cyber intrusions into computer systems in New Jersey and around the world.
The victims included several American and foreign universities, a Washington, D.C.-based think tank, a defense contractor, an aerospace company, a foreign policy organization, non-governmental organizations (NGOs), non-profits, and foreign government and other entities the defendants identified as rivals or adversaries to Iran.
In addition to the theft of highly protected and sensitive data, the defendants also vandalized websites, often under the pseudonym “Sejeal,” and posted messages that appeared to signal the demise of Iran’s internal opposition, foreign adversaries, and countries identified as rivals to Iran, including Israel and Saudi Arabia.
To select their victims, the defendants conducted online reconnaissance, including gathering public data and intelligence to determine a victim’s areas of expertise, and using vulnerability scanning tools and other means to assess computer networks.
The defendants gained and maintained unauthorized access to victim networks using various tools, including session hijacking, where a valid computer session was exploited to gain unauthorized access to information or services in a computer system; SQL injection, in which they used malicious code to access information that was not intended to be displayed, such as sensitive government data, user details, and personal identifiers; and malicious program installations, which allowed the defendants to maintain unauthorized access to computers.
The defendants then used key-loggers and “remote access Trojans” to maintain access and monitor the actions of users of the victim networks.
They also developed a botnet tool, which facilitated the spread of malware, denial of service attacks, and spamming to victim networks.
In some instances, the defendants used their unauthorized access to victim networks or accounts to establish automated forwarding rules for compromised victim accounts, whereby new outgoing and incoming emails were automatically forwarded from the compromised accounts to accounts controlled by the defendants.
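The forwarding-rule technique described in the indictment is one that mailbox administrators can audit for directly. The following added example (not part of the Department of Justice release) shows a defender-side check that flags enabled mailbox rules forwarding or redirecting mail to addresses outside the organization's own domains; the rule record shape and the sample rules are constructed for illustration and would be mapped from whatever a given mail platform exports.

```python
"""Audit mailbox rules for auto-forwarding to external addresses.

The MailboxRule shape below is a constructed, provider-neutral record;
map your mail platform's rule export onto it before running the check.
"""
from dataclasses import dataclass, field
from typing import Iterable


@dataclass
class MailboxRule:
    mailbox: str                                     # owner of the rule
    name: str                                        # rule display name
    forward_to: list = field(default_factory=list)   # forward/redirect targets
    enabled: bool = True


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def _is_internal(address: str, internal_domains: set) -> bool:
    """Treat the organization's domains and their subdomains as internal."""
    dom = _domain(address)
    return any(dom == d or dom.endswith("." + d) for d in internal_domains)


def find_external_forwarding(rules: Iterable[MailboxRule],
                             internal_domains: set) -> list:
    """Return findings for enabled rules that forward mail outside the org."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue
        external = sorted(a for a in rule.forward_to
                          if not _is_internal(a, internal))
        if external:
            findings.append({"mailbox": rule.mailbox,
                             "rule": rule.name,
                             "targets": external})
    return findings


# Constructed sample: three rules, one of which forwards to an outside mailbox.
SAMPLE_RULES = [
    MailboxRule("alice@example.org", "Move newsletters"),
    MailboxRule("bob@example.org", ".", forward_to=["collector@example.net"]),
    MailboxRule("carol@example.org", "Copy to assistant",
                forward_to=["dan@mail.example.org"]),
]

if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_RULES, {"example.org"}):
        print(f"{f['mailbox']}: rule {f['rule']!r} forwards to {f['targets']}")
```

A rule with a near-empty name such as "." forwarding to an unfamiliar domain is the kind of result worth reviewing with the mailbox owner before the rule is removed.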
Defendants are presumed innocent unless proven guilty.