
2 Iranians Indicted for Lengthy Hacking Campaign

DOJ: Suspects Sold Data and Gave It to Iranian Government
Iran nationals Mehdi Farhadi (left) and Hooman Heidarian are wanted on federal hacking charges. (Source: FBI)

Two Iranian nationals have been charged with participating in a yearslong hacking campaign that targeted vulnerable networks in the U.S., Europe and the Middle East to steal "hundreds of terabytes" of data, the U.S. Department of Justice has announced.


Hooman Heidarian, 30, and Mehdi Farhadi, 34, both allegedly profited from the sale of stolen information. They also provided the Iranian government with information on dissidents, human rights activists and opposition leaders, prosecutors say.

The two defendants face charges that include conspiracy to commit fraud and related activity in connection with computers and access devices, unauthorized access to protected computers, unauthorized damage to protected computers, conspiracy to commit wire fraud, access device fraud and aggravated identity theft, according to the federal indictment unsealed this week.

The most serious of the charges - conspiracy to commit wire fraud - carries a maximum 20-year federal prison term, according to the Justice Department. The two men, who are wanted by the FBI, are believed to be living in Iran, so they may never face prosecution in the U.S.

Diverse Targets

Heidarian and Farhadi allegedly started their hacking campaign in 2013, targeting a wide range of organizations in the U.S. and other nations, according to the Justice Department.

They targeted several universities, a Washington-based think tank, a defense contractor, an aerospace company, a foreign policy organization, nongovernmental organizations and nonprofits, prosecutors say. The pair also allegedly hacked government agencies that they viewed as hostile to Iran.

The defendants allegedly stole confidential communications pertaining to national security, foreign policy intelligence, nonmilitary nuclear information, aerospace data, human rights activist information, personal financial information and intellectual property - including unpublished scientific research, the indictment notes.

Heidarian and Farhadi sold this data on underground forums or handed it over to the Iranian government, prosecutors allege. "The defendants' scheme was often politically motivated and sometimes at the behest of Iran," according to the 10-count indictment.

The two defendants also allegedly defaced and vandalized websites under the pseudonym "Sejeal," sometimes posting derogatory messages about Iran's perceived enemies, the indictment states.

Hacking Methods

Starting in 2013 or earlier, Heidarian and Farhadi began targeting organizations around the world, prosecutors say. They used publicly available data and open source intelligence to select victims and learn more about their areas of expertise, according to the indictment.

The two men allegedly used scanning tools to check for vulnerabilities in the networks they wanted to hack. Once they picked a target, Heidarian and Farhadi allegedly used various means to gain a foothold within a network, prosecutors say. For example, they used session hijacking to take over victims' devices and deployed SQL injection.

Once the two men gained access to a network, they deployed keyloggers to capture data from employees and then used remote access Trojans to persist in their efforts, according to the Justice Department. The two are also suspected of creating forwarding rules within victims' outboxes to steal copies of emails or help better map the day-to-day operations of an organization.
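The mailbox forwarding rules described above leave an audit trail that defenders can check. The following is an added example, not code from the article or the indictment: it scans constructed audit records (shaped like Exchange mailbox audit entries, an assumption) for rules or mailbox settings that forward mail outside the organization's own domain (assumed here to be example.org) or silently delete the original message.

```python
import json

ORG_DOMAIN = "example.org"   # assumed: the organization's own mail domain

# Parameters that send mail elsewhere (names follow Exchange cmdlet parameters)
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed sample audit log (JSON lines); domains and users are made up
SAMPLE_LOG = """
{"CreationTime":"2020-09-14T08:01:00","UserId":"alice@example.org","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"Team"},{"Name":"ForwardTo","Value":"bob@example.org"}]}
{"CreationTime":"2020-09-14T08:05:00","UserId":"carol@example.org","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"smtp:collector@mail-drop.invalid"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2020-09-14T08:09:00","UserId":"dave@example.org","Operation":"Set-Mailbox","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:dave.backup@mail-drop.invalid"}]}
{"CreationTime":"2020-09-14T08:12:00","UserId":"erin@example.org","Operation":"MailItemsAccessed","Parameters":[]}
"""

def _normalize(address):
    """Lowercase, trim, and drop an Exchange-style 'smtp:' prefix."""
    addr = address.strip().lower()
    return addr[5:] if addr.startswith("smtp:") else addr

def _is_external(addr):
    return "@" in addr and not addr.endswith("@" + ORG_DOMAIN)

def find_suspicious_forwarding(log_text):
    """One finding per rule or mailbox change that forwards outside ORG_DOMAIN
    or deletes the original message (hiding the forward from the mailbox owner)."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPS:
            continue
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        external = [n for k, v in params.items() if k in FORWARD_PARAMS
                    for n in map(_normalize, v.split(";")) if _is_external(n)]
        deletes = params.get("DeleteMessage", "False").lower() == "true"
        if external or deletes:
            findings.append({"time": rec["CreationTime"], "user": rec["UserId"],
                             "operation": rec["Operation"], "targets": external,
                             "deletes_original": deletes})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_forwarding(SAMPLE_LOG):
        print(finding)
```

Alice's internal forward is ignored; Carol's rule (external target plus DeleteMessage) and Dave's mailbox-level forward are reported.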

Heidarian and Farhadi sometimes would deploy a homemade botnet to infect vulnerable systems with malware, distributed denial-of-service attacks or spam, according to the indictment. The pair also allegedly marketed their abilities and techniques to others.

"After the theft of victim data, defendants shared, priced and marketed for sale clusters of data to customers, including Iran," according to the indictment. "Some of this information was related to Iran’s state-sponsored surveillance efforts of dissidents, human rights activists and opposition leaders."

Focus on Iran

Over this past week, the Justice Department and other U.S. government agencies released additional information about Iranian hacking activities.

On Tuesday, the Justice Department indicted Behzad Mohammadzadeh, of Iran, along with Marwan Abusrour, a stateless national of the Palestinian Authority, for defacing a number of U.S. websites following the death of Iranian Major General Qasem Soleimani earlier this year (see: 2 Alleged Hackers Indicted for Defacing US Websites).

Also on Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency warned that a hacking group called "Pioneer Kitten," which has suspected ties to the Iranian government, is taking advantage of several unpatched vulnerabilities and using open source tools to target U.S. businesses as well as federal government agencies (see: Iranian Hackers Exploiting Unpatched Vulnerabilities).

About the Author

Akshaya Asokan


Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
