3 Months for the Cybercrime Books
From July through September, US law enforcement handed down major indictments or sanctions against foreign threat groups at least six times.
October 2, 2020
In a somewhat unusual flurry of activity this summer, the US government indicted or sanctioned multiple cyber threat actors and groups thought to be working on behalf of foreign governments.
In announcing charges, US officials rarely minced words, describing the countries from which the individuals and groups were operating as sponsors of cyber-enabled crime and espionage. A majority of the legal actions involved threat groups and actors working out of, and allegedly on behalf of, Iran and China, two countries at loggerheads with the US on various geopolitical issues. Two other countries that the US has openly accused of sponsoring cybercrime and espionage are Russia and North Korea.
In the past, such indictments and sanctions have done little to slow down the activity of cybercriminals operating with impunity in countries with no extradition agreements with the US or hostile to US interests. Even so, by naming and charging individual operatives and groups within these countries, US law enforcement is demonstrating its ability to attribute attacks, says Austin Berglas, global head of professional services at BlueVoyant.
"The US Department of Justice, law enforcement, and intelligence community are no doubt under a lot of pressure to 'do something' about the constant barrage of cyberattacks from our foreign adversaries," says Berglas, former head of cyber for the FBI in NYC.
The practice of obtaining "name and shame" indictments, where individuals are charged even though there's only a very slim chance of them ever being brought to justice, is nothing new, he says.
"The intent behind these efforts is for the US to showcase their very powerful capability to identify the actual human being behind the keyboard, and not just attributing an attack to a certain nation-state," Berglas says.
But in order for these charges and announcements to serve as significant deterrents, it is imperative the US supports these indictments with whatever political or economic sanctions or penalties are deemed appropriate, he adds.
The following are six indictments or sanctions the US government announced this summer against foreign-based cyberattackers and groups.
In mid-September the DoJ unsealed indictments against five members of APT41, a China-based threat actor associated with a long string of attacks on organizations in multiple industries around the world. The indictments charged the five individuals with stealing or attempting to steal trade secrets, IP, and other sensitive data from telecommunications firms, computer hardware makers, software developers, video game companies, and other firms.
Three of the individuals were charged with various cybercrime activities they carried out via a company they operated in China named Chengdu 404 Network Technology. The other two indicted APT41 members were charged with collaborating with a pair of Malaysian businessmen on a scheme to defraud video game companies.
Security researchers consider APT41, which is also tracked as Winnti, Barium, Wicked Panda, and Wicked Spider, one of the most active -- and dangerous -- APT groups currently operating. Security vendor FireEye and others have described the group as conducting cybercrime for its own benefit while carrying out cyber espionage on behalf of China's military intelligence services.
The DoJ identified the five alleged APT41 members as Tan Dailin, 35, Qian Chuan, 39, Zhang Haoran, 35, Jiang Lizhi, 35, and Fu Qiang, 37.
In mid-September the US government announced charges against three Iranian nationals for their alleged involvement in the theft of sensitive data from satellite tracking and aerospace companies.
Mohammad Reza Espargham, 25, Said Pourkarim Arabi, 34, and Mohammad Bayati, 34, are alleged to have used malware and social engineering to steal credentials belonging to targeted individuals working for such companies in the US and other countries. They are accused of then using the stolen credentials to access protected systems without authorization and steal intellectual property, sensitive commercial information, and personal data from the compromised systems. Victims of the trio included a satellite voice and data communication firm and a satellite tracking company.
Indictment papers charged the three individuals with conducting cyber espionage on behalf of Iran's Islamic Revolutionary Guard Corps -- an outfit the US government has designated as a terrorist organization.
The same week that indictments were handed down against Espargham, Pourkarim Arabi, and Bayati, the US took legal action against two more individuals for alleged cybercrimes. On Sept. 15, the DoJ announced charges against Behzad Mohammadzadeh, 19, of Iran, and Marwan Abusrour, 25, of the Palestinian Authority, for defacing US websites in retaliation for the US killing of Qasem Soleimani, head of the Islamic Revolutionary Guard Corps-Quds Force.
In July, two Chinese nationals, allegedly working both for their own profit and for China's Ministry of State Security (MSS), were charged with attempting to steal IP and trade secrets, including COVID-19 research, from organizations around the world. In an 11-count indictment, the DoJ accused Li Xiaoyu, 34, and Dong Jiazhi, 33, of breaking into systems at hundreds of companies, government and nongovernment organizations, individual human rights activists, dissidents, and clergy.
The two are accused of conducting a hacking campaign that has been going on for at least 10 years. According to the DoJ, the two individuals have been targeting organizations in multiple industries, including high-tech manufacturing, industrial engineering, solar energy, defense, and pharmaceuticals. Their victims have included companies in the US, Germany, Japan, the Netherlands, South Korea, and Sweden.
In announcing the indictments, the DoJ accused China's government of not only condoning but actively supporting cyber-enabled theft as part of a campaign to rob, replicate, and replace technology developed by other companies.
One DoJ official described China as belonging to a small group of nations that include Russia and Iran in actively harboring cybercriminals in exchange for them working for the government.
On Sept. 17 the US Treasury Department announced sanctions against Iranian threat group APT39 and 45 members allegedly associated with the outfit. Also named in the action was Rana Intelligence Computing Company, an operation the US government has accused of serving as a front for the government of Iran's clandestine cyber operations.
According to the Treasury Department, Iran's Ministry of Intelligence and Security (MOIS) used APT39/Rana to spy on and steal data from hundreds of individuals across 30 countries that were perceived as threats to Tehran's interests. It described the 45 cyber actors as having materially assisted or sponsored the MOIS in carrying out cyber spying activity against the targeted individuals worldwide.
The 45 individuals served in various capacities at Rana, including as hacking experts, programmers, and operations managers. They helped Iran's MOIS target networks of international businesses, air carriers, and other institutions that the government perceived as hostile to Iran's national interests, the Treasury Department said. APT39 actors also allegedly targeted domestic private-sector companies, academic institutions, and cultural centers.
In announcing the sanctions, the Treasury Department, in collaboration with the FBI, released indicators of compromise and details on eight different malware sets that the MOIS allegedly used in its campaigns using APT39/Rana as a front.
On Sept. 10 the Treasury Department's Office of Foreign Assets Control announced sanctions against four Russia-linked individuals for allegedly attempting to interfere in the 2020 US presidential election.
One of them was Andrii Derkach, a member of the Ukrainian Parliament, who Treasury officials described as waging a "covert influence campaign centered on cultivating false and unsubstantiated narratives concerning U.S. officials in the upcoming 2020 Presidential Election."
From late 2019 through mid-2020, Derkach's disinformation campaigns spurred corruption investigations in the US and Ukraine and were designed to undermine the 2020 US general elections, the Treasury Department said. Between May and July 2020, he is alleged to have released doctored audio tapes and other material designed to discredit US political figures and officials. The Treasury Department described Derkach as an active Russian agent with close connections to the country's intelligence services.
In addition to Derkach, the Treasury Department also sanctioned Russian nationals Artem Lifshits, Anton Andreyev, and Darya Aslanova for their roles as employees of the Internet Research Agency (IRA), the Russian troll farm the US government has previously sanctioned. The DoJ also filed a criminal complaint against Lifshits for allegedly using stolen identities of US individuals to create fraudulent banking and cryptocurrency accounts.
Among the several indictments the DoJ handed down in September against hackers from other countries was one that charged Hooman Heidarian, 30, and Mehdi Farhadi, 34, of Iran with computer hacking, aggravated ID theft, and fraud. In a 10-count indictment Sept. 16, the US accused Heidarian and Farhadi of breaking into systems belonging to various universities, commercial entities, and government and nongovernment organizations and stealing highly protected and sensitive data from them.
Beginning at least in 2013, the two individuals are alleged to have stolen data pertaining to foreign policy intelligence, nonmilitary nuclear data, aerospace data, and data on human rights activists and others perceived as hostile to the Iranian government. The hundreds of terabytes of data they allegedly stole included personal identity information such as Social Security numbers, names, addresses, phone numbers, and online access credentials. Victims included a Washington, DC-based think tank, an aerospace company, and a defense contractor.
In addition, Heidarian and Farhadi also defaced websites of targeted organizations and replaced original content on these websites with ideological and political content designed to project Iranian influence and threaten perceived enemies of the state. The messages often featured images of burning Israeli flags and death threats directed at citizens of the US and Israel.