The feds have moved to sanction the Iranian government for its cybercrime activities, which they allege have been carried out in systematic fashion against US targets via a range of advanced persistent threat (APT) groups.
US Department of the Treasury's Office of Foreign Assets Control (OFAC) is specifically designating Iran's Ministry of Intelligence and Security (MOIS) for "engaging in cyber-enabled activities against the United States and its allies," since at least 2007.
The sanctions mean that US citizens and visitors to the US are prohibited from doing business or carrying out any transactions involving funds, goods, or services with the designated entities or their proxies.
Albanian Cyberattack Sparks US Action
The Treasury Department cited a recent cyberattack in July that disrupted the Albanian government as emblematic of Iran's tactics; that incident resulted in the leaking of documents purported to be from the Albanian government and personal information associated with Albanian residents.
"Iran's cyberattack against Albania disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public," Brian Nelson, undersecretary of the treasury for terrorism and financial intelligence, said in a statement on Friday. "We will not tolerate Iran’s increasingly aggressive cyber-activities targeting the United States or our allies and partners."
John Hultquist, vice president at Mandiant Intelligence, notes that Iran has a history of targeting the MeK, the group at the center of the Albanian incident. "These actors have also been involved in ransomware incidents that may have been ultimately designed for disruptive purposes rather than financial gain," he says. "Those operations were a template for the Albania attack."
Calling Out MuddyWater & APT34
The sanctions also extend to Minister of Intelligence Esmail Khatib, who the Treasury Department said is responsible for directing APT groups from within MOIS. The Friday announcement specifically mentions his weapon as including the MuddyWater APT (aka OilRig or APT34, specializing in espionage on rival governments) and APT39 (aka Chafer, which the US says supports Iran's human rights abuses).
“MOIS carries out cyber-espionage and disruptive ransomware attacks on behalf of the Iranian government in parallel with the other Iranian security service, the IRGC," says Hultquist, who notes that Mandiant has previously linked both APTs to Tehran. "They are largely focused on classic espionage targets such as governments and dissidents, and they have been found targeting upstream sources of intelligence like telecommunications firms and companies with potentially valuable personally identifiable information (PII)."