The Department of the Treasury announced economic sanctions Friday on an Iranian government intelligence agency and its head for engaging in cyberattacks against the United States and other countries.
The Office of Foreign Assets Control said that since at least 2007, the Iranian Ministry of Intelligence and Security and hackers working as its proxies have targeted governments, private businesses and critical infrastructure entities around the world with malicious cyber operations, including ransomware and cyberespionage campaigns, to advance Iranian political goals.
The sanctions apply to the ministry as well as Minister of Intelligence Esmail Khatib. The designation freezes any assets the ministry or Esmail may have within U.S. jurisdiction and prohibits U.S. persons or companies from doing business with them. Iran and its government are already subject to multiple sanctions that would prevent or impede them from financial transactions with U.S. entities.
The notice also makes reference to the July 2022 hacking of Albanian government computer systems, which private U.S. threat intelligence companies like Mandiant identified over the summer as a likely Iranian-directed campaign. This week, the Albanian government severed diplomatic ties with Iran in retaliation.
In a statement, Brian E. Nelson, under secretary of the treasury for terrorism and financial intelligence, backed up those assertions and accused Tehran of violating international cyber norms.
“Iran’s cyberattack against Albania disregards norms of responsible peacetime state behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public,” Nelson said. “We will not tolerate Iran’s increasingly aggressive cyber activities targeting the United States or our allies and partners.”
One of the proxies accused of working on Iran’s behalf is the group known as MuddyWater, which has targeted networks in the U.S., Middle East and Europe for cyberespionage campaigns. Last year, the U.S., UK and Australian governments put out a joint alert that accused the group of exploiting multiple, high-impact vulnerabilities in order to deploy BitLocker ransomware and conduct other post-exploitation activities against critical infrastructure.
John Hultquist, vice president of intelligence at Mandiant, said the Iranian Ministry of Intelligence and Security conducts cyber espionage and "disruptive" ransomware attacks in tandem with the Iranian Revolutionary Guard Corps. In past operations, they have also targeted Mujahedin-e-Khalq, an anti-Iranian regime group that was referenced in ransom messages on Albanian government computers. Mandiant has linked the ministry to at least two other advanced persistent threat groups, APT34 and APT39.
“They are largely focused on classic espionage targets such as governments and dissidents, and they have been found targeting upstream sources of intelligence like telecommunications firms and companies with potentially valuable PII. Furthermore, they have a history of targeting the MeK, the group at the center of the Albanian incident," Hultquist said in a statement. "These actors have also been involved in ransomware incidents that may have been ultimately designed for disruptive purposes rather than financial gain. Those operations were a template for the Albania attack."
It's the second set of U.S. sanctions placed on Iranian entities this week. On Sept. 8, Treasury also levied sanctions on the Tehran-based Safiran Airport Services and three Iranian drone-makers for shipping unmanned aerial vehicles to Russia for its war against Ukraine.
“We will also use all available tools, including sanctions, to prevent, deter, and dismantle the procurement networks that supply UAV-related material and technology to Iran, as well as the Iranian entities that engage in such proliferation,” said Secretary of State Antony Blinken. “We also warn any third country that seeks to purchase these drones from Iran that doing so implicates multiple U.S. sanction authorities.”