Three Iranian citizens have been charged in the United States in an international ransomware conspiracy to defraud hundreds of corporate and government victims across the world, federal prosecutors in New Jersey said as they unsealed the indictment Wednesday. The victims included a Union County township and a Morris County firm.
Prosecutors said the hackers encrypted and stole data from victims' networks and threatened to release it unless exorbitant ransom payments were made. In some cases, the victims made those payments, the department said.
According to the indictment, the defendants -- Mansour Ahmadi (also known as Mansur Ahmadi), Ahmad Khatibi Aghda (Ahmad Khatibi) and Amir Hossein Nickaein Ravari (Amir Hossein Nikaeen, Amir Hossein Nickaein) -- and their conspirators allegedly targeted a Union County township in February 2021, exploiting known vulnerabilities to control its network and data. They used a hacking tool to make their remote access permanent, the indictment alleges.
About a year later, prosecutors say, the defendants hit a Morris County-based accounting firm, again exploiting a known vulnerability to get access and using a hacking tool to establish a connection and steal data. This past March, they launched an encryption attack against the same firm, the indictment says. After denying the firm access to some of its systems, Khatibi allegedly demanded $50,000 in cryptocurrency and threatened to sell the data on the black market.
"I want the people of New Jersey, and across the country, to know that the FBI is working tirelessly every day to protect you from people and things you may never see," FBI Special Agent in Charge of the Newark Division James Dennehy said in a statement. "This coordinated, global effort amongst law enforcement and the intelligence community should send a clear message to those actors who think they can’t be found in cyberspace: the days of hiding behind a keyboard and perpetrating crimes against the American people without consequence are waning, and we will bring the full force of the American Justice system to disrupt your criminal behavior."
The trio also allegedly compromised, and often encrypted and extorted, hundreds of other victims, including an accounting firm based in Illinois; a regional electric utility company based in Mississippi; a regional electric utility company based in Indiana; a public housing corporation in the State of Washington; a shelter for victims of domestic violence in Pennsylvania; a county government in Wyoming; a construction company located in the State of Washington that was engaged in critical infrastructure project work; and a state bar association, according to prosecutors.
The hackers are not believed to have been working on behalf of the Iranian government but instead for their own financial gain, and some of the victims were even in Iran, officials said. But the activity exists because hackers are permitted by the Iranian government to largely operate with impunity.
The three accused hackers are thought to be in Iran and have not been arrested, but the Justice Department says the charges make it "functionally impossible" for them to leave the country.
"Ransom-related cyberattacks — like what happened here — are a particularly destructive form of cybercrime," U.S. Attorney for the District of New Jersey Philip Sellinger said in a statement. "No form of cyber-attack is acceptable, but ransomware attacks that target critical infrastructure services, such as health care facilities and government agencies, are a threat to our national security. Hackers like these defendants go to great lengths to keep their identities secret, but there is always a digital trail. And we will find it."
Ahmadi, 34, Khatibi, 45, and Nickaein are each charged by indictment with one count of conspiring to commit computer fraud and related activity in connection with computers; one count of intentionally damaging a protected computer; and one count of transmitting a demand in relation to damaging a protected computer.
Ahmadi is also charged with one additional count of intentionally damaging a protected computer.
The conspiracy and transmission of ransom demand charges each carry maximum sentences of five years in prison, while the intentional damage to protected computers charge carries a maximum sentence of 10 years. The offenses also carry a maximum fine of $250,000 or twice the gross amount of gain or loss resulting from the offenses, whichever is greatest, according to federal prosecutors.