The United States Department of the Treasury Office of Foreign Assets Control (OFAC) announced in a statement on Thursday that it has imposed sanctions on the Iranian regime’s cyber threat group Advanced Persistent Threat 39 (APT39), 45 associated individuals, and one front company.
“Masked behind its front company, Rana Intelligence Computing Company (Rana), the Government of Iran (GOI) employed a years-long malware campaign that targeted Iranian dissidents, journalists, and international companies in the travel sector. Concurrent with OFAC’s action, the U.S. Federal Bureau of Investigation (FBI) released detailed information about APT39 in a public intelligence alert,” read the Treasury’s statement.
“The Iranian regime uses its Intelligence Ministry as a tool to target innocent civilians and companies, and advance its destabilizing agenda around the world,” said Treasury Secretary Steven T. Mnuchin. “The United States is determined to counter offensive cyber campaigns designed to jeopardize security and inflict damage on the international travel sector.”
In a tweet on September 17, 2020, Steven Mnuchin (@stevenmnuchin1) wrote: “The U.S. remains committed to countering the Iranian regime’s malign agenda, including its use of illicit cyber intrusion tools to target and surveil Iranian dissidents and others. Today, @USTreasury took action: https://t.co/Tzu1626df3”
Welcoming the new sanctions, U.S. Secretary of State Mike Pompeo said in a tweet: “Today, the U.S. sanctioned 47 Iranian individuals and entities involved in the Iranian regime’s global cyber threat network. We will continue to expose Iran’s nefarious behavior and we will never relent in protecting our homeland and allies from Iranian hackers.”
According to the U.S. Treasury Department: “Rana advances Iranian national security objectives and the strategic goals of Iran’s Ministry of Intelligence and Security (MOIS) by conducting computer intrusions and malware campaigns against perceived adversaries, including foreign governments and other individuals the MOIS considers a threat. APT39 is being designated pursuant to E.O. 13553 for being owned or controlled by the MOIS, which was previously designated on February 16, 2012 pursuant to Executive Orders 13224, 13553, and 13572, which target terrorists and those responsible for human rights abuses in Iran and Syria, respectively.”
“The 45 designated individuals served in various capacities while employed at Rana, including as managers, programmers, and hacking experts. These individuals provided support for ongoing MOIS cyber intrusions targeting the networks of international businesses, institutions, air carriers, and other targets that the MOIS considered a threat,” read the statement.
“The FBI, through our Cyber Division, is committed to investigating and disrupting malicious cyber campaigns, and collaborating with our U.S. government partners to impose risks and consequences on our cyber adversaries. Today, the FBI is releasing indicators of compromise attributed to Iran’s MOIS to help computer security professionals everywhere protect their networks from the malign actions of this nation state,” said FBI Director Christopher Wray. “Iran’s MOIS, through their front company Rana, recruited highly educated people and turned their cyber talents into tools to exploit, harass, and repress their fellow citizens and others deemed a threat to the regime. We are proud to join our partners at the Department of Treasury in calling out these actions. The sanctions announced today hold these 45 individuals accountable for stealing data not just from dozens of networks here in the United States, but from networks in Iran’s neighboring countries and around the world,” he added.
“The MOIS, camouflaged as Rana, has played a key role in the GOI’s abuse and surveillance of its own citizens. Through Rana, on behalf of the MOIS, the cyber actors designated today used malicious cyber intrusion tools to target and monitor Iranian citizens, particularly dissidents, Iranian journalists, former government employees, environmentalists, refugees, university students and faculty, and employees at international nongovernmental organizations. Some of these individuals were subjected to arrest and physical and psychological intimidation by the MOIS. APT39 actors have also victimized Iranian private sector companies and Iranian academic institutions, including domestic and international Persian language and cultural centers. Rana has also targeted at least 15 countries in the Middle East and North Africa region,” the U.S. Treasury Department added in its statement.
As a result of Treasury’s action on Thursday, “All property and interests in property of the individuals and entities above, and of any entities that are owned, directly or indirectly, 50 percent or more by them, individually, or with other blocked persons, that are in the United States or in the possession or control of U.S. persons, are blocked and must be reported to OFAC. Unless authorized by a general or specific license issued by OFAC or otherwise exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons. The prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person or the receipt of any contribution or provision of funds, goods or services from any such person.”