{
	"id": "db4b7113-8732-4f3d-affb-009e86b5e709",
	"created_at": "2026-04-06T00:15:45.824342Z",
	"updated_at": "2026-04-10T13:11:28.114048Z",
	"deleted_at": null,
	"sha1_hash": "e3e6b161782f7fe52fb69c9a1d81694d26303f8a",
	"title": "Department of Justice and Partner Departments and Agencies Conduct Coordinated Actions to Disrupt and Deter Iranian Malicious Cyber Activities Targeting the United States and the Broader International Community",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40780,
	"plain_text": "Department of Justice and Partner Departments and Agencies\r\nConduct Coordinated Actions to Disrupt and Deter Iranian\r\nMalicious Cyber Activities Targeting the United States and the\r\nBroader International Community\r\nPublished: 2020-09-17 · Archived: 2026-04-02 12:24:20 UTC\r\nStarting on Sept. 14, 2020 and continuing through today, the Department of Justice, the Federal Bureau of\r\nInvestigation, the Department of Homeland Security, and the Department of the Treasury have engaged in a\r\ncoordinated effort to disrupt and deter malicious cyber activities by actors associated with the Islamic Republic of\r\nIran’s (Iran) Ministry of Intelligence and Security (MOIS) and Islamic Revolutionary Guard Corps (IRGC), as\r\nwell as other Iran-based individuals.  These malicious cyber actors targeted victims in Australia, Europe, the\r\nMiddle East, Southeast Asia, and the United States. \r\n“This week’s unsealing of indictments and other disruptive actions serves as another reminder of the breadth and\r\ndepth of Iranian malicious cyber activities targeting not only the United States, but countries all over the world,”\r\nsaid Assistant Attorney General for National Security John C. Demers.  “Whether directing such hacking\r\nactivities, or by offering a safe haven for Iranian criminal hackers, Iran is complicit in the targeting of innocent\r\nvictims worldwide and is deepening its status as a rogue state.  By contrast, the Department of Justice and its U.S.\r\ngovernment partners stand with such victims, regardless of their location, and we will continue our cooperative\r\nefforts domestically and internationally to disrupt Iranian hacking activities.”\r\n“The FBI is using its unique partnerships and world-class capabilities to hold Iranian cyber actors publicly\r\naccountable for their actions,” said Executive Assistant Director Terry Wade of the FBI's Criminal, Cyber,\r\nResponse, and Services Branch. 
“Those malicious activities, as once again outlined this week, highlight Iran’s\r\npersistent use of cyber methods to harm the citizens of the United States and its allies. No cyber actor should think\r\nthey can compromise U.S. networks, steal our intellectual property, or hold our critical infrastructure at risk\r\nwithout incurring risk themselves. The FBI will continue to work with our partners to protect U.S. interests and to\r\nimpose consequences on those cyber actors working on behalf of the Government of Iran in furtherance of their\r\nnefarious goals.”\r\nOn Sept. 14, 2020, the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security\r\nAgency jointly published a Cybersecurity Advisory regarding tactics, techniques, and procedures (TTPs) of an\r\nIran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks.\r\nOn Sept. 15, 2020, in the District of Massachusetts, the Department announced the unsealing of a three-count\r\nindictment charging two hackers in relation to their intrusions into, and defacements of, websites hosted in the\r\nUnited States.  The hackers, Behzad Mohammadzadeh, aka “Mrb3hz4d,” a citizen and resident of Iran, and\r\nMarwan Abusrour, aka “Mrwn007,” a stateless national under the jurisdiction of the Palestinian Authority,\r\nconspired to and subsequently damaged computers in perceived retaliation for the January 2, 2020 U.S. military\r\nstrike that killed Qasem Soleimani, the head of the IRGC-Quds Force, a U.S.-designated Foreign Terrorist\r\nOrganization.  These defacements were a subset of the over 1,400 defacements around the world for which the\r\ndefendants claimed responsibility between in or around June 2016 and July 2020.\r\nOn Sept. 
16, 2020, in the District of New Jersey, the Department announced the unsealing of a 10-count\r\nindictment charging two hackers, who sometimes operated under the pseudonym “Sejeal,” in relation to\r\ncoordinated cyber intrusions and hacking campaigns targeting computer systems in Europe, the Middle East, and\r\nthe United States.  The defendants, Hooman Heidarian, aka “neo,” and Medhi Farhadi, aka “Mehdi Mahdavi,”\r\nboth Iranian nationals residing in Iran, stole hundreds of terabytes of data, which typically included confidential\r\ncommunications pertaining to national security, foreign policy intelligence, non-military nuclear information,\r\naerospace data, human rights activist information, victim financial information and personally identifiable\r\ninformation, and intellectual property, including unpublished scientific research.  In some instances, the\r\ndefendants’ hacks were politically motivated or at the behest of the government of Iran, including instances where\r\nthey obtained information regarding dissidents, human rights activists, and opposition leaders.  In other instances,\r\nthe defendants sold the hacked data and information on the black market for private financial gain.\r\nOn Sept. 17, 2020, in the Eastern District of Virginia, the Department announced the unsealing of a nine-count\r\nindictment charging three hackers in relation to an approximately four-year campaign to steal and attempt to steal\r\ncritical information related to aerospace and satellite technology and resources, including sensitive commercial\r\ninformation, intellectual property, and personal data.  The defendants, Said Pourkarim Arabi, Mohammad Reza\r\nEspargham, and Mohammad Bayati, all Iranian nationals residing in Iran, conducted their activity at the direction\r\nof the IRGC, of which Arabi was a member.  
The defendants primarily accomplished their intrusions through\r\nsocially engineered spearphishing campaigns, using at least one target list of over 1,800 individuals in Australia,\r\nIsrael, Singapore, the United States, and the United Kingdom.  Upon successfully enticing a victim to click on a\r\nlink in such a spearphishing e-mail, a member of the conspiracy would deploy malware that allowed the\r\nconspirators to gain access credentials, escalate their privileges, maintain their unauthorized access to victim\r\nnetworks, and ultimately steal the sought-after data.  To accompany the unsealing of this indictment, and to aid\r\npotential targets in the identification of malicious activity, the FBI released a Private Industry Notification (PIN)\r\nthat identified the conspiracy’s TTPs and indicators of compromise.\r\nAlso on Sept. 17, 2020, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed\r\nsanctions against 45 individuals and one front company associated with the MOIS who comprised the cyber threat\r\ngroup known publicly as “Advanced Persistent Threat 39” (APT39), “Chafer,” “Remexi,” “Cadelspy,” or\r\n“ITG07.”   According to OFAC, masked behind its front company, Rana Intelligence Computing Company\r\n(Rana), the MOIS employed a years-long malware campaign that targeted Iran’s own citizens, the government\r\nnetworks of Iran’s neighboring countries, and U.S.-based travel services companies. Concurrent with OFAC’s\r\naction, and following a long-term FBI investigation, the FBI released technical indicators about Rana’s malware in\r\nan FBI FLASH alert.  
This alert provides information to assist organizations and individuals in determining\r\nwhether they were targeted by Rana.\r\nThe above disruptive actions targeting Iranian malicious cyber activities were the result of investigations\r\nconducted by the FBI’s Boston, Newark, and Washington Field Offices and Cyber Division, the United States\r\nAttorney’s Offices for the Eastern District of Virginia, District of Massachusetts, and District of New Jersey, and\r\nthe National Security Division’s Counterintelligence and Export Control Section.  Several of the disruptive actions\r\nwere the result of the close partnership between these Department of Justice components and the Department of\r\nHomeland Security’s Cybersecurity and Infrastructure Security Agency and Department of the Treasury’s OFAC,\r\nand coordination through the National Cyber Investigative Joint Task Force.\r\nThe details contained in the above-described charging document are allegations.  The defendants are presumed\r\ninnocent until proven guilty beyond a reasonable doubt in a court of law.\r\nSource: https://www.justice.gov/opa/pr/department-justice-and-partner-departments-and-agencies-conduct-coordinated-actions-disrupt",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.justice.gov/opa/pr/department-justice-and-partner-departments-and-agencies-conduct-coordinated-actions-disrupt"
	],
	"report_names": [
		"department-justice-and-partner-departments-and-agencies-conduct-coordinated-actions-disrupt"
	],
	"threat_actors": [
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39",
				"Burgundy Sandstorm",
				"Chafer",
				"ITG07",
				"Remix Kitten"
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bee22874-f90e-410b-93f3-a2f9b1c2e695",
			"created_at": "2022-10-25T16:07:23.45097Z",
			"updated_at": "2026-04-10T02:00:04.610108Z",
			"deleted_at": null,
			"main_name": "Chafer",
			"aliases": [
				"APT 39",
				"Burgundy Sandstorm",
				"Cobalt Hickman",
				"G0087",
				"ITG07",
				"Radio Serpens",
				"Remix Kitten",
				"TA454"
			],
			"source_name": "ETDA:Chafer",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Antak",
				"CACHEMONEY",
				"EternalBlue",
				"HTTPTunnel",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MechaFlounder",
				"Metasploit",
				"Mimikatz",
				"NBTscan",
				"NSSM",
				"Non-sucking Service Manager",
				"POWBAT",
				"Plink",
				"PuTTY Link",
				"Rana",
				"Remcom",
				"Remexi",
				"RemoteCommandExecution",
				"SafetyKatz",
				"UltraVNC",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"nbtscan",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1b3a247f-6186-4482-8b92-c3fb2d767c7d",
			"created_at": "2023-01-06T13:46:38.883911Z",
			"updated_at": "2026-04-10T02:00:03.132231Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"COBALT HICKMAN",
				"G0087",
				"Radio Serpens",
				"TA454",
				"ITG07",
				"Burgundy Sandstorm",
				"REMIX KITTEN"
			],
			"source_name": "MISPGALAXY:APT39",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b6155e4-94ec-4909-b908-550afe758ad6",
			"created_at": "2022-10-25T15:50:23.365074Z",
			"updated_at": "2026-04-10T02:00:05.2978Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"APT39",
				"ITG07",
				"Remix Kitten"
			],
			"source_name": "MITRE:APT39",
			"tools": [
				"NBTscan",
				"MechaFlounder",
				"Remexi",
				"CrackMapExec",
				"pwdump",
				"Mimikatz",
				"Windows Credential Editor",
				"Cadelspy",
				"PsExec",
				"ASPXSpy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434545,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3e6b161782f7fe52fb69c9a1d81694d26303f8a.pdf",
		"text": "https://archive.orkl.eu/e3e6b161782f7fe52fb69c9a1d81694d26303f8a.txt",
		"img": "https://archive.orkl.eu/e3e6b161782f7fe52fb69c9a1d81694d26303f8a.jpg"
	}
}