The U.S. Justice Department unsealed a criminal indictment on Wednesday accusing three Iranian nationals of hacking the networks of hundreds of victims in the United States and around the world in what officials described as a "ransomware-style" cyber campaign.
Although the indictment does not allege the hackers acted on behalf of the Iranian government, U.S. law enforcement agencies released a joint advisory warning about "continued malicious cyber activity" by actors affiliated with Iran's Islamic Revolutionary Guard Corps, while the Treasury Department blacklisted bitcoin addresses tied to two of the defendants.
The cybersecurity advisory was issued jointly by U.S., Australian, British and Canadian law enforcement agencies.
In a video statement, FBI Director Christopher Wray said the advisory underscored the "broader threat" posed by Iranian cyber actors.
"To these sorts of actors, nothing is off limits, not even, for example, Boston Children's Hospital, which they set their sights on in the summer of 2021," Wray said in a video statement.
The three Iranian nationals — identified as Mansour Ahmadi, Ahmad Khatibi Aghda and Amir Hossein Nickaein Ravari — are accused of carrying out "computer intrusions and ransomware-style extortion" between October 2020 and August 2022, according to a 30-page indictment unsealed Wednesday.
The men remain at large and are believed to be in Iran, according to U.S. law enforcement officials.
The State Department's Rewards for Justice Program announced a reward of up to $10 million for information about the three.
Although the charging document does not accuse the Iranian government of sponsoring their activity, the Treasury Department said in a statement that all three defendants were affiliated with the IRGC, a branch of the Iranian military that operates a number of cyber threat actors tracked by the FBI.
"These IRGC-affiliated actors are actively targeting a broad range of entities across multiple U.S. critical infrastructure sectors, as well as organizations in Australia, Canada and the United Kingdom," a senior FBI official said during a background call with reporters, speaking on condition of anonymity.
This is not the first time Iranian hackers have been charged in a broad cybercrime conspiracy. But the indictment comes as the Biden administration has mounted a whole-of-government effort over the past year to combat what is widely seen as a growing threat to U.S. national security: cybercriminals targeting critical infrastructure and services in what are known as "ransomware attacks."
In a ransomware attack, cybercriminals encrypt a victim's computer files and then demand payments in cryptocurrency in exchange for decrypting them.
U.S. law enforcement officials described the Iranian campaign of hacking and extortion as a "ransom-related cyberattack."
Among the victims were a New Jersey township, two accounting firms, two power companies, a housing authority in Washington state and a domestic violence shelter in Pennsylvania.
Wray said many of the victims of the hacking campaign "offer critical services we all rely on every day."
"I'm talking about health care facilities, power companies, local governments in communities across the United States and around the globe," he said.
In some cases, the hackers demanded hundreds of thousands of dollars in payment, a Justice Department official said. Some victims made ransom payments. The domestic violence shelter paid $13,000 to restore access to its systems and data, according to the indictment.
Law enforcement officials said the victims were "targets of opportunity," identified because of vulnerabilities in their computer systems.
In addition to targeting victims in the U.S., the hackers targeted companies and organizations in the United Kingdom, Iran, Israel and Russia.
"No form of cyberattack is acceptable, but ransomware attacks that target critical infrastructure services, such as health care facilities and government agencies, are a threat to our national security," said U.S. Attorney Philip R. Sellinger for the District of New Jersey.