US indicts Iranian man in cyber-espionage campaign against defense contractors
The U.S. Department of Justice has unsealed an indictment of an Iranian man allegedly instrumental in carrying out a cyber-espionage campaign against Defense Department contractors and the Treasury and State departments.
Alireza Shafie Nasab, 39, was allegedly involved in a hacking operation from 2016 until April 2021 that targeted more than a dozen companies, many of which were cleared defense contractors.
The breach of one New York accounting firm resulted in the infection of more than 200,000 devices, the DOJ said.
“While purporting to work as a cybersecurity specialist for Iran-based clients, Mr. Nasab allegedly participated in a persistent campaign to compromise U.S. private sector and government computer systems,” Assistant Attorney General Matthew Olsen said in a release. “Today’s charges highlight Iran’s corrupt cyber ecosystem, in which criminals are given free rein to target computer systems abroad and threaten U.S. sensitive information and critical infrastructure.”
The group allegedly relied primarily on spearphishing attacks to gain a foothold in targeted systems. In 2019, Nasab and others were able to compromise a defense contractor's administrator email account, prosecutors said. With that access, the attackers created two new email accounts and sent spearphishing emails to employees at another defense contractor and a consulting firm.
According to the indictment, they used an unnamed application to manage their campaigns and were able to obtain reports about whether the owners of targeted accounts had clicked malicious links, as well as details of their IP addresses, operating system and location.
The hackers also used social engineering tactics, adopting "female personas" to send messages containing links to malicious domains and attached documents carrying malware. One defense contractor was successfully breached with this tactic, the indictment alleges.
Nasab allegedly worked for several Iranian technology companies “and was responsible for procuring infrastructure used by the conspiracy, particularly infrastructure used in furtherance of social engineering campaigns.”
The indictment connects him to the company Mahak Rayan Afraz, which was accused in 2021 by Facebook of developing malware deployed by the hacking group Tortoiseshell, which is reportedly connected to Iran’s Islamic Revolutionary Guard Corps.
Nasab is charged with two counts of conspiracy to commit computer fraud and wire fraud, as well as wire fraud and aggravated identity theft. Combined, the charges carry a maximum of 47 years in prison.
The Department of State is offering up to $10 million for information on Nasab’s whereabouts through its Rewards for Justice Program.
In February, the Treasury Department sanctioned six Iranian government officials accused of being behind a string of cyberattacks on U.S. water facilities that use technology made by an Israeli company.
James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.