Three Iranian nationals have been indicted on charges of hacking US aerospace and satellite companies, the US Department of Justice announced today.
Federal prosecutors accused Said Pourkarim Arabi, Mohammad Reza Espargham, and Mohammad Bayati of orchestrating a years-long hacking campaign on behalf of the Iranian government.
The hacking spree started in July 2015 and targeted a broad spectrum of victim organizations from both the US and abroad, from where they stole commercial information and intellectual property, officials said today.
According to court documents, the three hackers operated by creating fake online profiles and email accounts in order to assume the identities of individuals, usually US citizens, working in the satellite and aerospace fields.
The hackers would reach out via email using their fake identities to individuals working at the organizations they wanted to target, and tried to lure the victims into clicking on a link in their emails, leading to malware payloads.
Prosecutors say the group chose their targets from a list of 1,800 online accounts belonging to individuals associated with aerospace and satellite companies, and even government organizations. The 1,800 individuals resided in countries such as Australia, Israel, Singapore, the US, and the UK.
After infecting victims, the FBI, which investigated these intrusions, said the hackers used tools like Metasploit, Mimikatz, NanoCore, and a generic Python backdoor to search victim devices for valuable data and to maintain a foothold on their systems for future access.
Hacker group led by an IRGC officer
US officials said the group was led by Arabi, a 34-year-old who they identified as a member of Iran’s Islamic Revolutionary Guard Corps (IRGC), the country’s de-facto intelligence service.
According to investigators, Arabi lived in IRGC housing and listed past hacks on his resume, such as the hack of US and UK companies.
The second member was Espargham, who is best known for his work as a white-hat security researcher. Across the years, Espargham crafted a career as a white-hat hacker, currently being part of the OWASP Foundation, an eminent organization in the field of cyber-security.
Espargham was mostly known for his work as a bug hunter, having disclosed several security vulnerabilities, including a major WinRAR bug that we covered here at ZDNet back in 2015.
But according to US officials, Espargham also allegedly lived a double life as a black-hat hacker. He also went online under nicknames such as “Reza Darkcoder” and “M.R.S.CO,” and he was the leader of the Iranian Dark Coders Team, a group of website defacers.
It is unclear how Arabi recruited Espargham, but officials said the two started working together to breach aerospace and satellite companies. As part of this scheme, Espargham provided Arabi with malware and aided in the hacks, and even created a tool named VBScan that scanned vBulletin forums for vulnerabilities.
Espargham later open-sourced the tool, which he heavily advertised via his Twitter account.
Bayati, the third hacker, also had a similar role to Espargham, providing the group with malware to use in their intrusions.
All three remain at large in Iran and have been added to the FBI’s Cyber Most Wanted List.
Third Iranian charges in three days
Today marks the third consecutive day in which DOJ officials have charged Iranian hackers.
The DOJ previously charged an Iranian hacker on Tuesday for defacing US websites following the US killing of an Iranian military general, and two other hackers on Wednesday for orchestrating a similar years-long hacking campaign at the behest of the Iranian government, but also for their own personal financial gains.
Earlier today, the US Treasury also imposed sanctions on the Rana Intelligence Computing Company, a front company for a group of state-sponsored Iranian hackers tracked by the cyber-security industry as APT39.
All in all, DOJ officials have been busy this week in the real of cyber-space, having also indicted five Chinese hackers believed to be part of China’s APT41 hacker group, and two Russian hackers involved in the theft of $16.8 million from cryptocurrency users via phishing sites.