US Sanctions Iran Over APT Cyberattack Activity

The Treasury Department links the MuddyWater APT and APT39 to Iran's intelligence apparatus, which is now blocked from doing business with US entities.

Tehran's city center against snowcapped mountains
Tehran's city centerSource: Emily Marie Wilson via Alamy Stock Photo

The feds have moved to sanction the Iranian government for its cybercrime activities, which they allege have been carried out in systematic fashion against US targets via a range of advanced persistent threat (APT) groups.

US Department of the Treasury's Office of Foreign Assets Control (OFAC) is specifically designating Iran's Ministry of Intelligence and Security (MOIS) for "engaging in cyber-enabled activities against the United States and its allies," since at least 2007.

The sanctions mean that US citizens and visitors to the US are prohibited from doing business or carrying out any transactions involving funds, goods, or services with the designated entities or their proxies.

Albanian Cyberattack Sparks US Action

The Treasury Department cited a recent cyberattack in July that disrupted the Albanian government as emblematic of Iran's tactics; that incident resulted in the leaking of documents purported to be from the Albanian government and personal information associated with Albanian residents.

"Iran's cyberattack against Albania disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public," Brian Nelson, undersecretary of the treasury for terrorism and financial intelligence, said in a statement on Friday. "We will not tolerate Iran’s increasingly aggressive cyber-activities targeting the United States or our allies and partners."

John Hultquist, vice president at Mandiant Intelligence, notes that Iran has a history of targeting the MeK, the group at the center of the Albanian incident. "These actors have also been involved in ransomware incidents that may have been ultimately designed for disruptive purposes rather than financial gain," he says. "Those operations were a template for the Albania attack."

Calling Out MuddyWater & APT34

The sanctions also extend to Minister of Intelligence Esmail Khatib, who the Treasury Department said is responsible for directing APT groups from within MOIS. The Friday announcement specifically mentions his weapon as including the MuddyWater APT (aka OilRig or APT34, specializing in espionage on rival governments) and APT39 (aka Chafer, which the US says supports Iran's human rights abuses).

“MOIS carries out cyber-espionage and disruptive ransomware attacks on behalf of the Iranian government in parallel with the other Iranian security service, the IRGC," says Hultquist, who notes that Mandiant has previously linked both APTs to Tehran. "They are largely focused on classic espionage targets such as governments and dissidents, and they have been found targeting upstream sources of intelligence like telecommunications firms and companies with potentially valuable personally identifiable information (PII)."

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights