Two Iranian men have been indicted for their alleged involvement in a hacking and malware scheme that spanned more than two years and crippled computer systems at hospitals and municipal offices across the country, the Justice Department announced on Wednesday.
Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, allegedly released a type of ransomware called “SamSam” designed to hold computer systems hostage – forcing victims to pay a “ransom” to regain access, Deputy Attorney General Rod Rosenstein said at a news conference on Wednesday.
“The allegations in the indictment unsealed today – the first of its kind – outline an Iran-based international computer hacking and extortion scheme that engaged in 21st-century digital blackmail,” said Assistant Attorney General Brian Benczkowski.
The duo allegedly acted from inside Iran and collected over $6 million from more than 200 victims, causing more than $30 million in losses during a 34-month span. Among their alleged targets was the city of Atlanta, where segments of the municipal online infrastructure ground to a halt for days in March because of the malware infection, preventing residents from paying water bills and forcing police officers to file reports by hand.
Other victims of the attacks included the city of Newark, New Jersey, MedStar Health and the Colorado Department of Transportation, according to Benczkowski, the head of the Justice Department’s criminal division.
On Wednesday, Newark Mayor Ras Baraka said the attacks “seriously compromised” their networks and “disrupted vital services that we provide to residents.”
“The hackers asked for payment of the bitcoin equivalent of $30,000 in ransom and we paid that as recommended by law enforcement officials in order to prevent long-term disruption,” Baraka said in a statement.
He added, “Both the FBI and Department of Justice were extremely helpful in guiding us every step of the way and assisting in a situation we had never faced before.”
The indictment does not allege that the men had any official connection to the Iranian government, according to Benczkowski.
The Justice Department plans to file notices with Interpol to restrict the men’s travel, Benczkowski said.
Benczkowski said Savandi and Mansouri face charges of “conspiracy to commit fraud and related activity in connection with computers, conspiracy to commit wire fraud, intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer.”
In a related move, the US Treasury Department on Wednesday also announced it was taking action against two others based in Iran, Ali Khorashadizadeh and Mohammad Ghorbaniyan.
According to the Treasury’s Office of Foreign Assets Control, Khorashadizadeh and Ghorbaniyan allegedly assisted Savandi and Mansouri in converting the cryptocurrency Bitcoin into Iranian rial.
“Treasury is targeting digital currency exchangers who have enabled Iranian cyberactors to profit from extorting digital ransom payments from their victims,” said Treasury Under Secretary for Terrorism and Financial Intelligence Sigal Mandelker in a statement. “As Iran becomes increasingly isolated and desperate for access to US dollars, it is vital that virtual currency exchanges, peer-to-peer exchangers, and other providers of digital currency services harden their networks against these illicit schemes.”
Despite the common belief that cryptocurrency transactions are anonymous, they are only pseudonymous – meaning there is a way to trace the transactions.
“The criminals believe they were masking their identities on the dark web, however this case shows that anonymizers may not make you as anonymous as you think you are. They use Bitcoin to avoid detection but this case shows that digital currency may be traceable,” said FBI Executive Assistant Director Amy S. Hess, the law enforcement agency’s top cyberofficial.
CrowdStrike CSO and former FBI executive assistant director Shawn Henry tells CNN that these types of indictments are examples of targeted operations where the FBI, NSA and CIA are teaming up like never before to go after hackers.
In the statement, Mandelker also said they are publishing addresses linked to “illicit actors.”
“We are publishing digital currency addresses to identify illicit actors operating in the digital currency space. Treasury will aggressively pursue Iran and other rogue regimes attempting to exploit digital currencies and weaknesses in cyber and AML/CFT safeguards to further their nefarious objectives.”
Rosenstein on Wednesday called the cyberattacks a “high-tech, sophisticated extortion plot.”
“These defendants are now fugitives from American justice. American justice has a long arm and we will wait and eventually we’re confident that we will take these perpetrators into custody,” Rosenstein said.
CNN’s Jose Pagliery and Ahiza Garcia contributed to this report.