Editor’s note: Readers may also be interested in David Aaron’s analysis of the indictment.
On Friday, the Department of Justice announced charges in another state-sponsored cyber campaign against the United States. Similar to some we have seen before, the indictment of three Iranian government operatives describes the use of cybercrime tactics in furtherance of strategic, political objectives.
The indictment describes a conspiracy that began more than four years ago, in January 2020. It charges three individuals – Masoud Jalili, Seyyed Ali Aghamiri, and Yasar Balaghi – with conspiring to commit computer crimes, identity theft, and wire fraud to promote a range of objectives on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC), a U.S.-designated Foreign Terrorist Organization that serves as an unconventional internal and external security force of the Iranian regime.
Objectives of the criminal activity
To support the indictment’s charges of conspiracy and wire fraud, DOJ detailed the defendants’ shared objectives, the steps they took to advance those objectives, and specific misrepresentations they made. The indictment begins by describing the scope of targets and objectives. Victims included current and former officials of the U.S. government, members of the media and non-governmental organizations, and a presidential political campaign (the Trump Campaign). According to the grand jury, the IRGC operatives selected those targets as part of a scheme to interfere with the U.S. political process by undermining confidence in elections and exacerbating divisions within the country; to steal information about U.S. foreign policy and disrupt that policy; to steal and operationalize information about current and former U.S. officials; and to undermine the Trump 2024 Campaign.
The alleged conduct thus spanned the cyber, political, and physical worlds – one particularly disturbing allegation is that information about U.S. officials could be used to “advance the malign activities of the IRGC, including ongoing efforts to avenge the death of Qasem Soleimani,” the former commander of the IRGC’s external military and special operations arm killed by a U.S. strike in January 2020. That allegation could very well refer to reconnaissance to facilitate a real-world attack, particularly in light of the recent arrest of a suspected agent of Iran plotting to conduct assassinations in the United States and the 2022 charging of an IRGC operative for plotting to assassinate a former National Security Advisor. The new indictment references the latter as well as the IRGC’s “target[ing] nationals of the United States and its allies living in countries around the world for kidnapping and/or execution” as part of the background of IRGC activities.
Attribution to paramilitary group
Prosecutors allege that the three defendants worked for the Basij, which the indictment describes as a “paramilitary volunteer militia of the IRGC.” This affiliation both attributes the defendants’ online activity to the Iranian government and provides an organizational structure for the conspiracy charges.
Cybercrime methods
According to the indictment, the defendants used a variety of cybercrime obfuscation and “social engineering” techniques to compromise targets, install malware, and steal information. To disguise the fact that their malicious activity emanated from Iran – which would be a red flag to cyber defenders – they used infrastructure such as Virtual Private Networks (VPNs) and Virtual Private Servers (VPSs). By connecting to these services, the operatives concealed their Internet Protocol (IP) addresses, which can be used to infer location, and other technical identifiers that could undermine their fraudulent online stories. They then created fraudulent online accounts to impersonate people that their targets would trust. This is not the same as taking over someone’s actual account. It is easier to just create a new email or social media account that includes the name of the person or organization being impersonated and pretend to be that person or a representative of that organization.
Using those fake accounts, the operatives set up domains. Domains are basically human-readable web addresses. The operatives used a combination of fraudulent accounts and domains to trick their victims into downloading malware or unknowingly giving access to their own (real) accounts. At that point, the operatives were in. They could do what cyber criminals do: install malware, steal information, send fake messages from real accounts, log in to other websites, and so on. One particularly sinister, and unfortunately common, use of this access is exploiting the trust that already exists between the user of the compromised account and their associates. The malicious actor can send a message that does not simply appear to be from the compromised user, but really is from the compromised user’s account. If the malicious actor takes their time, they can craft that message to appear authentic, which can in turn induce the recipient to disclose information, click on a link, or open an attachment.
The indictment describes other technical aspects of the cyber operation, such as defeating multi-factor authentication (MFA) by presenting fake login pages into which targets entered their MFA codes, using cloud-based resources to host malware and command-and-control (C2) platforms, and maintaining long-term persistent access to victims’ computers and online accounts. And the indictment alleges that the operatives used these techniques, in part, to steal information from what is reported to be the Trump campaign and provide it to the media and to what is reported to be the Harris campaign (“U.S. Presidential Campaign 1” and “U.S. Presidential Campaign 2,” in the words of the indictment).
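The impersonation step described above – a freshly created account carrying a trusted person’s or organization’s name, paired with a look-alike domain, rather than a takeover of the real account – is something a mail-side defender can check for mechanically. The following Python is an added example for illustration; it is not part of the indictment or of this article, and every contact, domain and From: header in it is constructed sample data. It flags two signals: a display name that matches a known contact while the address is not one on file for that contact, and a sender domain that either embeds a trusted organization’s name or sits within a small edit distance of a trusted domain.

```python
"""Defender-side triage of sender impersonation (added example, constructed data).

Two signals are checked for each From: header:
  1. display-name spoofing: the display name matches a known contact, but the
     address is not one we have on file for that contact;
  2. look-alike sender domain: the domain embeds a trusted organization's name,
     or is within a small edit distance (typosquat) of a trusted domain.
"""
import re

# Constructed directory of trusted contacts and the addresses known for them.
KNOWN_CONTACTS = {
    "jane doe": {"jane.doe@example-press.org"},
    "example think tank": {"events@example-thinktank.org"},
}
# Constructed set of domains the organization actually trusts.
TRUSTED_DOMAINS = {"example-press.org", "example-thinktank.org"}
# Brand strings an impersonator might embed in a newly registered domain.
ORG_KEYWORDS = {"example-press", "example-thinktank"}

# Accepts '"Name" <addr>', 'Name <addr>' and bare 'addr' forms.
FROM_RE = re.compile(
    r'^\s*(?:"?(?P<name>[^"<]*?)"?\s*)?<?(?P<addr>[^<>\s]+@[^<>\s]+)>?\s*$'
)


def parse_from(header: str) -> tuple[str, str]:
    """Return (display_name, address), both lower-cased, from a From: value."""
    m = FROM_RE.match(header)
    if not m:
        raise ValueError(f"unparseable From header: {header!r}")
    name = (m.group("name") or "").strip().lower()
    return name, m.group("addr").strip().lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_sender(header: str) -> list[str]:
    """Return a list of human-readable findings for one From: header."""
    name, addr = parse_from(header)
    domain = addr.rsplit("@", 1)[1]
    findings = []
    # Signal 1: trusted name, unknown address.
    if name in KNOWN_CONTACTS and addr not in KNOWN_CONTACTS[name]:
        findings.append("display-name matches known contact but address is unknown")
    # Signal 2: look-alike domain (only relevant if the domain is not trusted).
    if domain not in TRUSTED_DOMAINS:
        if any(k in domain for k in ORG_KEYWORDS):
            findings.append("sender domain embeds a trusted organization name")
        elif any(edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS):
            findings.append("sender domain is a near-match to a trusted domain")
    return findings


if __name__ == "__main__":
    # Constructed headers illustrating a clean message and three impersonation styles.
    for hdr in (
        '"Jane Doe" <jane.doe@example-press.org>',
        '"Jane Doe" <jane.doe.press@freemail.example>',
        '"Example Think Tank" <events@example-thinktank-events.com>',
        '"IT Support" <support@examp1e-press.org>',
    ):
        print(hdr, "->", triage_sender(hdr) or ["no findings"])
```

The contact directory and keyword list stand in for whatever address book and brand inventory an organization actually maintains; in practice the same two checks would run over authenticated header fields (after SPF/DKIM evaluation), since a display name is free text the sender controls.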
The criminal operation’s targets
The targets of the conspiracy, many of whose personal email accounts were compromised, included former high-level U.S. government officials, such as a former Homeland Security Advisor, a former CIA Deputy Director, and a former Ambassador to Israel. They also included an author, a journalist, a human rights advocate, and individuals affiliated with the Trump campaign. The indictment lists targets of both successful and unsuccessful attempts. (Notably, despite news reports that the FBI and the U.S. intelligence community have concluded that Iranian operatives also unsuccessfully attempted to hack into the Biden-Harris Campaign (see also Google’s Threat Analysis Group report), this indictment does not mention it – but there could be another indictment coming.)
The federal offenses
The first count alleges Conspiracy to commit a variety of cyber crimes: Computer Fraud and Abuse Act (CFAA) violations; Wire Fraud; Aggravated Identity Theft; and frauds involving authentication features and access devices. These charges lay out the building blocks of the defendants’ technical and social engineering activities. The CFAA in particular is packed with definitions and subsections describing distinct prohibited acts, and prosecutors detail how particular activity by the IRGC-backed operatives violated specific subsections. This may appear numbingly specific, but that specificity is what allows prosecutors to take an adversary’s wide-ranging intelligence operation, charge it as criminal conduct, and present a detailed (and unclassified) description to the world.
The second count alleges Conspiracy to Provide Material Support to a Designated Foreign Terrorist Organization, specifically the IRGC. The particular material support the defendants are charged with providing includes personnel (including themselves), expert advice and assistance (including their hacking expertise), facilities, services, and tangible and intangible property.
The remaining counts allege eight distinct acts of Wire Fraud and eight distinct acts of Aggravated Identity Theft. These represent specific transmissions of wire signals (such as electronic communications between computers) and specific unauthorized uses of login credentials or other identifying information of victims.