FBI Boston
Kristen Setera
(857) 386-2905
September 17, 2020

FBI Releases Cybersecurity Advisory on Previously Undisclosed Iranian Malware Used to Monitor Dissidents and Travel and Telecommunications Companies

Today, the Federal Bureau of Investigation released a new cybersecurity advisory to academic, public, and private sector partners across the country about previously undisclosed malware attributed to Iranian nation state actors publicly known as Advanced Persistent Threat 39 (APT 39), Chafer, Remexi, Cadelspy, or ITG07. The goal is to make everyone aware of the threat and provide them with the necessary tools to defend their computer networks and mitigate this malicious cyber activity that has already cost companies in the United States and around the world millions of dollars.

Masked behind its front company, Rana Intelligence Computing Company (Rana), the Government of Iran’s Ministry of Intelligence and Security (MOIS) has employed a years-long malware campaign that targeted and monitored Iranian citizens, dissidents, and journalists, the government networks of Iran’s neighboring countries, and foreign organizations in the travel, academic, and telecommunications sectors. Some of these individuals were subjected to arrest and both physical and psychological intimidation. Through Rana, the MOIS also targeted some of the world’s largest travel services companies based here in the U.S. which store the records of millions of travelers. At least 15 U.S. companies were compromised by Rana’s malicious cyber intrusion tools, all of which the FBI has notified, along with hundreds of individuals and entities from more than 30 different countries across Asia, Africa, Europe, and North America.

In the advisory, the FBI is releasing eight separate and distinct sets of malware used by Rana (MOIS) to conduct their computer intrusion activities. Until now, most of these technical indicators have never been publicly discussed, nor attributed to the MOIS by the U.S. government. It is anticipated that by making this malicious code public, it will deal a significant blow to the MOIS and mitigate the ongoing victimization of thousands of individuals and organizations around the world, while also imposing risk and consequences on our cyber adversaries.

The release of this malware, coupled with the sanctions imposed today by the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) against Rana and 45 individuals, many of whom were acting as managers, programmers, or hacking experts, is the result of a long-term investigation by the FBI Boston Division.

“These were calculated attacks by a group of individuals with ties to Iran’s Ministry of Intelligence and Security who were intent on harming America and its allies. Today, not only are we publicly identifying them for the first time, but as part of the FBI’s ongoing commitment to our academic, public, and private sector partners, we’re sharing this information with them so they can prevent malware attacks and further victimization,” said Joseph R. Bonavolonta, Special Agent in Charge of the FBI Boston Division.

The cybersecurity advisory referenced in this release can be found here: https://www.ic3.gov/media/news/default.aspx

More information on the sanctions imposed by the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) can be found here: https://home.treasury.gov/news/press-releases/sm1127

View identifying information on the entities and individuals designated today: https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20200917