Press Release

U.S. Attorney Announces Charges Against Iranian National For Multi-Year Cyber Campaign Targeting U.S. Defense Contractors And Private Sector Companies

For Immediate Release
U.S. Attorney's Office, Southern District of New York
Defendant Participated in Cyberattacks While Employed by Iranian Company That Purported to Provide Cybersecurity Services

Damian Williams, the United States Attorney for the Southern District of New York; Matthew G. Olsen, the Assistant Attorney General for National Security; Bryan Vorndran, the Assistant Director of the Cyber Division of the Federal Bureau of Investigation (“FBI”); and James Smith, the Assistant Director in Charge of the New York Field Office of the FBI, announced today the unsealing of an Indictment charging Iranian citizen and resident ALIREZA SHAFIE NASAB for his involvement in a cyber-enabled campaign to compromise U.S. government and private entities, including the U.S. Departments of the Treasury and State, defense contractors, and two New York-based companies.  The case has been assigned to U.S. District Judge Mary Kay Vyskocil.  NASAB remains at large.

U.S. Attorney Damian Williams said: “As alleged, Alireza Shafie Nasab participated in a cyber campaign using spearphishing and other hacking techniques to infect more than 200,000 victim devices, many of which contained sensitive or classified defense information.  Cyber intrusion schemes such as the one alleged threaten our national security, and I’m proud of our law enforcement partners and the career prosecutors of this Office for using innovative technologies and investigative measures to disrupt and track down these cybercriminals.”

Assistant Attorney General for National Security Matthew G. Olsen said: “While purporting to work as a cybersecurity specialist for Iran-based clients, Mr. Nasab allegedly participated in a persistent campaign to compromise U.S. private sector and government computer systems.  Today’s charges highlight Iran’s corrupt cyber ecosystem, in which criminals are given free rein to target computer systems abroad and threaten U.S. sensitive information and critical infrastructure.  Our National Security Cyber Section remains focused on disputing these cross-border hacking schemes and holding those responsible to account.”

FBI Cyber Division Assistant Director Bryan Vorndran said: “The FBI will leverage all of our capabilities in combatting the threat waged by Iranian hacker organizations against America’s public and private sector.  We encourage everyone to practice proper cyber hygiene to mitigate the risk of becoming vulnerable to malicious actors like Nasab.  The close collaboration with partners that led to today’s unsealed indictment does not end there, and we are looking forward to continued teamwork in this space.”

FBI New York Assistant Director in Charge James Smith said: “Hostile cybercriminals are determined to use hacking campaigns to harm public safety and threaten our national security.  Alireza Nasab, over an extended number of years, allegedly participated in an aggressive campaign of cyberattacks targeting U.S. government agencies, defense contractors, and New York-based companies working closely with the Department of Defense.  This case is a reminder that we all need to maintain proper cybersecurity and awareness to avoid falling victim to malicious cyber actors.  The FBI will continue to lead the fight against hostile nation state actors attempting to harm our country in cyberspace.”

According to the allegations contained in the Indictment unsealed today in Manhattan federal court:[1]

From at least in or about 2016 through at least in or about April 2021, ALIREZA SHAFIE NASAB and other conspirators were members of a hacking organization that participated in a coordinated multi-year campaign to conduct and attempt to conduct computer intrusions.  These intrusions targeted more than a dozen U.S. companies and the U.S. Departments of the Treasury and State.

The hacking group’s private sector victims were primarily cleared defense contractors, which are companies that support U.S. Department of Defense programs.  In addition, the group targeted a New York-based accounting firm and a New York-based hospitality company.

In conducting their hacking campaigns, the group used spearphishing — that is, tricking an email recipient into clicking on a malicious link — to infect victim computers with malware.  In the course of their campaigns against one victim, the group compromised more than 200,000 employee accounts.  At another victim, the conspirators targeted 2,000 employee accounts.  In order to manage their spearphishing campaigns, the group created and used a particular computer application, which enabled the conspirators to organize and deploy their spearphishing attacks.

In the course of these spearphishing attacks, the conspirators compromised an administrator email account belonging to a defense contractor (“Defense Contractor-1”).  Access to this administrator account empowered the conspirators to create unauthorized Defense Contractor-1 accounts, which the conspirators then used to send spearphishing campaigns to employees of a different defense contractor and a consulting firm.

In addition to spearphishing, the conspirators utilized social engineering, which involved impersonating others, generally women, in order to obtain the confidence of victims.  These social engineering contacts were another means the conspiracy used to deploy malware onto victim computers and compromise those devices and accounts.

NASAB took part in these schemes.  During his participation in the scheme, he was employed by Mahak Rayan Afraz, an Iran-based company that purported to provide cybersecurity services, but which was, in fact, a front for the conspirators’ operations.  NASAB was responsible for procuring infrastructure used by the conspiracy.  During the course of this conduct, NASAB used the stolen identity of a real person in order to register a server and email accounts used in the course of the cyber campaigns.

*                *                *

NASAB, 39, of Iran, is charged with one count of conspiracy to commit computer fraud, which carries a maximum sentence of five years in prison; one count of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison; one count of wire fraud, which carries a maximum sentence of 20 years in prison; and one count of aggravated identity theft, which carries a mandatory consecutive term of two years in prison.    

The maximum potential sentences in this case are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendant will be determined by the assigned judge.

Concurrent with the unsealing of the Indictment, the Department of State’s Rewards for Justice Program is offering a reward of up to $10 million for information leading to the identification or location of NASAB.  Anyone with information on NASAB and his malicious cyberactivity should contact Rewards for Justice via their Tor-based tips-reporting channel at: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion (the Tor browser is required).

Mr. Williams praised the outstanding investigative work of the FBI, including the work of the FBI Cyber Division.    

The case is being handled by the Office’s Complex Frauds and Cybercrime Unit.  Assistant U.S. Attorneys Ryan B. Finkel, Dina McLeod, and Daniel G. Nessim are in charge of the prosecution, with assistance from Trial Attorney Matthew Chang of the National Security Division’s Cyber Section.

The charges contained in the Indictment are merely accusations, and the defendant is presumed innocent unless and until proven guilty.           


[1] As the introductory phrase signifies, the entirety of the text of the Indictment and the description of the Indictment set forth herein constitute only allegations, and every fact described should be treated as an allegation.

Contact

Nicholas Biase, Lauren Scarff
(212) 637-2600

Updated February 29, 2024

Topics
Cybercrime
National Security
Press Release Number: 24-079