Iranian hackers tied to companies DHS called a front for Tehran cyber unit

Jana Winter

The Iranian hackers accused by the U.S. government Wednesday of carrying out hundreds of ransomware attacks against American targets were working for two Iranian companies the Department of Homeland Security had previously identified as fronts for the Iranian regime’s hacking operations.

Yahoo News obtained a copy of a daily U.S. Customs and Border Protection intelligence bulletin dated June 25, citing DHS raw intelligence, that identified Akfar Systems and Najee Technology, the two Iranian-based companies used as fronts by the Iranian regime to carry out cyberattacks against international targets, singling out the companies believed to be connected to hackers linked to Iran.

The Justice Department announced Wednesday that it filed criminal charges against three Iranian nationals — Mansour Ahmadi, 34, Ahmad Khatibi Aghda, 45, and Amir Hossein Nickaein Ravari, 30 — who are accused of carrying out of hundreds of ransomware attacks against a variety of of targets in the United States, including local governments, power companies, small businesses and a nonprofit domestic violence shelter. The DOJ indictment did not, however, specifically name the companies that the men worked for.

But the Treasury Department sanctioned the alleged hackers and the two companies associated with the defendants on Wednesday.

U.S. Attorney General Merrick Garland
U.S. Attorney General Merrick Garland. (Leah Millis/Reuters) (Leah Millis / reuters)

The June 25 CBP document, citing raw DHS intelligence reporting, identifies the two companies as “a front for the Intelligence Organization of the Islamic Revolutionary Guard Corp to conduct cyber operations,” and cites posts and photos from an online instant messaging group associated with an anti-regime Iranian hacker group. Addresses for the companies alleged to be carrying out cyberattacks on behalf of the Iranian government were included in the CBP summary, which states that photos of company records were also posted. The addresses for Akfar Systems and Najee Technology included in this report match the addresses in Iran listed in the Treasury sanctions against those companies and the hackers charged with carrying out hundreds of ransomware attacks against U.S. and western targets.

The DHS and CBP did not return a Yahoo News request for comment.

According to a July 21 raw intelligence report produced by DHS and flagged for law enforcement in mid-July, Afkar Systems and Najee Technology are both fronts for the Iranian Intelligence Organization of the Iranian Islamic Revolutionary Guards Corp.

Department of Justice headquarters in Washington, D.C.
Department of Justice headquarters in Washington, D.C. (Liu Jie/Xinhua via Getty Images) (Xinhua News Agency via Getty Images)

CBP and DHS documents reviewed by Yahoo News also revealed ongoing efforts by the State Department to deny entry to the U.S. to diplomats who are suspected of being spies from traveling to the United Nations General Assembly in New York this week.

“Espionage is one of the few grounds for refusing or revoking a diplomatic visa, but due to the secretive nature of espionage there is often little information available to prevent visa issuance,” states a CBP report from last month.

A State Department spokesperson told Yahoo News they could not discuss confidential visa records and would not comment on its review of past use of visa inadmissibility code to deny entry to foreign diplomats traveling to U.N. headquarters.

“As host nation of the U.N., the United States is generally obligated under the U.N. Headquarters Agreement to facilitate travel to U.N. headquarters district by representatives of the U.N. member states,” the spokesperson said. “We take our obligations under the U.N. Headquarters Agreement seriously.”

But documents obtained by Yahoo News show a behind-the-scenes effort to explore options to deny entry to diplomats traveling to the U.N. using visa inadmissibility code 3A1. Last year, three Russians heading to the U.N. General Assembly were denied entry this way.

Iranian flag is seen at the Embassy of the Islamic Republic of Iran, as Albania cuts ties with Iran and orders diplomats to leave over cyberattack, in Tirana, Albania, September 8, 2022. REUTERS/Florion Goga
Florion Goga/Reuters (Florion Goga / reuters)

The actions taken on Wednesday by the Department of Justice and the Treasury Department also come amid continued DHS and FBI warnings of possible retaliatory attacks against U.S. networks, citizens and senior U.S. military and government officials over the 2020 U.S. drone strike in Iraq that killed Iranian Gen. Qassem Soleimani.

Last month, the U.S. charged Shahram Poursafi, 45, with trying to arrange the killing of former Trump administration national security adviser John Bolton and an unnamed Trump official, which Yahoo News identified as former Secretary of State Mike Pompeo.

In interviews with Yahoo News, Bolton and other top White House officials said that, in light of those charges, they were outraged by the Biden administration's continued pursuit restarting a nuclear deal with Tehran.

—Caitlin Dickson contributed reporting

Advertisement