OFAC Announced Sanctions Against Iran-Based Cyber Threat Actor APT39

Hack

On Thursday, the U.S. Treasury Bureau of Foreign Assets Control ( OFAC) announced sanctions against Iran-based cyber threat actor APT39, associated individuals, and a front company named Rana Intelligence Computing Company.

Also known as Chafer, Cadelspy, ITG07, and Remexi, APT39 has been active since at least 2014 and some of its operations also align with the OilRig group’s activity.

A series of documents allegedly leaked from the Iranian Ministry of Intelligence and Security (MOIS) last year revealed information on Rana ‘s activities, which tracked individuals both in and outside Iran, and on its members.

Rana, the Treasury Department says, has been working on behalf of Iran’s government for years to target Iranian dissidents, journalists, and travel-sector global businesses. The Ministry of Intelligence and Security of Iran owns and manages both APT39 and Rana.

“Rana advances Iranian national security goals and [MOIS] strategic goals by conducting computer intrusions and malware campaigns against perceived adversaries, including foreign governments and other individuals that the MOIS considers a threat,” says the Treasury Department.

In addition to Rana, the U.S. sanctioned 45 individuals “for having substantially assisted, sponsored, or supplied financial , material, or technological support to or in support of the MOIS.”

These individuals, the U.S. says, were employed at Rana as managers, programmers, and hacking experts, providing support for attacks on companies , institutions, air carriers, and other interesting targets.

Hidden behind Rana, the MOIS helped the Government of Iran conduct violence and control operations against its own people. APT39 leveraged malware to hack and track Iranian citizens, including dissidents, environmentalists, former government employees, journalists, refugees, university students and faculty, and international organisation employees, operating through Rana.

APT39, and at least 15 countries in the MENA region, are also said to have targeted Iranian private sector companies and academic institutions. Overall, Rana is said to have targeted hundreds of individuals and organisations, including 15 U.S. companies , mainly from the travel sector, in over 30 different countries in Asia , Africa, Europe , and North America.

In an advisory issued on Thursday, the FBI provides information on eight malware families that Iran’s MOIS used to run cyber-intrusion operations through Rana, including VBS and AutoIt scripts, malware variants BITS 1.0 and BITS 2.0, a malicious programme posing as Firefox, a Python-based tool, Android malware, and malware Depot.dat. Samples of those threats were also uploaded to VirusTotal by the FBI.

This week, the U.S. announced three separate sets of charges against Iranian threat actors, including three individuals involved in targeting satellite and aerospace companies; two hackers targeting aerospace companies, think tanks, government, non-governmental and non-profit organisations, among others; and two individuals defacing websites in retaliation against killing of Qasem Soleimani.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.