The U.S. government announced extensive sanctions on Thursday against an Iranian cybersecurity threat actor associated with the Ministry of Intelligence and Security (MOIS). The sanctions are a response to a series of malware campaigns that have targeted Iranian dissidents, journalists, and entities within the telecom and travel sectors globally.
According to statements from the U.S. Treasury and the Federal Bureau of Investigation (FBI), the sanctions specifically focus on Rana Intelligence Computing Company, which has been identified as a front for the Iranian cyber espionage group known as APT39, or Chafer. This group has been active since 2014 and has been linked to various hacking operations aimed at acquiring sensitive information from organizations across the United States and the Middle East in furtherance of Iran’s national security interests.
The sanctions implicate 45 individuals employed across various roles within Rana, including managerial and technical positions. The measures prohibit U.S. businesses from engaging with Rana and its employees, marking a significant escalation in efforts to curb Iranian cyber threats.
The FBI emphasized that behind the facade of Rana Intelligence Computing Company, MOIS has orchestrated a long-term malware campaign aimed at surveilling not only Iranian citizens and journalists but also government networks in neighboring nations and foreign organizations in sectors such as travel, academia, and telecommunications.
Rana has reportedly targeted private enterprises and academic institutions, including cultural centers focused on the Persian language, both domestically and abroad. This broad scope of targeting underscores the group’s operational reach, which spans over 30 countries, including at least 15 U.S.-based travel companies that have fallen victim to its malware.
Earlier this year, Bitdefender uncovered two cyberattacks orchestrated by this actor against critical infrastructures in Kuwait and Saudi Arabia, utilizing spear-phishing tactics to compromise targets through malicious attachments. Extensive reconnaissance techniques were employed to collect sensitive data from these infiltrated systems.
The FBI has formally linked APT39’s activities to Rana while also detailing previously undisclosed malware utilized by the group for various intrusion and reconnaissance operations. This includes Microsoft Office documents embedded with Visual Basic Script (VBS), malicious AutoIt scripts, and custom-built malware designed for both capturing keystrokes and stealing data from compromised systems.
This recent round of sanctions against APT39 is part of a broader series of actions taken by the U.S. government against Iranian cyber actors, which also includes criminal charges against three individuals connected to the Islamic Revolutionary Guard Corps (IRGC). They are accused of participating in identity theft and hacking schemes targeting sensitive U.S. aerospace and satellite technology.
Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about Iranian cyber operatives exploiting unpatched vulnerabilities in VPN systems to harvest sensitive information and even resell access to compromised networks on underground forums.
As John C. Demers, the Assistant Attorney General for National Security, stated, the recent indictments and sanctions serve as a stark reminder of the extensive range of Iranian cyber activities that threaten not only U.S. interests but also those of nations worldwide. The pattern of these operations signifies Iran’s increasing role as a player in global cybercrime, affecting businesses and individuals far beyond its borders.
