The US Treasury Department has issued sactions against Iran’s intelligence agency in response to that country’s cyberattack against Albania and other “cyber-enabled activities against the United States and its allies.”
Earlier this week, NATO ally Albania cut its diplomatic relations with Iran after blaming a July cyberattack that hit its government infrastructure on Iranian state-sponsored attackers. At the time, the White House National Security Council pledged to “take further action to hold Iran accountable for actions that threaten the security of a US ally and set a troubling precedent for cyberspace.”
Today’s sanctions prohibit American businesses and individuals from conducting any transactions with Iran’s Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, as well as any business more than 50 percent owned by the entities.
“Iran’s cyberattack against Albania disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian Nelson in a statement. “We will not tolerate Iran’s increasingly aggressive cyber activities targeting the United States or our allies and partners.”
According to the Feds, since at least 2007, MOIS conducted cyberespionage, stole credentials and deployed ransomware, along with other malicious activities against government agencies, private-sector organizations and critical infrastructure sectors around the globe.
The US and Albania also allege that MOIS-linked cyber gangs were behind a leak of documents purported to be from the Albanian government and personal information about the country’s residents.
In February, Uncle Sam linked an advanced persistent threat (APT) group known a MuddyWater to MOIS, and said that gang has been “conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors in Asia, Africa, Europe, and North America,” since at least 2018.”
Additionally, in September 2020 the US Treasury sanctioned another Iran state-sponsored cyberespionage gang, APT39, for “being owned or controlled by MOIS.”
Mandiant, a year prior, linked APT39 to MOIS. Last month, the threat intel firm stated “with moderate confidence” that “one or multiple threat actors who have operated in support of Iranian goals” were involved in the Albanian attack.
Earlier this week, Mandiant named a new threat group, APT42, that it said functions as the cyberspy arm of Iran’s Islamic Revolutionary Guard Corps (IRGC).
“MOIS carries out cyber espionage and disruptive ransomware attacks on behalf of the Iranian government in parallel with the other Iranian security service the IRGC,” Mandiant Intelligence VP John Hultquist told The Register.
“They are largely focused on classic espionage targets such as governments and dissidents, and they have been found targeting upstream sources of intelligence like telecommunications firms and companies with potentially valuable PII.”
While these latest sanctions won’t be a serious roadblock for the Iranian regime’s online army, they do provide another avenue to go after American companies seeking to do business in the theocracy. ® ®