2 Iranians Indicted for Cyberattacks Targeting U.S. Cities and Public Institutions

November 29, 2018

By Mike Freeman

A federal grand jury has indicted two Iranian men for orchestrating a widespread ransomware cyberattack scheme targeting U.S. cities, hospitals and transportation agencies.

The indictment charges Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, with launching cyberattacks using malware known as SamSam to freeze data on computers. The men then demanded payment in digital currency known as Bitcoin to unlock the data.

Authorities said Savandi and Mansouri collected more than $6 million in ransom payments and caused $30 million in damages in attacks that began in December 2015. Both men reside in Iran and have not been arrested.

"The allegations in the indictment unsealed today -- the first of its kind -- outline an Iran-based international computer hacking and extortion scheme that engaged in 21st-century digital blackmail," said Assistant Attorney General Benczkowski. "These defendants allegedly used ransomware to infect the computer networks of municipalities, hospitals, and other key public institutions, locking out the computer owners, and then demanded millions of dollars in payments from them."

The Port of San Diego, one target of the scheme, first reported the ransomware attack on Sept. 25, limiting access to permits and public documents for a few days. Computers that handled administrative functions for the Harbor Police also were impacted.

The port declined to comment on whether it paid the ransom, and U.S. Department of Justice officials on Wednesday also declined to identify which victims opted to pay.

"We applaud the U.S. Department of Justice and the FBI for conducting this complex and sophisticated investigation. The federal government's assistance and partnership has been invaluable during our recovery from the September 2018 cyberattack," said Randa Coniglio, chief executive of the port, in a statement. "We are very pleased to see these enforcement efforts against international computer hacking and extortion scammers, and we hope these efforts also serve as a deterrent to future attacks."

According to the indictment, Atlanta, Newark, the Colorado Department of Transportation and the University of Calgary were among the government agencies attacked.

In addition, health care facilities, including Hollywood Presbyterian Medical Center in Los Angeles; Kansas Heart Hospital; MedStar Health in Maryland; Nebraska Orthopedic Hospital; and Allscripts Healthcare Solutions in Chicago were victims.

Savandi and Mansouri created the first version of the SamSam Ransomware in late 2015 and further refined the ransomware in June and October 2017, according to the indictment.

The men allegedly used sophisticated online reconnaissance to select potential targets, according to the indictment, disguising their attacks to appear like legitimate network activity.

The Port of San Diego is the most recent victim of the attacks, according to the indictment. It employs about 570 workers and oversees 34 miles of San Diego Bay waterfront property. It plays a key role in public safety with the Harbor Police and the operation of cargo and cruise terminals. The district spans five cities and houses 800 businesses.

(c)2018 The San Diego Union-Tribune