Latest news with #CyberAv3ngers


The Herald Scotland
6 days ago
- The Herald Scotland
Iranian man pleads guilty to 2019 Baltimore ransomware attack
He faces a maximum penalty of 30 years in prison and is scheduled to be sentenced in August, the Justice Department announced. Gholinejad and unidentified co-conspirators were behind a string of ransomware attacks between January 2019 and March 2024, according to an April 2024 indictment unsealed on May 27. The Justice Department said Gholinejad and his co-conspirators encrypted files on the targeted networks with the Robbinhood ransomware variant to extort ransom payments. The conspirators compromised the computer networks of health care organizations, corporations, and other entities across the United States, according to the Justice Department. The cyberattacks also targeted several U.S. cities, including Baltimore in the high-profile 2019 ransomware attack, and caused "significant disruptions" to essential city services, federal authorities said. The Justice Department added that the conspirators "used the damage they caused these cities to threaten subsequent victims." Though court documents did not allege a state-backed connection in this case, federal authorities have warned in recent years of Iranian government hacking groups targeting U.S. critical infrastructure and private-sector entities. Federal agencies have also issued numerous advisories for cyberattacks by foreign groups, including the Islamic Revolutionary Guard Corps. In November 2023, an Iranian-linked cyber group, Cyber Av3ngers, hacked into the water authority infrastructure in Aliquippa, Pennsylvania. The group took partial control of a system that regulates water pressure, and one that includes technology manufactured in Israel. At the time, federal authorities said the group was looking to disrupt Israeli-made technology in the United States.

Conspirators used hacking tools to gain access to computer networks
Federal authorities said Gholinejad and his co-conspirators gained unauthorized access to computer networks with hacking tools. They copied, transmitted, and stored information and files from the infected victim networks to virtual private servers controlled by the conspirators, according to the indictment. The conspirators also deployed Robbinhood ransomware on targeted computers to encrypt files and make them inaccessible to the victims, the indictment states. They then extorted victims by requiring the payment of Bitcoin in exchange for the private key used to decrypt the victims' computer files. The Justice Department said the conspirators attempted to launder the ransom payments through cryptocurrency mixing services and by moving assets between different types of cryptocurrencies. According to the indictment, the conspirators concealed their identities and activities through various methods, such as the use of virtual private networks and servers that they controlled. The attack on Baltimore in 2019 cost the city more than $19 million from damage to computer networks and disruptions to city services that lasted many months, including the processing of property taxes, water bills, parking citations, and other revenue-generating functions, the Justice Department said. Additional victims include computer networks in the cities of Gresham, Oregon; Yonkers, New York; and Greenville, North Carolina, along with the Glenn-Colusa Irrigation District in California and the nonprofit Berkshire Farm Center and Services for Youth, based in New York, according to the indictment.

"Gholinejad and his co-conspirators -- all of whom were overseas -- caused tens of millions of dollars in losses and disrupted essential public services by deploying the Robbinhood ransomware against U.S. cities, health care organizations, and businesses," Matthew R. Galeotti, head of the Justice Department's Criminal Division, said in a statement. "The ransomware attack against the City of Baltimore forced the city to take hundreds of computers offline and prevented the city from performing basic functions for months," Galeotti added. Contributing: Claire Thornton, USA TODAY; Reuters


Reuters
27-05-2025
- Business
- Reuters
Iranian man pleads guilty in US to 2019 Baltimore ransomware attack
May 27 (Reuters) - An Iranian national pleaded guilty to participating in the high-profile 2019 Baltimore, Maryland, ransomware attack, among others, and to causing tens of millions of dollars in losses and disrupted services, the Department of Justice said on Tuesday. Sina Gholinejad, 37, faces a maximum sentence of 30 years in prison after he pleaded guilty to one count of computer fraud and abuse and one count of conspiracy to commit wire fraud, according to the DOJ. The DOJ statement and publicly available court records did not allege a state-backed connection in this case, but U.S. authorities in recent years have warned of Iranian government hacking groups targeting U.S. critical infrastructure and private-sector entities. Iranian-linked hackers have also targeted U.S. critical infrastructure under the guise of ostensibly independent personas, such as the November 2023 defacement of water treatment equipment in Aliquippa, Pennsylvania, by a group called Cyber Av3ngers. The U.S. government later tied the group to the Iranian Islamic Revolutionary Guard Corps. Iran has denied targeting entities in the U.S. with cyberattacks. Gholinejad was arrested January 10, 2025, at the Raleigh-Durham International Airport, according to federal court records. The circumstances of his arrest were not immediately clear. The assistant federal public defender assigned to his case declined to comment. Gholinejad and unnamed co-conspirators were behind a string of ransomware attacks using the Robbinhood ransomware variant dating to January 2019 through March 2024, according to an April 2024 indictment unsealed on Tuesday. Additional victims include computer networks in the cities of Gresham, Oregon; Yonkers, New York; and Greenville, North Carolina, along with the Glenn-Colusa Irrigation District in California and the nonprofit Berkshire Farm Center and Services for Youth, based in New York. 
The attack on Baltimore, beginning on May 7, 2019, cost the city more than $19 million from damage to computer networks and disruptions to city services including the processing of property taxes, water bills, parking citations and other revenue-generating functions lasting many months, the DOJ said in its statement.

Straits Times
27-05-2025
- Straits Times
Iranian man pleads guilty in US to 2019 Baltimore ransomware attack


WIRED
14-04-2025
- Politics
- WIRED
CyberAv3ngers: The Iranian Saboteurs Hacking Water and Gas Systems Worldwide
Apr 14, 2025 6:00 AM
Despite their hacktivist front, CyberAv3ngers is a rare state-sponsored hacker group bent on putting industrial infrastructure at risk—and has already caused global disruption.

The intermittent cyberwar between Israel and Iran, stretching back to Israel's role in the creation and deployment of the Stuxnet malware that sabotaged Iran's nuclear weapons program, has been perhaps the longest-running conflict in the era of state-sponsored hacking. But since Hamas' October 7 attack and Israel's retaliatory invasion of Gaza, a new player in that conflict threatens not just digital infrastructure in Israel but also critical systems in the US and around the world.

The group known as CyberAv3ngers has, in the last year and a half, proven to be the Iranian government's most active hackers focused on industrial control systems. Its targets include water, wastewater, oil and gas, and many other types of critical infrastructure. Despite being operated by members of Iran's Revolutionary Guard Corps, according to US officials who have offered a $10 million bounty for information leading to their arrest, the group initially took on the mantle of a 'hacktivist' campaign. CyberAv3ngers has been vocal about their operations that targeted Israel and Israeli technology products. But they've also quietly expanded their target list to include a variety of other devices and networks, including a US oil and gas firm and a wide array of industrial control systems across the world. All of that makes the hackers, despite their grassroots front, a rare example of state-sponsored cybersaboteurs who have crossed the line of targeting and disrupting critical infrastructure. And they haven't shown any signs of stopping.

'They pretend to be hacktivists, but they're really not. This is a state-sponsored group. They have funding and tooling,' says Kyle O'Meara, a threat intelligence researcher at industrial-control-system cybersecurity firm Dragos, which tracks the group under the name Bauxite. 'They definitely have the capability, they have the intent, and they have the interest in learning how to shut things off and potentially cause harm.'

Though CyberAv3ngers was active as early as 2020, it first came to prominence in November 2023, after Hamas launched its October 7 attack that killed more than 1,200 people and Israel responded with a ground invasion and bombing campaign that has since killed more than 50,000 Palestinians. A month into that ongoing war, the hackers gained access to more than 100 devices sold by the Israeli firm Unitronics—industrial control systems most commonly used in water utilities and wastewater plants. 'Every Equipment 'Made In Israel' Is Cyber Av3ngers Legal Target!' read a post from the group's X account. In that hacking spree, CyberAv3ngers set the names of the devices to read 'Gaza' and changed their displays to show an image of the group's logo along with a star of David sinking into ones and zeros. 'You have been hacked,' the image read. 'Down with Israel.'

While CyberAv3ngers' initial foray may have appeared to be simple vandalism, the hackers actually rewrote the devices' so-called 'ladder logic,' the code that governs their functionality. As a result, the hackers' changes disrupted service on some victim networks, including a water utility and a brewery near Pittsburgh—distinct facilities that were both coincidentally in the same region—as well as multiple water utilities in Israel and Ireland, according to Dragos and another industrial cybersecurity firm, Claroty, that tracked the hacking campaign.

Around the same time, CyberAv3ngers also posted on Telegram that it had hacked into the digital systems of more than 200 Israeli and US gas stations—incidents which Claroty says did occur in some cases, but were largely limited to hacking their surveillance camera systems—and to have caused blackouts at Israeli electric utilities, a claim that cybersecurity firms say was false.

That initial wave of CyberAv3ngers hacking, both real and fabricated, appears to have been part of a tit-for-tat with another highly aggressive hacker group that is widely believed to work on behalf of Israeli military or intelligence agencies. That rival group, known as Predatory Sparrow, repeatedly targeted Iranian critical infrastructure systems while similarly hiding behind a hacktivist front. In 2021, it disabled more than 4,000 Iranian gas stations across the country. Then, in 2022, it set a steel mill on fire in perhaps the most destructive cyberattack in history. Following CyberAv3ngers' late 2023 hacking campaign, and missile launches against Israel by Iranian-backed Houthi rebels, Predatory Sparrow retaliated again by knocking out thousands of Iran's gas stations in December of that year. 'Khamenei!' Predatory Sparrow wrote on X, referring to the supreme leader of Iran in Farsi. 'We will react against your evil provocations in the region.'

Predatory Sparrow's attacks have been tightly focused on Iran. But CyberAv3ngers hasn't limited itself to Israeli targets, or even Israeli-made devices used in other countries. In April and May of last year, Dragos says, the group breached a US oil and gas firm—Dragos declined to name which one—by compromising the company's Sophos and Fortinet security appliances. Dragos found that in the months that followed, the group was scanning the internet for vulnerable industrial control system devices, as well as visiting the websites of those devices' manufacturers to read about them.

Following its late 2023 attacks, the US Treasury sanctioned six IRGC officials that it says were linked to the group, and the State Department put its $10 million bounty on their heads. But far from being deterred, CyberAv3ngers has instead shown signs of evolving into a more pervasive threat. Last December, Claroty revealed that CyberAv3ngers had infected a wide variety of industrial control systems and internet-of-things (IoT) devices around the world using a piece of malware it developed. The tool, which Claroty calls IOControl, was a Linux-based backdoor that hid its communications in a protocol known as MQTT used by IoT devices. It had been planted on everything from routers to cameras to industrial control systems. Dragos says it found devices infected by the group worldwide, from the US to Europe to Australia. According to Claroty and Dragos, the FBI took control of the command-and-control server for IOControl at the same time as Claroty's December report, neutralizing the malware. (The FBI didn't respond to WIRED's request for comment about the operation.)

But CyberAv3ngers' hacking campaign nonetheless shows a dangerous evolution in the group's tactics and motives, according to Noam Moshe, who tracks the group for Claroty. 'We're seeing CyberAv3ngers moving from the world of opportunistic attackers where their whole goal was spreading a message into the realm of a persistent threat,' Moshe says. In the IOControl hacking campaign, he adds, 'they wanted to be able to infect all kinds of assets that they identify as critical and just leave their malware there as an option for the future.' Exactly what the group might have been waiting for—possibly some strategic moment when the Iranian government could gain a geopolitical advantage from causing widespread digital disruption—is far from clear. But the group's actions suggest that it's no longer seeking to merely send a message of protest against Israeli military actions. Instead, Moshe argues, it's trying to gain the ability to disrupt foreign infrastructure at will. 'This is like a red button on their desk. At a moment's notice they want to be able to attack many different segments, many different industries, many different organizations, however they choose,' he says. 'And they're not going away.'