The U.S. Department of Justice (DOJ) announced on Wednesday that charges have been filed against Hooman Heidarian and Mehdi Farhadi, two Iranian nationals in their 30s who allegedly carried out cyberattacks against private and public systems in the U.S., Europe, and Middle East — “sometimes at the behest of the government of the Islamic Republic of Iran.”
The ten-count indictment accused Heidarian and Farhadi of stealing “hundreds of terabytes of data, which typically included confidential communications pertaining to national security, foreign policy intelligence, non-military nuclear information, aerospace data, human rights activist information, victim financial information and personally identifiable information, and intellectual property, including unpublished scientific research.”
“In some instances, the defendants’ hacks were politically motivated or at the behest of Iran, including instances where they obtained information regarding dissidents, human rights activists, and opposition leaders. In other instances, the defendants sold the hacked data and information on the black market for private financial gain,” DOJ said.
The coordinated cyberespionage campaign described in the indictments began in 2013 with “cyber intrusions into computer systems in New Jersey and around the world.” The hackers frequently acted under the pseudonym “Sejeal” and boasted their mission was to damage the Iranian opposition and foreign adversaries of the Iranian government. Their targets included defense contractors, government agencies, and non-governmental organizations.
“Sejeal” means “stones.” The word, an apparent reference to a passage in the Quran about birds dropping stones to protect Mohammed from attack, has been used by Iranian terrorists and Iran-sponsored terrorist operations over the past decade, notably including a botched 2012 bombing plot in Thailand that could have become a mass-casualty event if carried out.
According to the indictment, the hackers made over 100,000 posts between 2010 and 2017 under the name “Sejeal” on a forum used by cyber-criminals to boast of their accomplishments. They sold much of the data they stole on the dark web, banking on their elevated reputation to secure high prices for their plundered information.
The first major action in the criminal campaign chronicled by DOJ involved hacking into a public research university in Newark, New Jersey, in 2013 and defacing its website to display a burning Israeli flag and the word Sejeal in a manner that looked very similar to the stickers employed by the 2012 Thailand bombers. Another caper involved hacking an Israeli telecom company in 2015 and broadcasting the message “Sejeal is coming soon! In memory of the martyrs of Yemen” to about 2.5 million of its customers. The two Iranian hackers sent each other congratulatory messages with screen captures of customers complaining about the message.
“We will not bring the rule of law to cyberspace until governments refuse to provide safe harbor for criminal hacking within their borders. Unfortunately, our cases demonstrate that at least four nations — Iran, China, Russia, and North Korea — will allow criminal hackers to victimize individuals and companies from around the world, as long as these hackers will also work for that country’s government — gathering information on human rights activists, dissidents and others of intelligence interest,” said Assistant Attorney General for National Security John C. Demers.
According to the FBI, both of the hackers reside in the Iranian city of Hamedan. The pair were indicted by a grand jury in New Jersey because their early attacks struck targets in that state, but they also hit systems in Europe and the Middle East. Many of their targets were Iranian dissidents and human rights activists. Their tactics became noticeably more sophisticated as their campaign went along, leading DOJ analysts to suspect they received support and guidance from state-sponsored cyber espionage units and professional cybercrime rings.
“These Iranian nationals allegedly conducted a wide-ranging campaign on computers here in New Jersey and around the world. They brazenly infiltrated computer systems and targeted intellectual property and often sought to intimidate perceived enemies of Iran, including dissidents fighting for human rights in Iran and around the world. This conduct threatens our national security, and as a result, these defendants are wanted by the FBI and are considered fugitives from justice,” said Craig Carpenito, U.S. Attorney for the District of New Jersey.
Two other hackers, Iranian Behzad Mohammadzadeh and a Palestinian named Maran Abusrour, were charged on Wednesday with defacing about 50 U.S.-based websites by plastering them with images of Gen. Qassem Soleimani, the Iranian terrorist commander killed by a U.S. drone strike in January, and the message “Down with America.” The indictment against Mohammadzadeh and Abusrour did not state whether their activities were linked to the government of Iran.