US sanctions Iranians behind CNI cyber attacks

US government issues new sanctions against six Iranians suspected of being behind a series of cyber attacks targeting critical national infrastructure, notably water supply systems

The US Treasury’s Office of Foreign Assets Control (OFAC) issued sanctions against six Iranians on Friday 2 February over their involvement in a series of state-backed cyber intrusions against critical national infrastructure (CNI) in the US and elsewhere.

The named individuals are all officials serving in Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) and are suspected of being behind a spate of cyber attacks towards the end of 2023 that targeted programmable logic controllers (PLCs) developed by Israel-based Unitronics and used in water and other CNI systems.

Such industrial control system (ICS) devices are particularly sensitive targets in the context of CNI, as disruption to their normal operation could affect water supplies to homes and businesses or cause damage to the physical pumping and associated infrastructure.

“The deliberate targeting of critical infrastructure by Iranian cyber actors is an unconscionable and dangerous act,” said Brian Nelson, under-secretary of the Treasury for Terrorism and Financial Intelligence. “The United States will not tolerate such actions and will use the full range of our tools and authorities to hold the perpetrators to account.”

In the recent attacks, the hackers limited themselves to more mundane mischief, and those affected were able to remediate the incidents with minimal downstream impact. Nevertheless, said OFAC, the US remains “deeply concerned” about the targeting of such systems.

It warned that cyber operations that intentionally damage or impair the use of civilian CNI were both destabilising and, in the context of the gathering Middle Eastern crisis, “potentially escalatory”.

“The US Treasury connected the attacks on global water infrastructure to the IRGC, an organisation with a long history of carrying out disruptive cyber attacks in the US and elsewhere. As the situation in the Middle East unfolds, similar incidents are likely,” said Mandiant Intelligence chief analyst John Hultquist.

“The ultimate purpose of these hacks is to scare us and attack our trust in our own basic safety. Unfortunately, they can be effective even when they fail to disrupt the services they target, which this actor knows. The IRGC’s attacks on our elections in 2020 were similar, in that they were designed to erode confidence in our institutions, rather than alter any outcome,” he added.

“The water sector has been under enormous pressure lately from Russian, Iranian and Chinese cyber actors who recognise it as a vulnerable critical infrastructure. We have to take the threats to water seriously, but we can’t forget that the adversary’s primary goal is psychological,” said Hultquist.

The named individuals are IRGC-CEC and IRGC-Qods commander Hamid Reza Lashgarian, and IRGC-CEC senior officials Mahdi Lashgarian, Hamid Homayunfal, Milad Mansuri, Mohammad Bagher Shirinkar and Reza Mohammad Amin Saberian.

The sanctions provide for the blocking of any assets the six men may hold in the US, and prohibit any transactions by people within the US involving those assets. Under US law, financial institutions or private individuals who engage in transactions or other activities with them may themselves become subject to sanctions or enforcement actions. These prohibitions include providing or receiving goods, funds or services.
