The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.
9/9/2022 Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities | U.S. Department of the Trea… U.S. DEPARTMENT OF THE TREASURY Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities September 9, 2022 WASHINGTON — Today, the U.S. Department of the Treasuryʼs O ice of Foreign Assets Control (OFAC) is designating Iranʼs Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence for engaging in cyber-enabled activities against the United States and its allies. Since at least 2007, the MOIS and its cyber actor proxies have conducted malicious cyber operations targeting a range of government and private-sector organizations around the world and across various critical infrastructure sectors. In July 2022, cyber threat actors assessed to be sponsored by the Government of Iran and MOIS disrupted Albanian government computer systems, forcing the government to suspend online public services for its citizens. “Iranʼs cyber attack against Albania disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “We will not tolerate Iranʼs increasingly aggressive cyber activities targeting the United States or our allies and partners.” Todayʼs action is being taken pursuant to Executive Order (E.O.) 13694, as amended, which targets those who engage in malicious cyber activities. MOIS was previously designated pursuant to Executive Orders 13224, 13472, and 13553 for its support to multiple terrorist groups and for being responsible for, or complicit in, the commission of serious human rights abuses against the Iranian people. MOIS AND ITS CYB ER T HREAT ACTOR NET W ORKS The MOIS, under the leadership of Esmail Khatib, directs several networks of cyber threat actors involved in cyber espionage and ransomware attacks in support of Iranʼs political goals. In addition to conducting malicious cyber activity that a ected Albanian government websites, MOIS cyber actors were also responsible for the leaking of documents purported to https://home.treasury.gov/news/press-releases/jy0941 1/3 9/9/2022 Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities | U.S. Department of the Trea… be from the Albanian government and personal information associated with Albanian residents. Earlier this year, the United States identified a group of advanced persistent threat (APT) actors, known as MuddyWater, as a subordinate element within MOIS that has been conducting broad cyber campaigns in support of the organizationʼs objectives since approximately 2018. MuddyWater actors are known to exploit publicly reported vulnerabilities to gain access to sensitive data on victimsʼ systems, deploy ransomware, and disrupt the operations of private organizations. As recently as November 2021, MuddyWater was assessed to be involved in a cyber campaign targeting Turkish government entities and delivering documents containing malware likely through spear-phishing emails to gain access to victimsʼ systems. APT39, which OFAC designated pursuant to E.O. 13553 on September 17, 2020, for being owned or controlled by MOIS, is another cyber espionage group that Iran has used to advance its malign objectives. APT39 has engaged in widespread the of personal identifying information, probably to support surveillance operations that enable Iranʼs human rights abuses. Concurrent with the U.S. designation of APT39 and Government of Iran-front company Rana Intelligence Computing Company, the Federal Bureau of Investigation exposed MOISʼ years-long malware campaign that targeted and monitored Iranian citizens, dissidents, and journalists, as well as a host of foreign organizations that included at least 15 U.S. companies. The MOIS is being designated today pursuant to E.O. 13694, as amended, for being responsible for, or complicit in, directly or indirectly, cyber-enabled activity that is reasonably likely to result in, or has materially contributed to, a significant threat to the national security of the United States, and that have the purpose or e ect of causing a significant disruption to the availability of a computer or network of computers. Esmail Khatib is being designated today pursuant to E.O. 13694, as amended, for having acted or purported to act for or on behalf of, directly or indirectly, the MOIS. SANCT IONS IMPLICAT IONS As a result of todayʼs designation, all property and interests in property of the designated targets that are subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them. Additionally, any entities that are owned 50 percent or more by one or more designated persons are also blocked. All transactions by https://home.treasury.gov/news/press-releases/jy0941 2/3 9/9/2022 Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities | U.S. Department of the Trea… U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons are prohibited unless authorized by a general or specific license issued by OFAC, or exempt. These prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person and the receipt of any contribution or provision of funds, goods, or services from any such person. In addition, non-U.S. persons that engage in certain transactions with the persons designated today may themselves be exposed to designation. Furthermore, any foreign financial institution that knowingly conducts or facilitates a significant transaction for or on behalf of the persons designated today could be subject to U.S. correspondent or payable-through account sanctions. The power and integrity of OFAC sanctions derive not only from OFACʼs ability to designate and add persons to the SDN List, but also from its willingness to remove persons from the SDN List consistent with the law. The ultimate goal of sanctions is not to punish, but to bring about a positive change in behavior. For information concerning the process for seeking removal from an OFAC list, including the SDN List, please refer to OFACʼs Frequently Asked Question 897 here. For detailed information on the process to submit a request for removal from an OFAC sanctions list. View identifying information on the individual and entity designated today. F OR MORE INF ORMAT ION ON RANSOMW ARE Please visit StopRansomare.gov, a one-stop resource for individuals and organizations of all sizes to reduce their risk of ransomware attacks and improve their cybersecurity resilience. This webpage brings together tools and resources from multiple federal government agencies under one online platform. Learn more about how ransomware works, how to protect yourself, how to report an incident, and how to request technical assistance. ### https://home.treasury.gov/news/press-releases/jy0941 3/3