Iranian Nationals Charged in Cyber-Enabled Campaign Targeting U.S. Government and Private Entities

ICARO Media Group
Politics
23/04/2024 23h56

An indictment has been unsealed in Manhattan federal court, charging four Iranian nationals with involvement in a cyber-enabled campaign aimed at compromising U.S. government and private entities. The defendants are Hossein Harooni, Reza Kazemifar, Komeil Baradaran Salmani, and Alireza Shafie Nasab.

The indictment reveals that the targets of this extensive hacking campaign included the U.S. Departments of Treasury and State, defense contractors, and two New York-based companies. The defendants allegedly conducted the coordinated hacking campaign from Iran over a period of several years.

The U.S. Department of State's Rewards for Justice program has announced a reward of up to $10 million for information leading to the identification or location of the group and the defendants. The program seeks information on individuals who engage in malicious cyber activities in violation of the Computer Fraud and Abuse Act (CFAA), while acting at the direction or control of a foreign government.

Furthermore, the Treasury Department has imposed sanctions on the four defendants, along with other malicious cyber actors, as a response to their activities.

Attorney General Merrick B. Garland emphasized the seriousness of cyber threats originating from Iran, stating that such criminal activity poses a grave threat to America's national security and economic stability. He added that the defendants are alleged to have engaged in a coordinated hacking campaign that targeted multiple American companies, as well as the U.S. Treasury and State Departments.

FBI Director Christopher Wray highlighted the FBI's commitment to countering cyber threats, specifically those originating from Iran. He expressed the agency's determination to disrupt and track down cybercriminals who pose a danger to American businesses and citizens.

Assistant Attorney General Matthew G. Olsen stressed the deceptive nature of the Iran-based company involved in the cyber campaign. The company purported to provide cybersecurity services but was, in reality, using spearphishing and social engineering attacks to compromise U.S. computer systems. Olsen emphasized the Department of Justice's commitment to disrupting such malicious activities and holding the individuals accountable.

U.S. Attorney Damian Williams for the Southern District of New York emphasized the national security implications of cyber intrusion schemes. He praised the efforts of law enforcement partners and career prosecutors in employing innovative technologies and investigative measures to track down these cybercriminals.

According to court documents, the defendants, along with other conspirators, participated in a hacking organization that executed a multi-year campaign of computer intrusions. The group primarily targeted cleared defense contractors, as well as a New York-based accounting firm and a hospitality company.

The indictment reveals that the cyber campaign relied on techniques such as spearphishing, social engineering, and the creation and use of a particular computer application to organize and deploy attacks. The conspirators compromised administrator email accounts, gaining unauthorized access to a defense contractor's system and using it to initiate additional spearphishing campaigns.

Reza Kazemifar, one of the defendants, played a crucial role in testing tools used in the cyber campaigns. He also worked for the Iranian Organization for Electronic Warfare and Cyber Defense (EWCD), a component of the Iranian Revolutionary Guard Corps (IRGC). The IRGC, designated as a foreign terrorist organization by the United States, is responsible for Iran's offensive cyber capabilities.

Hossein Harooni, another defendant, was responsible for procuring and managing the online network infrastructure used in the intrusions. He used the identity of an individual (Individual-1) to conceal his involvement.

The defendants face charges of conspiracy to commit computer fraud, conspiracy to commit wire fraud, wire fraud, aggravated identity theft, and knowingly damaging a protected computer. If convicted, they could face prison sentences ranging from five to 20 years.

The FBI Cyber Division is leading the investigation, and the case is being prosecuted by Assistant U.S. Attorneys from the Southern District of New York, with assistance from the National Security Division's National Security Cyber Section.

The unsealing of this indictment and the announcement of the reward demonstrate the U.S. government's commitment to countering cyber threats and holding those responsible accountable for their actions.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
