Iranian Hackers Indicted for Port of San Diego Cyberattack

A federal grand jury in New Jersey has indicted two Iranian hackers for using ransomware to extort money from American organizations. Among many other offenses, the men are accused of conducting the cyberattack on the Port of San Diego on September 25.

“The Iranian defendants allegedly used hacking and malware to cause more than $30 million in losses to more than 200 victims,” said U.S. Deputy Attorney General Rod Rosenstein in a statement. “The criminal activity harmed state agencies, city governments, hospitals, and countless innocent victims.”

According to the indictment, Iranian nationals Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri (left), 27, wrote a malware program called SamSam Ransomware, which is capable of encrypting data stored on a victim's computer systems. Over the course of nearly three years, the two men allegedly hacked into the IT networks of hundreds of institutions and organizations in order to install SamSam.

Once inside the victim's network, they would use the program to encrypt valuable data, then demand a ransom payment in Bitcoin in exchange for the decryption key. The indictment alleges that Savandi and Mansouri have collected over $6 million in ransom payments to date.

The hackers allegedly attacked more than 200 targets, including hospitals, health care companies, municipalities and public institutions. The Port of San Diego was the most recent victim, and others included the City of Atlanta; the City of Newark; the Colorado Department of Transportation; the University of Calgary; Hollywood Presbyterian Medical Center in Los Angeles; Kansas Heart Hospital in Wichita; LabCorp; MedStar Health; OrthoNebraska Hospital in Omaha; and Allscripts Healthcare Solutions in Chicago, Illinois.

U.S. Attorney for the District of New Jersey Craig Carpenito alleged that the hackers targeted governmental and healthcare organizations because of the victims' public service orientation: since they use their IT systems to serve people in need, they might pay a ransom quickly in order to restore operations. Carpenito accused Savandi and Mansouri of "cravenly taking advantage of the fact that these victims depend on their computer networks to serve the public, the sick, and the injured without interruption."

The two men allegedly used a sophisticated approach to their attacks. They would research their targets online and scan for computer network vulnerabilities. When they struck, they would time the attack for night-time hours, when the victims would be least capable of mounting a defense, and would disguise their intrusions as normal network activity. They allegedly deployed an anonymized browsing and traffic routing service in an attempt to hide their tracks. 

Savandi and Mansouri face two conspiracy charges, two counts of intentional damage to a protected computer and two counts of transmitting a demand in relation to damaging a protected computer. As both men reside in Iran, which has cold relations with the United States, they are unlikely to face extradition and prosecution in the U.S. They have not reportedly been arrested.  

According to the Port of San Diego, no data loss occurred as a result of the attack because the port's IT team had backups in place. The hack took down non-critical administrative systems for a brief period, and did not affect commercial port operations. The port did not pay the ransom demand. 

“We applaud the U.S. Department of Justice and the FBI for conducting this complex and sophisticated investigation,” said port CEO Randa J. Coniglio in a statement. “We are very pleased to see these enforcement efforts against international computer hacking and extortion scammers.”