WASHINGTON — The Justice Department said on Wednesday that it had charged three Iranians in a wide-ranging hacking campaign across the world that targeted local governments, public utilities and nonprofit institutions, including a domestic violence shelter and a children’s hospital.
According to an indictment unsealed in New Jersey, the men, who remain at large in Iran, breached the computers of hundreds of people in the United States, Israel, Russia and Britain. They demanded ransom in Bitcoin after deploying malware to block access to networks or to steal data and threatening to sell or make public sensitive information if their victims did not pay up, officials at the Justice Department and the F.B.I. said on Wednesday.
The State Department, which is offering a $10 million reward for information leading to their capture, said that those charged worked for tech companies linked to the Islamic Revolutionary Guards Corps, a powerful branch of Iran’s military.
The cyberattacks were not directed by the Iranian government, which is in the middle of tense negotiations over its nuclear program, senior law enforcement officials told reporters. In fact, the men tried to extort ransom from Iranian businesses.
Nonetheless, Biden administration officials emphasized that Iran’s unwillingness to crack down on cybercrime within its borders, especially ransomware attacks, along with its history of hacking foreign adversaries, made it easier for the men to operate with relative impunity.
“The government of Iran has created a safe haven where cybercriminals acting for personal gain flourish and defendants like these are able to hack and extort victims, including critical infrastructure providers,” said Matthew G. Olsen, the assistant attorney general of the Justice Department’s national security division.
The men, Mansour Ahmadi, Ahman Khatibi Aghda and Amir Hossein Nickaein Ravari, were indicted on conspiracy to commit fraud using a computer and other cyberextortion charges. The scheme, which began in 2020, is believed to still be underway.
The men remain at large in Iran, and prosecutors said they were highly unlikely to face trial in the United States. Officials said they hoped that by exposing the group, they might prevent future attacks. They also released an advisory providing details of the vulnerabilities the hackers exploited, including in the Microsoft Exchange email program.
In a joint move with several U.S. agencies, the State Department announced that it was penalizing 10 Iranians, including the three men, along with two entities for “conducting malicious cyberacts, including ransomware activity,” according to a statement.
All of those named were current or former employees of Najee Technology and the Afkar System Yazd Company, which the State Department has linked to the Revolutionary Guards.
It is not clear how much ransom money the men extracted, but some demands were paid, officials said. Prosecutors believe that the targets of the cyberattacks, identified only by location and a general description of their operations, were selected for no other reason than their systems were known to have vulnerabilities.
In several cases, the men hacked into computer systems; encrypted data using BitLocker, a commercially available software program used to protect information; then demanded payment in exchange for the data, the court filing said.
Victims included a township in Union County, N.J.; a construction business working on critical infrastructure projects and a public housing authority, both in Washington State; accounting firms in Illinois and New Jersey; a county government in Wyoming; and a domestic violence shelter in Pennsylvania.
Two electric power utilities, in Mississippi and Indiana, were also breached, but the intrusion did not affect their operations or cause any power disruptions, officials said.
In February 2021, the men targeted a township in Union County, gained control of its computer network, stole data and employed a hacking tool to set up remote access using a domain registered to Mr. Ahmadi, court documents showed.
In June 2021, the group gained access to the computer network at a children’s hospital, created unauthorized accounts, stole data and tried to encrypt information. Once alerted to the breach, administrators were able to repel the attack without any effect on patient care or medical services.
Last December, the hackers froze access to data at the domestic violence shelter, then ordered the printers to spit out a ransom note that read: “Hi. Do not take any action for recovery. Your files may be corrupted and not recoverable.”
The shelter’s operators quickly agreed to pay Mr. Khatibi Aghda one Bitcoin, then worth $13,000.
They deposited it to his Bitcoin wallet and he freed up their files, prosecutors said.
Edward Wong contributed reporting.