This is a story about how actions in the physical world are connected to actions in the cyber world.
In January 2020, the United States took military action against the Islamic Revolutionary Guard Corps (IRGC) Quds Force, a U.S.-designated foreign terrorist organization. These actions resulted in the killing of their leader, Qasem Soleimani.
In response to this, two cybercriminals wanted to send the U.S. a message. Behzad Mohammadzadeh, a 19-year-old national of the Islamic Republic of Iran, and his counterpart Marwan Abusrour, a 25-year-old stateless national of the Palestinian Authority, have been indicted on one count of conspiring to commit intentional damage to a protected computer and one count of intentionally damaging a protected computer.
Cybercrimes committed against the United States
The pair of cybercriminals allegedly started working together around December 26, 2019, when Abusrour began providing Mohammadzadeh with access to compromised websites. Only one week later, on January 2, the U.S. announced that the military had "taken decisive defensive action to protect U.S. personnel abroad" and that the "strike was aimed at deterring future Iranian attack plans."
The U.S. Department of Justice says this is what the two suspects did in response to the attack:
"Mohammadzadeh allegedly transmitted computer code to approximately 51 websites hosted in the United States, and defaced those websites by replacing their content with pictures of the late General Soleimani against a background of the Iranian flag along with the message, in English, 'Down with America,' and other text.
No later than Jan. 7, 2020, Abusrour provided Mohammadzadeh with access to at least seven websites, which they defaced with a similar image and text. The defendants took credit online for their website defacements."
The U.S. does not take crimes like this lightly: significant punishments await the two of them if they ever leave their home countries.
"The charge of conspiring to commit intentional damage to a protected computer provides for a sentence of up to five years in prison, three years of supervised release and a fine of $250,000 or twice the gain or loss, whichever is greatest. The charge of intentionally damaging a protected computer provides for a sentence of up to 10 years in prison, three years of supervised release and a fine of $250,000 or twice the gain or loss, whichever is greatest. Sentences are imposed by a federal district court judge based upon the U.S. Sentencing Guidelines and other statutory factors."
Trends in cybercrime follow geopolitical events
SecureWorld interviewed research scientist Kenneth Geers at our Chicago cybersecurity conference. Geers tracked sudden spikes of malware that followed President Donald Trump around the globe, along with similar spikes that followed former U.S. Secretary of State Rex Tillerson.
He observed malware spikes following a war of words between President Trump and North Korea, when Kim Jong-Un launched missiles over Japan. Here is what Geers had to say on the matter:
"Malware is super dynamic, it's changing all the time, but it is a reflection of human affairs.... In the case of North Korea, I dropped it (the malware spike) on a timeline and then there was one huge spike in the middle of the year and literally, it was the day after Donald Trump was at the UN threatening to destroy North Korea.... And one of the things I found is that the single highest day for malware detection in North Korea was the very day that Donald Trump was in South Korea. Those are not coincidences."
There are a variety of reasons why cybercrime spikes around geopolitical events. Triggers include visits by world leaders, controversial statements, or actions that draw attention to a particular place, such as the killing of Soleimani.
Geers also has a theory that reconnaissance plays a role in each spike.
"My basic hypothesis in this kind of geopolitical analysis is that we're looking at cyber espionage. When there's a really big event like a North Korean missile launch over Japan, there's at least a dozen intelligence services that are very interested in gathering information very quickly on what's happening."
He shared more of his thoughts in our interview.
Knowing that malware rates spike around geopolitical events, your security team should be prepared whenever a major event touches your region of the world.