OFAC Imposes Additional Iranian Sanctions, List Includes Entities Involved in DDoS Attacks Against U.S. Financial Institutions
On September 14, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced it was imposing sanctions on 11 entities and individuals for supporting designated Iranian actors or for conducting malicious cyberattacks, including engaging in a series of distributed denial of service (DDoS) attacks against approximately 46 U.S. financial institutions. As reported in an indictment delivered by a federal grand jury in the Southern District of New York (see March 24, 2016 DOJ press release), the DDoS attacks—allegedly conducted by seven Iranian individuals between December 2011 and mid-2013—denied customers access to online bank accounts and collectively cost the affected financial institutions “tens of millions of dollars in remediation costs as they worked to neutralize and mitigate the attacks on their [computer] servers.” During a DDoS attack, a “malicious actor” gains remote control of a server through the installation of malicious software. Once compromised, the “malicious actor” can collect hundreds or thousands of these compromised devices (collectively known as a “botnet”), and, once control is achieved, will “direct the computers or servers comprising the botnet to carry out computer network attack[s] and computer network exploitation activity.” Three of the seven sanctioned individuals worked for a company that was added to OFAC’s updated SDN list on September 14 and oversaw a network of compromised computers that powered DDoS attacks. The other four individuals operated a second DDoS botnet on behalf of a different company listed on OFAC’s non-SDN list. Both Iranian-based private computer security companies perform work on behalf of the Iranian Government, including Iran’s Islamic Revolutionary Guard Corps. Pursuant to E.O. 13694, U.S. persons are prohibited from dealing with the designated entities and individuals, and “foreign financial institutions that facilitate significant transactions for, or persons that provide material or certain other support to, the entities and individuals designated today risk exposure to sanctions that could sever their access to the U.S. financial system or block their property and interests in property under U.S. jurisdiction.”
In addition, pursuant to E.O. 13382, OFAC sanctioned an Iranian-based engineering company for engaging in activities related to Iran’s ballistic missile program, which include providing “ financial, material, technological, or other support for, or goods or services in support of, the [Islamic Revolutionary Guard Corps].” Two Ukrainian-based companies were also sanctioned pursuant to E.O. 13224 for assisting previously sanctioned Iranian and Iraqi airlines in obtaining U.S.-origin aircraft, as well as crew and services.