Iranian hacking spree hit hospitals and other entities in 43 U.S. states
WASHINGTON — Two Iranian hackers charged Wednesday in a federal indictment were accused of attacking the computer networks of hospitals and other targets in 43 states, a broad criminal extortion campaign that walloped a heart hospital in Kansas and disrupted one of the nation’s largest diagnostic blood testing companies in North Carolina.
Federal prosecutors said the three-year cybercrime spree caused tens of millions of dollars in damage from coast to coast. It marked the first U.S. indictment against foreign hackers engaged in a for-profit ransomware and extortion scheme.
The two hackers developed unique tools to hold U.S. computer networks hostage from Iran, prosecutors said. The two Iranians, Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, remain at large, presumably in their homeland, officials said.
Assistant Attorney General Brian A. Benczkowski sidestepped a question about whether Iran’s government sponsored the two, saying only that the indictment contains no such allegation.
The three-year ransomware campaign hit at least 200 victims in the United States, collecting more than $6 million in extortion payments and causing more than $30 million in losses, Deputy Attorney General Rod J. Rosenstein said.
Ransomware is computer code that encrypts targeted systems and cripples networks until victims pay a ransom, usually in a digital currency like bitcoin.
The Iranian ransomware, called SamSam, has been in use since early 2016.
In one of the Iranian team’s first alleged actions in 2016, it hit the computers of the 54-bed Kansas Heart Hospital in Wichita, which provides specialized cardiovascular care for patients throughout Kansas and northern Oklahoma.
Press reports at the time said Kansas Heart Hospital paid an undisclosed ransom, then faced new demands from the hackers. Hospital spokeswoman Joyce Heismeyer could not be reached immediately.
The hackers breached the networks of at least six health care-related entities, including Hollywood Presbyterian Hospital of Los Angeles and MedStar Health of Columbia, Md.
Other targets of the Iranians’ campaign included the networks of the cities of Atlanta (encrypted in March) and Newark, N.J. (April 2017), the Colorado Department of Transportation (Feb. 19, 2018) and the Port of San Diego (Sept. 25, 2018).
Officials said the hackers were as intent on creating disruption and inflicting physical harm as on collecting ransom, deliberately targeting health care facilities and hospitals.