The new rules elaborate on what kinds of cyber activities warrant sanctions designation.
The Treasury Department blocked U.S. persons and entities from engaging in property transactions with Iran’s Ministry of Intelligence and Security in response to a recent cyberattack on Albania.
“Iran’s cyber attack against Albania disregards norms of responsible peacetime state behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public,” Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said in a Friday press release announcing the sanctions. “We will not tolerate Iran’s increasingly aggressive cyber activities targeting the United States or our allies and partners.”
U.S. attribution of the July 15 attack to Iran highlighted the classification of the adversary’s targets as critical infrastructure. But a statement from the National Security Council also noted “subsequent hack and leak operations,” which Treasury on Friday said involved “documents purported to be from the Albanian government and personal information associated with Albanian residents.”
In an Aug. 4 blog, cyber intelligence firm Mandiant said it “does not have evidence linking this activity to a named threat actor but assesses with moderate confidence that one or multiple threat actors who have operated in support of Iranian goals are involved.” The post detailed the exploits of a group calling itself “Homeland Justice,” which claimed responsibility for the attack, noting how its actions aligned with the political goals of the current Iranian regime.
Treasury’s announcement Friday noted U.S. and U.K. cybersecurity agencies’ identification of a group called MuddyWater as being in service to Iran’s MOIS.
“MuddyWater is conducting cyber espionage and other malicious cyber operations as part of Iran’s Ministry of Intelligence and Security (MOIS), targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government and oil and natural gas—in Asia, Africa, Europe and North America,” the agencies said in a joint cybersecurity advisory issued in February.
Traditional cyber espionage activities have generally been viewed as fair game by the U.S. But the SolarWinds hack—which U.S. officials characterized as a Russian espionage campaign—spurred U.S. sanctions last April because of what officials said was the potential for large-scale disruption of the mostly private-sector entities that were affected.
On Tuesday, Treasury reissued its rules for designating foreign adversaries for sanctions incurred by efforts to undermine cybersecurity, noting that “the regulations were initially issued in abbreviated form for the purpose of providing immediate guidance to the public.”
“OFAC is amending and reissuing the regulations as a more comprehensive set of regulations that includes additional interpretive guidance and definitions, general licenses and other regulatory provisions that will provide further guidance to the public,” the notice said.
On Friday, in line with the new rules, Treasury said: “The MOIS is being designated today pursuant to E.O. 13694, as amended, for being responsible for, or complicit in, directly or indirectly, cyber-enabled activity that is reasonably likely to result in, or has materially contributed to, a significant threat to the national security of the United States, and that have the purpose or effect of causing a significant disruption to the availability of a computer or network of computers.”
Iran has rejected any link to the attack on Albanian citizen services. A spokesman for its foreign ministry on Thursday “warned against any political adventurism against Iran with these ridiculous excuses and emphasized Iran’s full readiness to deal decisively, immediately and regretfully with any possible conspiracy.”