Feds indict two hackers in Iran for cyber attacks on Atlanta, entities in U.S., Canada

By David Pendered

The cyber attack that crippled the City of Atlanta starting in March was part of a assault on more than 200 public entities in the United States and Canada conducted by two men based in Iran who demanded payment in Bitcoins in exchange for keys to unlock ransomware they had installed in victims’ computer systems, according to a federal indictment released Wednesday in New Jersey.

samsam attack locations, atlanta

Georgia is among the states that were attacked more than six times by the ransomware allegedly created and installed by two men operating inside Iran, according to a federal indictment. Credit: justice.gov

Atlanta Mayor Keisha Lance Bottoms released the following statement Wednesday afternoon:

  • “The City of Atlanta is aware of the U.S. Department of Justice’s indictment related to the March cyber-attack against the City. We are grateful for all our federal partners who have assisted with identifying the perpetrators and bringing them to justice. The Administration remains committed to ensuring the ongoing safety and security of the City’s cyber-infrastructure, as well as that of the people of Atlanta.”

Prosecutors did not cite any local law enforcement agencies in the United States for working on the case. Agencies that were cited include the Justice Department, two British agencies, and Canada’s Calgary Police Service and Royal Canadian Mounted Police, according to remarks prepared for delivery by Assistant Attorney General Brian A. Benczkowski.

Atlanta was of two major cities that were targeted in the scheme, according to remarks prepared for delivery by Deputy Attorney General Rod J. Rosenstein:

  • “The victims included two major municipalities – the City of Atlanta, Georgia and the City of Newark, New Jersey.  The defendants also sought to interrupt critical transportation infrastructure by infiltrating the Port of San Diego, California, and the Colorado Department of Transportation.”

Atlanta did not pay a ransom and the attack was estimated to cost the city up to $17 million.

atlanta cyber attack, indictment

Deputy Attorney General Rod Rosenstein (at podium) and other federal officials released Wednesday a federal indictment of two men charged in a ransomware attack on more than 200 public entitites in the United States and Canada. Credit: justice.gov

Rosenstein said the defendants focused on public entities because, “they knew that shutting down those computer systems could cause significant harm to innocent victims.”

Their scheme involved installing the malware and demanding payment to provide decryption keys needed to unlocked the computers, and a threat to delete the decryption keys if the ransom demand was not paid, according to the indictment that was filed Monday and the subject of a briefing Wednesday.

The two defendants have not been arrested and now are fugitives. The FBI’s executive assistant director, Amy Hess, said in a statement the indictment shows the U.S. district attorney’s office in New Jersey will pursue such criminals, “no matter where in the world they may seek to hide.”

The indictment charges Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, both of Iran.

Charges include:

  • Conspiracy to commit fraud and related activity in connection with computers;
  • Conspiracy to commit wire fraud;
  • Intentional damage to a protected computer;
  • Transmitting a demand in relation to damaging a protected computer.

The two men allegedly conducted a 34-month-long international computer hacking and extortion scheme involving a malware they wrote. The “SamSam Ransomware,” was capable of forcibly encrypting data on the computers of victims, according to a statement by the Justice Department.

The hackers first created SamSam in December 2015 and created updates in June and October 2017, according to a statement. To commit their attacks, the two hackers used Bitcoin exchangers in Iran, and also overseas computer infrastructures, according to the statement.


wanted poster, cyber attack

The FBI issued this wanted poster for two men who allegedly installed ransomware in the City of Atlanta’s computer system and more than 200 other public entities in the United States and Canada. Credit: fbi.gov


David Pendered, Managing Editor, is an Atlanta journalist with more than 30 years experience reporting on the region’s urban affairs, from Atlanta City Hall to the state Capitol. Since 2008, he has written for print and digital publications, and advised on media and governmental affairs. Previously, he spent more than 26 years with The Atlanta Journal-Constitution and won awards for his coverage of schools and urban development. David graduated from North Carolina State University and was a Western Knight Center Fellow. David was born in Pennsylvania, grew up in North Carolina and is married to a fifth-generation Atlantan.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.