The Justice Department said Wednesday that three Iranian citizens have been charged in the United States with cyberattacks that targeted power companies, local governments and small businesses and nonprofits, including a domestic violence shelter.
The charges accuse the hacking suspects of targeting hundreds of victims in the U.S. and other countries. Prosecutors said the hackers encrypted and stole data from victims' networks and threatened to release it unless exorbitant ransom payments were made. In some cases, the victims made those payments, the department said.
The hackers are not believed to have been working on behalf of the Iranian government but instead for their own financial gain, and some of the victims were even in Iran, according to a senior Justice Department official who briefed reporters on the case on the condition of anonymity under ground rules set by the department. But the official said the activity exists because hackers are permitted by the Iranian government to largely operate with impunity.
The three accused hackers are thought to be in Iran and have not been arrested, but the Justice Department official said the charges make it "functionally impossible" for them to leave the country.
Get Boston local news, weather forecasts, lifestyle and entertainment stories to your inbox. Sign up for NBC Boston’s newsletters.
The case was filed in federal court in New Jersey, where a municipality in Union County was hacked last year.
One of the victims was a domestic violence shelter in Pennsylvania, which the indictment says was extorted out of $13,000 to recover its hacked data.
In-depth news coverage of the Greater Boston Area.
Discussing the indictments in a video, FBI Director Christopher Wray said the facts outlined by the government highlight the threat such aggressors pose — last year, the prestigious Boston Children's Hospital nearly fell victim to such an attack.
"To these sorts of actors, nothing is off limits, not even, for example, Boston Children's Hospital, which they set their sights on in the summer of 2021," Wray said. "Fortunately, before they could successfully launch their attack, we received a tip from a partner that the hospital had been targeted, and working closely with the hospital, we were able to identify and defeat the threat, protecting both the network and the sick children who depend on it."