Spear-Phishing and Brute Force Hacking Compromises US Agencies and Businesses

Jeremy Nation
METACERT
Mar 27, 2018

Summary: A four-year campaign by nine Iranian hackers affected thousands of systems and resulted in data breaches from sensitive sources in government agencies.

According to the US Department of Justice, nine Iranians stole data from government agencies, universities, and private businesses.

A statement from the FBI’s internal news periodical indicates that the hackers committed the data theft under orders from the Iranian government and were affiliated with a known malicious organization, the Iran-based Mabna Institute, which has radical Muslim ties and is dedicated to hacking outside the country. Among the agencies affected by the breach were the Department of Labor as well as the Federal Energy Regulatory Commission.

At a March 23rd press conference, FBI Deputy Director David Bowdich described how, over the course of four years, hackers “compromised approximately 144 U.S.-based universities and 176 foreign universities in 21 countries.” Victims were notified by the FBI once the agency became aware of the attacks “so they could take action to minimize the impact.” Afterwards, the FBI “took action to find and stop these hackers.”

Among the methods used by the hackers were spear-phishing techniques: targeted emails that include personal details gathered from public records. After doing a little homework on a target, a hacker can craft an email designed to fool its recipient into believing there is an issue with one of their accounts, forwarding them to a phishing site that passes their credentials on to a nefarious individual or group. Such was the case for over 50 compromised computer systems belonging to local and foreign private-sector companies spread throughout Hawaii, Indiana, and the greater US.

Hackers also collected data from public sources, and used “brute force”-style guesswork to untangle passwords, often trying commonly used default ones, like “Administrator” or the classic “password123.” According to an agent familiar with the case, this tactic is so unrefined that it often slips under the radar of security measures.
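The low-and-slow guessing described above leaves a signature in authentication logs: many failures from one source, spread across many different accounts, sometimes followed by a success. The following is an added example from the editor, not code from the article, METACERT, or the FBI. It assumes a simple, constructed log format (`timestamp auth FAILED|SUCCESS user=... src=...`), a constructed denylist of default passwords, and thresholds that a defender would tune for their own environment.

```python
"""Flag brute-force / default-credential login activity in auth logs.

Added example, not part of the original article. The log format, field
names, sample lines, denylist and thresholds are all assumptions made for
this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: one source hammers five different accounts,
# then lands a login on "guest"; a second source is an ordinary user typo.
SAMPLE_LOG = """\
2018-03-20T08:00:01 auth FAILED user=administrator src=203.0.113.5
2018-03-20T08:00:03 auth FAILED user=admin src=203.0.113.5
2018-03-20T08:00:05 auth FAILED user=jsmith src=203.0.113.5
2018-03-20T08:00:07 auth FAILED user=root src=203.0.113.5
2018-03-20T08:00:09 auth FAILED user=guest src=203.0.113.5
2018-03-20T08:00:11 auth SUCCESS user=guest src=203.0.113.5
2018-03-20T08:05:00 auth FAILED user=alee src=198.51.100.7
2018-03-20T08:30:00 auth SUCCESS user=alee src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed denylist for a password-policy check; a real deployment would
# use a much larger breached/default-password list.
DEFAULT_PASSWORDS = {"administrator", "password", "password123", "admin",
                     "123456", "changeme"}


def parse_log(text):
    """Parse lines matching the assumed format into event dicts; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def find_brute_force_sources(events, window=timedelta(minutes=10), max_failures=4):
    """Return {src: {"failures": n, "users": k}} for sources whose failed
    logins exceed max_failures inside any sliding window of the given size.
    "users" counts distinct accounts tried, which separates password
    spraying from a single user mistyping their own password."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAILED":
            by_src[e["src"]].append((e["ts"], e["user"]))

    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count > max_failures:
                users = {u for _, u in attempts[start:end + 1]}
                prev = flagged.get(src, {"failures": 0, "users": 0})
                flagged[src] = {
                    "failures": max(prev["failures"], count),
                    "users": max(prev["users"], len(users)),
                }
    return flagged


def find_success_after_failures(events, min_failures=3):
    """Return (src, user) pairs for successful logins that follow at least
    min_failures failed attempts from the same source: the guess that landed."""
    failures = defaultdict(int)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "FAILED":
            failures[e["src"]] += 1
        elif failures[e["src"]] >= min_failures:
            hits.append((e["src"], e["user"]))
    return hits


def is_default_password(candidate):
    """Policy check: reject passwords on the default/weak denylist."""
    return candidate.strip().lower() in DEFAULT_PASSWORDS


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("brute-force sources:", find_brute_force_sources(evts))
    print("successes after failures:", find_success_after_failures(evts))
    print("'Password123' allowed?", not is_default_password("Password123"))
```

On the sample above the first source is flagged with five failures across five distinct accounts inside the window, and its eventual `guest` login is reported as a success following failures; the second source, with a single failure, is not flagged. The distinct-user count is the key signal for the tactic in the article: a handful of guesses per account across many accounts stays under a per-account lockout threshold, but not under a per-source one.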

Formerly sealed indictments revealed that over 30 terabytes of academic data and intellectual property fell into the hands of the hackers, roughly three times the holdings of the Library of Congress.

Of 100,000 professorial accounts targeted by the Mabna Institute, 8,000 were compromised, and it is estimated that the data stolen by the hackers cost facilities of higher education around $3.4 billion to procure in the first place. The hackers simply waltzed away with that information without paying.

For now, agents determined to bring the culprits of the hacking incidents to justice have a challenge ahead of them, but Bowdich maintains, “it’s not impossible.” When the suspects travel abroad, enforcement officers will be lying in wait and keeping pressure on the Mabna Institute.

“Where we can’t apprehend these individuals quickly we will resort to different methods — naming and shaming, sanctions, and a lot of publicity. We will keep at it, because the FBI and our partners at the Department of Justice have a very long memory.”
