U.S. Charges Seven Iranians With Cyber Attacks on Top Banks
Indictment reflects new strategy targeting nation-state hackers
by JOSEPH COX
This article originally appeared at Motherboard.
On Thursday, the Department of Justice unsealed an indictment against seven Iranians, charging them with a slew of hacking offenses against U.S. banks, companies and other targets. The individuals were allegedly contracted by the Iranian government.
One of the attacks mentioned in the indictment is the breach of systems at the small Bowman Avenue Dam in Rye Brook, New York in 2013. But the indictment describes a longer episode of activity, which allegedly lasted for 176 days and hit 46 financial institutions, including Bank of America, Capital One and the New York Stock Exchange; some of the hackers also targeted AT&T.
The legal move has been described by officials as part of the U.S.’s new strategy of pursuing and charging nation-state hackers.
“In a new approach, we have unleashed prosecutors and FBI agents against national security cyber threats,” Assistant Attorney General John P. Carlin said during a press conference.
The individuals indicted for conspiracy to commit computer hacking were Ahmad Fathi, Hamid Firoozi, Amin Shokohi, Sadegh Ahmadzadegan, Omid Ghaffarinia, Sina Keisser and Nader Saedi. Firoozi was also indicted for unauthorized access to a protected computer.
These individuals were employees of ITSec Team and Mersad Co., private companies based in Iran that the indictment claims worked on behalf of the government, including the Islamic Revolutionary Guard Corps.
The crimes include the “large scale and coordinated” denial-of-service attacks between December 2011 and 2013 against the U.S. financial sector, Attorney General Loretta Lynch said during a press conference. Those affected included Bank of America, American Express, Bank of Monteral, NASDAQ, JP Morgan, Chase Bank, Citibank, HSBC, Wells Fargo, the New York Stock Exchange, Capital One and ING, according to the indictment. Lynch claimed that the attacks cost these companies tens of millions of dollars.
“Victims’ computer servers were hit with as much as approximately 140 Gigabits of data per second which, depending on the victim institution, was up to as much as three times the entire operating capacity of a victim institution’s servers,” the indictment reads.
To make their botnet, employees of ITSec scanned the internet for systems running popular website content management software, and which were vulnerable to known security issues, the indictment reads. From here, the hackers gained access to thousands of computers, and installed malware created by Shokohi, allowing the group to launch large DDoS attacks.
Mersad, the other alleged front company, was born in 2011 by members of the Iran-based hacking groups Sun Army and Ashiyane Digital Security Team, which have publicly claimed carrying out attacks on U.S. government systems such as NASA, the indictment claims.
Lynch said, “We will not allow any individual, group or nation to sabotage American financial institutions or undermine the integrity of fair competition in the operation of the free market.”
The indictment also included the Bowman Avenue Dam incident, in which a hacker remotely gained access to an online control system, according to the Wall Street Journal. That attack was not particularly sophisticated, however, but according to that report, it still alarmed U.S. officials.
Firoozi, according to the indictment, “repeatedly obtained unauthorized remote access to a computer which controlled the supervisory control and data acquisition (‘SCADA’) system for the Bowman Dam.” This access supposedly allowed Firoozi to see information about the dam’s water levels and temperature, the status of the sluice gate, which is responsible for controlling flow rates and water levels, the indictment reads.
Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door
“Although access to the SCADA system typically would have also permitted [Firoozi] to remotely operate and manipulate the sluice gate on the Bowman Dam, unbeknownst to [Firoozi], the sluice gate control had been manually disconnected for maintenance issues prior to the time [Firoozi] gained access to the systems,” according to the indictment.
These charges are the latest in the growing trend of U.S. officials publicly pursuing hackers affiliated with nation states. In 2014, the U.S. charged five suspected Chinese military hackers with espionage, and the FBI blamed North Korea for the catastrophic hack of Sony Pictures. Earlier this week, the U.S. charged three suspected members of the Syrian Electronic Army, a pro-Assad hacking group, and placed two of them on the FBI’s most wanted list.
A Reuters report on Wednesday anticipated the Department of Justice’s announcement, relying on anonymous sources.
“This case is a reminder of the seriousness of cyber threats to our national security, and these public criminal charges represent a groundbreaking step forward in addressing that threat,” Lynch said.
Of course, Iran is not the only country allegedly targeting foreign nations with cyberattacks.
A prolonged series of U.S.-led cyberattacks on Iranian civilian infrastructure was recently revealed in the documentary Zero Days. The operation, dubbed Nitro Zeus, targeted power plants, transportation and air defenses. Part of that included the infamous Stuxnet worm, which infected an Iranian nuclear facility. (The National Security Agency recently rejected a Freedom of Information request from Motherboard for documents related to the operation.)
However, the fact that the U.S. has participated in attacks of its own hasn’t deterred the approach of publicly naming and shaming suspected hackers from other nations.