On Thursday, March 24, 2016, the US Department of Justice indicted seven hackers associated with the Iranian government, marking the first time the USA has charged state-sponsored individuals with hacking intended to disrupt important US industry networks.
The crimes include attacking U.S. banking websites between 2011 and May 2013 and also breaking into a computer system at Bowman Dam in Rye Brook, Westchester County, NY, in a possible attempt to disrupt the operation of the dam.
The attackers have been charged with conspiracy to commit, and to aid and abet, computer hacking for their roles in attacks on the U.S. financial sector on more than 176 days.
According to the indictment, all seven men were working for two Iranian computer security companies — ITSecTeam and MERSAD Co. — on behalf of the Iranian Revolutionary Guard Corps (IRGC), a branch of the Iranian military established to defend the country’s Islamic system and promote its ideology.
The indictment alleges that the suspects launched DDoS attacks that crashed the sites of 46 U.S. financial institutions. At one point, the attacks happened almost weekly and affected many major institutions. The indictment alleges that these actions left hundreds of thousands of customers unable to access their online bank accounts.
The seven identified hackers (see photo above), ranging in age from 23 to 37, are:
- Ahmad Fathi (37)
- Hamid Firoozi (34)
- Amin Shokohi (25)
- Sadegh Ahmadzadegan (23)
- Omid Ghaffarinia (25)
- Sina Keissar (25)
- Nader Seidi (26)
Hamid Firoozi alone is charged with hacking the dam. Amin Shokohi allegedly received credit from the Iranian government toward his mandatory military service for his work on the attacks.
The affected institutions and businesses included:
- Bank of America
- New York Stock Exchange (NYSE)
- Capital One
U.S. Attorney General Loretta E. Lynch said the attacks caused tens of millions of US dollars in losses.
Sadegh Ahmadzadegan and Omid Ghaffarinia also claimed responsibility for hacking into NASA servers and defacing NASA websites, and Firoozi obtained access to a computer control system for the Bowman Avenue Dam. That access allegedly would have allowed Hamid Firoozi to operate and manipulate a gate on the dam. The attack by Hamid Firoozi took place between August 28, 2013 and September 18, 2013.
He was able to access information about the status and operation of the dam and the status of the sluice gate, which is responsible for controlling water levels and flow rates.
However, at the time of the hacks the Bowman Dam sluice gate had been manually disconnected for maintenance.
Wrong target/dry run?
Mayor Paul Rosenberg of the village of Rye Brook, NY, has theories about why the small Bowman dam and its sluice gate had been targeted by the Iranians.
One theory is that Iranian hackers had confused the dam with another dam named Bowman — the Arthur R. Bowman Dam on the Crooked River in Oregon. That dam is 245 feet tall and 800 feet long and is used to irrigate many local farms.
Mayor Rosenberg also thought the hackers might have gone after the Rye Brook dam as a dry run for a more disruptive intrusion into, for example, a major hydroelectric generator or some other part of the USA's critical power grid.
Reasons, Iranian & Russian Collaboration
The DDoS attacks by Iran were probably a response to the strong economic sanctions imposed by the USA and Europe in an attempt to make Iran stop its nuclear activities.
The IRGC operates in cyberspace through front companies, which allows it to circumvent Western law and gives it some anonymity.
The Iranian state may be receiving help from Russian hackers affiliated with the Kremlin; this help may involve writing code or providing malware tools that Iran can adapt.
Iran has previously been suspected of hacking attempts. A Wall Street Journal report linked the IRGC to similar hacking and phishing attempts targeting the email and social-media accounts of officials in President Obama's administration.
The indictment can be read here