U.S. Indicts Iranians for Hacking Many Banks & New York Bowman Dam

On Thursday March 24 2016, the US Department of Justice indicted seven hackers associated with the Iranian government, making history for the first time where the USA has charged state-sponsored individuals with hacking to disrupt important US industry networks.
The crimes include attacking U.S. banking websites between 2011 to May 2013 and also breaking into a computer system at Bowman Dam in Rye Brook, Westchester County, NY in a possible attempt to disrupt the operation of the dam.

The attackers have been charged with conspiracy to commit and aid and abet computer hacking for their roles in hacks of the U.S financial sector on more than 176 days.

According to the indictment, all seven men were working for two Iranian computer security companies — ITSecTeam and MERSAD Co. — on behalf of the Iranian Revolutionary Guard Corps (IRGC), a branch of the Iranian military established to defend the country’s Islamic system and promote its ideology.

The indictment alleges that the suspects caused DDoS attacks to crash the sites of 46 U.S. financial institutions. At one point, the attacks happened almost weekly and affected many major institutions. The indictment alleges such actions left hundreds of thousands of customers unable to access online bank accounts.

The seven identified hackers (see photo above),range in ages from 23 to 37 are:

Ahmad Fathi (37)
Hamid Firoozi (34)
Amin Shokohi (25)
Sadegh Ahmadzadegan (23)
Omid Ghaffarinia (25)
Sina Keissar (25) and
Nader Seidi (26)

Hamid Firoozi is charged alone for hacking the dam. Amin Shokohi allegedly received credit from the Iranian government toward his mandatory military service for his work in the attacks.

The affected institutions and businesses included:

  • Bank of America
  • Nasdaq
  • New York Stock Exchange (NYSE)
  • Capital One
  • AT&T
  • PNC

U.S. Attorney General Loretta E. Lynch said the attacks caused tens of millions of $USD in losses.

Sadegh Ahmadzadegan and Omid Ghaffarinia also claimed responsibility for hacking into NASA servers and defacing NASA websites, and Firoozi obtained access to a computer control system for the Bowman Avenue Dam. That access would have allegedly allowed Hamid Firoozi to operate and manipulate a gate on the dam. The attack by Hamid Firoozi took place between August 28 2013 and Sept 18 2013.
He was able to access information related to the status and operation of the dam and the status of the sluice gate—responsible for controlling water levels and flow rates.
However, at the time of the hacks the Bowman Dam sluice gate had been manually disconnected for maintenance.

Wrong target/dry run?

Mayor Paul Rosenberg in the village of Rye Brook, NY has theories why the sluice-gate small Bowman dam had been targeted by the Iranians.
One theory is that Iranian hackers had confused the dam with another dam named Bowman — the Arthur R. Bowman Dam on the Crooked River in Oregon. That dam is 245 feet tall and 800 feet long and is used to irrigate many local farms.
Mayor Rosenberg also thought the hackers had gone after the Rye Brook dam as a dry run for a more disruptive invasion such as, for example a major hydroelectric generator or some other part of the USA’s critical power grid.

Reasons, Iranian & Russian Collaboration

The reasons for the DDoS attacks by Iran are probably in response to strong economic sanctions by the USA and Europe in attempts to make Iran stop its nuclear activities.

The IRGC operates in the cyberspace using front companies, which allows the IRGC to circumvent Western law & give them some anonymity.

The Iranian state may be receiving help from Russian hackers affiliated with the Kremlin, which involves writing code or providing malware tools they can adapt.

Iran has previously been suspected in hacking attempts. A Wall Street Journal report linked the IRGC to similar hacking and phishing attempts targeting the email and social-media accounts of President Obama’s administration officials.


The indictment can be read here


Powerful Iran? Iranian Twitter Bots #FAIL

The Iranians appear to be engaged in a strange soft-war propaganda campaign projecting to a Western audience using the hashtag, “Powerful_Iran” (#powerful_iran)

Multiple fake Twitter accounts have been publishing content from accounts with English names and profile photographs of Hollywood celebrities. The tweets have photographs of Iranian military equipment and cover a range of countries, media outlets, political slogans and other issues.

All of the tweeted photos have a logo of a dove with a rifle on its back showing the Iranian flag. They also include a caption using the “Powerful Iran” hashtag in English, Arabic and Persian.  Many of the tweets have images which vainly state that, “Islamic Republic of Iran is an international power” If you say so…

Here are some of the obviously fake Twitter accounts (seems that these 16 accounts are sending most of the tweets):

@daniel_mathew12 (created:12/15/2015)
@coreenwright3 (created: 12/26/2015)
@brianrauscher3 (created: 12/15/2015)
@harrisonangela5 (created: 12/15/2015)
@Williams2070 (created: 12/27/2015)
@daisybailey01 (created: 12/27/2015)
@EthelBell2016 (created: 12/26/2015)
@charlesmeyer201 (created: 12/26/2015)
@agustinarobbin1 (created: 12/27/2015)
@thomasanaya3 (created: 12/26/2015)
@Halina1321 (created: 12/13/2015)
@Peggy_Seitz (created: 12/26/2015)
@stefan_witcher (created: 12/26/2015)
@TillieMedeiros (created: 12/26/2015)
@shahab945 (created: 08/05/2015)
@pablofisher1990 (created: 12/22/2015)

The profiles are fake because:

  1. They have clearly mostly been created around the same time.
  2. They replay the same content between profiles.
  3. They don’t tweet about much else!
  4. They have a lot of followers & tweets in a short time.
  5. They use images of celebrities, obviously!

Similarities to Letter4u

Last year, the hashtag “Letter4u” was used by many bot-like accounts following the release of an open letter by Iran’s supreme leader addressed to Western youth and the “Powerful_Iran” shows similarities to that campaign: “Letter4u” was also launched by an army of bots using photos of celebrities and also used a similar range of random hashtags. The themes of the tweets coincides with the predictable goals of the Iranian state, that is to destroy Israel and shut down traffic in the Persian Gulf, suggestions that Israel and Saudi Arabia are working together, & that Iran is a major global military country.

While it’s not entirely clear who is behind the “Powerful_Iran” campaign, but it gained traction following the nuclear agreement between the West & Iran.


John Little, author of Blogs of War states that, “…the campaign is a miserable failure. Almost all of the tweets have gone unnoticed and have no retweets or favourites. The few interactions that I can find also appear to be faked by other bots”.   


You can follow the Twitter & Telegram accounts for: @powerful_iran