
3/23/2018
11:30 AM

DoJ Indicts 9 Iranians for Hacking into Hundreds of Universities, FERC, Dept. of Labor, Others

Suspects were operating on behalf of Iranian government and the Iranian Revolutionary Guard, US officials said.

The US Department of Justice today announced the indictment of nine Iranian nationals for stealing more than 31 terabytes of data from over 140 universities, 36 companies, and five government agencies in the US, as well as from victims in 21 other countries, in one of the largest state-sponsored cyberattack campaigns the department has ever prosecuted.

The alleged hackers worked on behalf of the Iranian government's Islamic Revolutionary Guard Corps (IRGC) under the guise of an Iranian company, the Mabna Institute, for which they served as leaders, contractors, associates, or hired hackers. Mabna launched the first attacks in 2013. In addition to the universities (over 140 in the US and 176 in 21 other countries), victims included the US Department of Labor, the Federal Energy Regulatory Commission (FERC), the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children's Fund (UNICEF).

Some 8,000 professors' accounts were compromised. The stolen credentials and email were passed to the IRGC and also sold in Iran through Megapaper.ir and Gigapaper.ir, websites whose customers could use the stolen credentials to access the online library systems of the hacked universities.

The alleged hackers named in the indictment are Gholamreza Rafatnejad, Ehsan Mohammadi, Abdollah Karima aka Vahid Karima, Mostafa Sadeghi, Seyed Ali Mirkarimi, Mohammed Reza Sabahi, Roozbeh Sabahi, Abuzar Gohari Moqadam, and Sajjad Tahmasebi. They were each charged with multiple counts of conspiracy and unauthorized access to a computer, as well as aggravated identity theft. But prosecution depends on actual arrest or extradition to the US. The US does not have an extradition agreement with Iran.

"The numbers alone in this case are staggering, over 300 universities and 47 private sector companies both here in the United States and abroad were targeted to gain unauthorized access to online accounts and steal data. An estimated 30 terabytes was removed from universities’ accounts since this attack began, which is roughly the equivalent of 8 billion double-sided pages of text," said FBI Assistant Director William F. Sweeney Jr. "It is hard to quantify the value on the research and information that was taken from victims but it is estimated to be in the billions of dollars. The nine Iranians indicted today now find themselves wanted by the FBI and our partner law enforcement agencies around the globe – and like other cyber criminals they will soon learn their ability to freely move was just limited to the virtual world only."

According to the indictment, the Mabna Institute was under contract with the Iranian government as well as private entities for the operation, which began with a spear phishing campaign against more than 100,000 professors worldwide. They were able to infiltrate email accounts of some 8,000 of them, mostly in the US, but also in Australia, Canada, China, Denmark, Finland, Germany, Ireland, Israel, Italy, Japan, Malaysia, Netherlands, Norway, Poland, Singapore, South Korea, Spain, Sweden, Switzerland, Turkey, and the UK.

The hackers stole intellectual property from the universities, including academic journals, theses, dissertations, and electronic books.

Other US victims included three academic publishers, two media and entertainment companies, one law firm, 11 technology companies, five consulting firms, four marketing firms, two banking and/or investment firms, two online car sales companies, a healthcare company, an employee benefits company, an industrial machinery company, a biotechnology company, a food and beverage company, and a stock images company.

Those private sector victims were targeted via password spraying: rather than hammering one account with many guesses, the attackers tried a small number of common passwords against a large number of accounts, staying under per-account lockout thresholds while harvesting whatever credentials happened to match.
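
The password-spraying pattern described above leaves a recognizable shape in authentication logs that is the inverse of a brute-force attack: one source, few failures per account, many distinct accounts. The following is an added example written for this page, not code from the indictment, the DoJ, or any victim's tooling. The log line format, the thresholds, the IP addresses and usernames, and the sample log lines are all constructed assumptions for illustration; the brute-force detector is included for contrast, to show which of the two behaviours a per-account lockout policy would actually stop.

```python
"""Detect password spraying (and, for contrast, single-account brute force)
over a constructed authentication log.

Added example; log format, thresholds, addresses, usernames and sample
lines are assumptions for illustration, not real data or a vendor API.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO-8601 timestamp> <src_ip> <username> <LOGIN_OK|LOGIN_FAIL>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")


def _build_sample_log():
    """Constructed sample log (not real data): a spray source, a brute-force
    source, and a benign user who mistypes a password twice."""
    t0 = datetime(2018, 3, 1, 9, 0, 0)
    lines = []
    # Spray: one guess per account against 12 accounts, 15 s apart, from one
    # source; the guess happens to be right for "heidi".
    spray_users = ["alice", "bob", "carol", "dave", "erin", "frank", "grace",
                   "heidi", "ivan", "judy", "mallory", "oscar"]
    for i, user in enumerate(spray_users):
        t = t0 + timedelta(seconds=15 * i)
        result = "LOGIN_OK" if user == "heidi" else "LOGIN_FAIL"
        lines.append(f"{t.isoformat()} 203.0.113.7 {user} {result}")
    # Brute force: ten guesses against a single account from another source.
    for i in range(10):
        t = t0 + timedelta(minutes=1, seconds=2 * i)
        lines.append(f"{t.isoformat()} 198.51.100.9 alice LOGIN_FAIL")
    # Benign: two typos, then a successful login.
    for i, result in enumerate(["LOGIN_FAIL", "LOGIN_FAIL", "LOGIN_OK"]):
        t = t0 + timedelta(minutes=2, seconds=20 * i)
        lines.append(f"{t.isoformat()} 192.0.2.5 bob {result}")
    return "\n".join(lines) + "\n"


SAMPLE_LOG = _build_sample_log()


def parse_log(text):
    """Parse log text into (timestamp, src_ip, user, success) tuples sorted by
    time, skipping malformed lines instead of aborting the whole run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return sorted(events, key=lambda e: e[0])


def detect_sprays(events, window=timedelta(minutes=10), min_accounts=8,
                  max_per_account=2):
    """Flag a source that, inside `window`, failed against at least
    `min_accounts` distinct usernames while trying each at most
    `max_per_account` times. Returns {src_ip: {"accounts", "first_seen",
    "compromised"}}; "compromised" lists accounts that later succeeded from
    the same source, i.e. the credentials the spray actually yielded."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e[3]]
        best = None  # (window start, distinct accounts) of the widest spray window
        start = 0
        for end in range(len(fails)):  # sliding window over this source's failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(e[2] for e in fails[start:end + 1])
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account
                    and (best is None or len(per_user) > best[1])):
                best = (fails[start][0], len(per_user))
        if best:
            first_seen, n = best
            compromised = sorted({e[2] for e in evs if e[3] and e[0] >= first_seen})
            findings[ip] = {"accounts": n, "first_seen": first_seen.isoformat(),
                            "compromised": compromised}
    return findings


def detect_brute_force(events, window=timedelta(minutes=10), min_attempts=5):
    """Flag (src_ip, user) pairs with at least `min_attempts` failures inside
    `window`: the pattern lockout policies stop, and the one a spray avoids."""
    fails = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            fails[(ip, user)].append(ts)
    findings = {}
    for key, times in fails.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_attempts:
                findings[key] = len(times)
                break
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("sprays:", detect_sprays(evs))
    print("brute force:", detect_brute_force(evs))
```

On the constructed log the spray source is the only one flagged by `detect_sprays` (11 failed accounts, with `heidi` reported as the account it yielded), while the brute-force source is caught only by `detect_brute_force` and the benign user by neither. Two caveats when adapting this: grouping by source IP is defeated by an attacker who rotates addresses, so production rules usually also count distinct failed accounts per time bucket across all sources, or group by user agent or ASN; and `max_per_account` must be tuned against the number of passwords the attacker tries per account, since a spray with three guesses per user would slip past the default of two.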

DoJ Deputy Attorney General Rod Rosenstein said in a statement: "The Department of Justice will aggressively investigate and prosecute hostile actors who attempt to profit from America's ideas by infiltrating our computer systems and stealing intellectual property. This case is important because it will disrupt the defendants' hacking operations and deter similar crimes."


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Dr.T, User Rank: Ninja
3/27/2018 | 8:24:04 PM
Re: Universities Have More Intellectual Property than Industry
"Scale of roll out (50,000+ users), cost, and resistance to change (user complexity) all present difficult challenges." That is true; two-factor is not something cheap to implement.
Dr.T, User Rank: Ninja
3/27/2018 | 8:23:05 PM
Re: Universities Have More Intellectual Property than Industry
"Technologies such as multi-factor authentication present defensive strategies as far as phishing is concerned." Two-factor is really good for securing logins; there are other issues once students are in the system.
Dr.T, User Rank: Ninja
3/27/2018 | 8:19:19 PM
Re: Universities Have More Intellectual Property than Industry
"We consistently discover compromised accounts daily." That is the main problem with the students: some of them may be hackers themselves.
Dr.T, User Rank: Ninja
3/27/2018 | 8:13:55 PM
Re: Universities Have More Intellectual Property than Industry
"Security to a large degree is inversely proportional to ease of use." I agree with this; more security means more difficulty getting things done.
Dr.T, User Rank: Ninja
3/27/2018 | 8:11:53 PM
Re: Universities Have More Intellectual Property than Industry
"The challenge to a large degree is how sharp the spear phishing point is." Students are targeted all the time, and that puts university systems at risk.
Dr.T, User Rank: Ninja
3/27/2018 | 8:10:03 PM
Re: Universities Have More Intellectual Property than Industry
"There are so many moving parts in academia, so 'locking down' that traditionally and culturally open environment is a huge challenge for these institutions." I agree; universities would like to keep systems open to the public to spread knowledge.
Dr.T, User Rank: Ninja
3/27/2018 | 8:07:38 PM
Re: Universities Have More Intellectual Property than Industry
"Universities have valuable IP that foreign adversaries would benefit from obtaining." That is true; everybody is after new knowledge wherever it is, obviously.
Dr.T, User Rank: Ninja
3/27/2018 | 8:05:20 PM
Re: Universities Have More Intellectual Property than Industry
"This is particularly troublesome since many universities do not make cybersecurity a top issue in order to maintain an 'open' environment." That might be because universities are open systems in general; they want to release research results to get credit.
Dr.T, User Rank: Ninja
3/27/2018 | 8:03:53 PM
Re: Universities Have More Intellectual Property than Industry
"The attackers are going after the leading-bleeding edge research at universities." That is really interesting for me too. They were after knowledge, obviously.
Dr.T, User Rank: Ninja
3/27/2018 | 8:01:34 PM
31 terabytes
31 terabytes is a huge number of research papers; most of that research would be public at some point anyway, I would assume.