3/24/2016
02:45 PM
DOJ Indicts 7 Iranian Hackers For Attacks On US Banks And New York Dam

Iranian government-backed hackers are allegedly behind a massive DDoS campaign from 2011 to 2013 against the US financial sector, and a 2013 breach of a Windows XP server at a dam.

Seven Iranian hackers employed by security companies working on behalf of the Iranian government have been indicted by the US Department of Justice for waging coordinated distributed denial-of-service (DDoS) attacks against major US financial institutions three years ago, and one of the men has been charged with allegedly infiltrating a server at a dam in New York.

Ahmad Fathi, 37; Hamid Firoozi, 34; Amin Shokohi, 25; Sadegh Ahmadzadegan, aka Nitr0jen26, 23; Omid Ghaffarinia, aka PLuS, 25; Sina Keissar, 25; and Nader Saedi, aka Turk Server, 26; allegedly launched DDoS attacks against 46 organizations, mainly US financial institutions, between late 2011 and mid-2013, according to an indictment unsealed today and announced by DOJ and FBI officials. Firoozi is also charged with hacking into the dam’s computer system between August and September 2013. The seven Iranians were employed by ITSecTeam (ITSEC) and Mersad Company (MERSAD), both of which were working for the Iranian government and the Islamic Revolutionary Guard.

The infamous DDoS campaign against US banks hit a crescendo in September of 2012, in some cases directing 140 gigabits per second of unwanted traffic at the banks’ networks and leaving hundreds of thousands of banking customers unable to access their bank accounts online. The attacks cost victims tens of millions of dollars.

Today’s indictment by the DOJ is the second such public indictment of a nation-state cyberattack by the department: in May of 2014, DOJ made history with the nation’s first-ever criminal charges for cyber espionage, as five members of China’s People’s Liberation Army were charged with hacking and stealing trade secrets of major American steel, solar energy, and other manufacturing companies, including Alcoa, Westinghouse Electric, and US Steel. To date, none of the five men has been arrested or extradited, but the goal was mainly to advance the US’s new strategy of putting names and faces behind these attacks.

And earlier this week, DOJ charged three Syrian Electronic Army (SEA) hackers for targeting websites and social media platforms of US military and media agencies, and added the three to the FBI’s Most Wanted Cyber list.

Attorney General Loretta Lynch called the Iranian charges today, “groundbreaking.”

“This case is a reminder of the seriousness of cyber threats to our national security and these public criminal charges represent a groundbreaking step forward in addressing that threat,” Lynch said. “If you are a computer hacker sitting overseas, this indictment sends the powerful message that the full force of the US government will come after you should you seek to attack our infrastructure, financial institutions, or our people,” she said.

According to the indictment, Firoozi hacked into a server that controlled a SCADA system at the Bowman Dam in Rye, N.Y., between Aug. 23 and Sep. 18 of 2013. This gave him access to information about the dam’s water levels, temperature, and status of the sluice gate that controls water levels and flow, according to the indictment. Firoozi was not able to manipulate the gate because at the time of the breach it was disconnected for maintenance purposes. Bowman Dam’s intrusion cost the operation some $30,000 in remediation, DOJ said.

DOJ officials described the hack both as a breach of a server that controls a SCADA system and as a breach of SCADA systems themselves. Efforts to have DOJ clarify this were unsuccessful as of this posting.

But ICS/SCADA security expert Robert Lee contends that DOJ’s description of the server-hack implications is incorrect. “Nothing about this is a SCADA system,” he says. The server that Firoozi hacked only provided visual reporting of the dam’s water levels, he says.

The attack began when the hacker broke into a Windows XP machine via a cell card, by guessing the password, Lee explains. “When he accessed it, they were able to access the HMI [human machine interface] then, but the HMI had zero elements of control,” he says. “All it did was give visual reporting of the levels of water at the dam.”

Bowman Dam’s control system was manual at that time and had to be operated on site, he says. And even if Firoozi had been able to gain any physical control at the dam, the worst he could have done is raise the water level by an inch, Lee says. “The dam’s owners and the city had wanted to put in a control system that could operate from an HMI on the XP server, but it hadn’t been done yet.”

Some security experts say the Iranian hacker’s breach of the dam server should be a wake-up call. “Critical infrastructure is composed of many interconnected elements. All of these need to be comprehended for us to develop the right strategies for protecting them,” says Steve Grobman, CTO at Intel Security. “This event is also a reminder that cyberattack and cyber-exploitation tools and expertise are available to those willing to pay for them ... It's a matter of resources, motivation, persistence, and opportunity."

And as has been a common MO with Iranian nation-state attacks, the goal is not a traditional cyber espionage campaign. They are “looking for a strategic, militaristic upper hand," says Jon Miller, head of strategy and research at Cylance.

Who Did What

The DDoS attacks targeted such major institutions as Bank of America, the New York Stock Exchange, Capital One, ING Bank, BB&T, Fidelity National Information Services, US Bank, and PNC Bank. AT&T was also DDoS’ed by the Iranian hackers in August of 2012, according to the indictment.

ITSEC’s Fathi led his team’s part in the DDoS campaign, while Firoozi, network manager at ITSEC, obtained and managed servers used to coordinate the attack. Shokohi worked on the botnet that his team used in the attacks, and received a credit from the Iranian government for his hacking work as part of his mandatory military service requirement there.

MERSAD’s Ahmadzadegan ran the botnet his team used in the DDoS campaign, and has ties with Iranian hacking groups that infiltrated NASA servers in 2012. Ghaffarinia wrote the malware used to infect bots for the botnet; he is also associated with the hackers behind the NASA breach. Keissar obtained the servers that ran the botnet, and Saedi, a self-proclaimed DDoS expert, wrote malicious code to locate vulnerable servers for the botnet used by MERSAD in their part of the DDoS campaign.

The seven Iranian defendants could face up to 10 years in prison for conspiracy to commit and aid and abet in computer hacking, and Firoozi could get five more years tacked on to his sentence for the unauthorized access to a “protected computer” at the dam.

The Southern District of New York is prosecuting the case, which was investigated by the FBI.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
dkrhla064, User Rank: Apprentice
6/7/2016 | 9:57:38 AM
XP Server
Why do they keep talking about XP server? There was no such product?

Joe Stanganelli, User Rank: Ninja
3/26/2016 | 9:24:50 AM
Dam XP
Why was the dam using XP in 2013 to begin with?

BCROMWELL479, User Rank: Apprentice
3/25/2016 | 9:43:23 AM
Broken link in the story
The indictment link points to c:/Users/username...