The US Department of Justice today announced indictments of nine Iranian nationals for stealing more than 31 terabytes of data from over 140 universities, 30 companies, and five government agencies in the US as well as from victims in 21 other countries in one of the largest nation-state sponsored cyberattack campaigns ever prosecuted by the agency.
The alleged hackers worked on behalf of the Iranian government's Islamic Revolutionary Guard, under the guise of an Iranian company called the Mabna Institute, where they were leaders, contractors, associates or hired hackers for Mabna, which first launched the attacks in 2013. In addition to the 176 universities worldwide hit by the attackers, other victims included the US Department of Labor, the Federal Energy Regulatory Commission (FERC), the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children's Fund.
Some 8,000 professors' accounts were hacked, and their stolen credentials and email passed to the IRGC as well as later sold in Iran via Megapaper.ir and Gigapaper.ir, websites where customers could access the online library systems of the hacked universities.
The alleged hackers named in the indictment are Gholamreza Rafatnejad, Ehsan Mohammadi, Abdollah Karima aka Vahid Karima, Mostafa Sadeghi, Seyed Ali Mirkarimi, Mohammed Reza Sabahi, Roozbeh Sabahi, Abuzar Gohari Moqadam, and Sajjad Tahmasebi. They were each charged with multiple counts of conspiracy and unauthorized access to a computer, as well as aggravated identity theft. But prosecution depends on actual arrest or extradition to the US. The US does not have an extradition agreement with Iran.
"The numbers alone in this case are staggering, over 300 universities and 47 private sector companies both here in the United States and abroad were targeted to gain unauthorized access to online accounts and steal data. An estimated 30 terabytes was removed from universities’ accounts since this attack began, which is roughly the equivalent of 8 billion double-sided pages of text," said FBI Assistant Director William F. Sweeney Jr. "It is hard to quantify the value on the research and information that was taken from victims but it is estimated to be in the billions of dollars. The nine Iranians indicted today now find themselves wanted by the FBI and our partner law enforcement agencies around the globe – and like other cyber criminals they will soon learn their ability to freely move was just limited to the virtual world only."
According to the indictment, the Mabna Institute was under contract with the Iranian government as well as private entities for the operation, which began with a spear phishing campaign against more than 100,000 professors worldwide. They were able to infiltrate email accounts of some 8,000 of them, mostly in the US, but also in Australia, Canada, China, Denmark, Finland, Germany, Ireland, Israel, Italy, Japan, Malaysia, Netherlands, Norway, Poland, Singapore, South Korea, Spain, Sweden, Switzerland, Turkey, and the UK.
The hackers stole intellectual property from the universities, including academic journals, theses, dissertations, and electronic books.
Other US victims included three academic publishers, two media and entertainment companies, one law firm, 11 technology companies, five consulting firms, four marketing firms, two banking and/or investment firms, two online car sales companies, a healthcare company, an employee benefits company, an industrial machinery company, a biotechnology company, a food and beverage company, and a stock images company.
Those private sector victims were targeted via "password-spraying" methods that the hackers used to pilfer their credentials.
DoJ Deputy Attorney General Rod Rosenstein said in a statement: "The Department of Justice will aggressively investigate and prosecute hostile actors who attempt to profit from America’s ideas by infiltrating our computer systems and stealing intellectual property. This case is important because it will disrupt the defendants' hacking operations and deter similar crimes," Rosenstein said.
Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.