Dark Reading is part of the Informa Tech Division of Informa PLC

DOJ Indicts 7 Iranian Hackers For Attacks On US Banks And New York Dam

Iranian government-backed hackers allegedly behind a massive DDoS campaign against the US financial sector from 2011 to 2013, and a 2013 breach of a Windows XP machine at a dam.

Seven Iranian hackers employed by security companies working on behalf of the Iranian government have been indicted by the US Department of Justice for waging coordinated distributed denial-of-service (DDoS) attacks against major US financial institutions three years ago. One of the men has also been charged with infiltrating a server at a dam in New York.

Ahmad Fathi, 37; Hamid Firoozi, 34; Amin Shokohi, 25; Sadegh Ahmadzadegan, aka Nitr0jen26, 23; Omid Ghaffarinia, aka PLuS, 25; Sina Keissar, 25; and Nader Saedi, aka Turk Server, 26, allegedly launched DDoS attacks against 46 organizations, mainly US financial institutions, between late 2011 and mid-2013, according to an indictment unsealed today and announced by DOJ and FBI officials. Firoozi is also charged with hacking into the dam's computer system between August and September 2013. The seven Iranians were employed by ITSecTeam (ITSEC) and Mersad Company (MERSAD), both of which were working for the Iranian government and the Islamic Revolutionary Guard Corps.

The infamous DDoS campaign against US banks peaked in September 2012, in some cases directing 140 gigabits per second of attack traffic at the banks' networks and leaving hundreds of thousands of banking customers unable to reach their accounts online. The attacks cost victims tens of millions of dollars in remediation.

Today's indictment is the second public indictment of a nation-state cyberattack by the department. In May 2014, DOJ made history with the nation's first-ever criminal charges for cyber espionage, when five members of China's People's Liberation Army were charged with hacking and stealing trade secrets from major American steel, solar energy, and other manufacturing companies, including Alcoa, Westinghouse Electric, and US Steel. To date, none of the five men has been arrested or extradited; the goal was less about securing convictions than about the US's new strategy of putting names and faces behind these attacks.

And earlier this week, DOJ charged three Syrian Electronic Army (SEA) hackers for targeting websites and social media platforms of US military and media agencies, and added the three to the FBI’s Most Wanted Cyber list.

Attorney General Loretta Lynch called the Iranian charges today, “groundbreaking.”

“This case is a reminder of the seriousness of cyber threats to our national security and these public criminal charges represent a groundbreaking step forward in addressing that threat,” Lynch said. “If you are a computer hacker sitting overseas, this indictment sends the powerful message that the full force of the US government will come after you should you seek to attack our infrastructure, financial institutions, or our people,” she said.

According to the indictment, Firoozi hacked into a server that controlled a SCADA system at the Bowman Dam in Rye, N.Y., between Aug. 23 and Sep. 18 of 2013. This gave him access to information about the dam’s water levels, temperature, and status of the sluice gate that controls water levels and flow, according to the indictment. Firoozi was not able to manipulate the gate because at the time of the breach it was disconnected for maintenance purposes. Bowman Dam’s intrusion cost the operation some $30,000 in remediation, DOJ said.

Officials at DOJ described the hack both as a compromise of a server that controls a SCADA system and as a compromise of the SCADA systems themselves. Efforts to have DOJ clarify which it was were unsuccessful as of this posting.

But ICS/SCADA security expert Robert Lee contends that DOJ’s description of the server-hack implications is incorrect. “Nothing about this is a SCADA system,” he says. The server that Firoozi hacked only provided visual reporting of the dam’s water levels, he says.

The attack began when the hacker broke into a Windows XP machine via a cell card, by guessing the password, Lee explains. “When he accessed it, they were able to access the HMI [human machine interface] then, but the HMI had zero elements of control,” he says. “All it did was give visual reporting of the levels of water at the dam.”

At the time, Bowman Dam's controls were manual and had to be operated on site, he says. Even if Firoozi had gained some physical control at the dam, the worst he could have done is raise the water level by an inch, Lee says. "The dam's owners and the city had wanted to put in a control system that could operate from an HMI on the XP server, but it hadn't been done yet."
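The vector Lee describes, a password guessed against a Windows XP host reachable over a cellular modem, is the kind of activity the host's own Security log records if anyone is reading it. The script below is an added example, not code from the Dark Reading article, the indictment, or any party involved: it walks normalized logon records, raises a burst alert when one source address accumulates a threshold of failed logons inside a time window, and a second alert when a successful logon from that source follows the burst. The record layout, addresses, account names and timestamps are constructed; the event IDs are real Windows Security event IDs (529 failed / 528 successful logon on XP and Server 2003, 4625 / 4624 on Vista and later), though real Event Viewer output is multi-line text that would need to be normalized into this shape first.

```python
"""Flag password-guessing bursts against a Windows host from normalized
Security-log records.

Added example for illustration; not code from the indictment or the article.
The record format (timestamp, event ID, account, source address) is an
assumed normalization of Windows Security events, not raw Event Viewer text.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one source hammers two accounts and then gets in;
# another source has two widely spaced failures and a legitimate success.
SAMPLE_LOG = """\
2013-08-23T02:10:01 529 admin 203.0.113.7
2013-08-23T02:10:03 529 admin 203.0.113.7
2013-08-23T02:10:04 529 operator 203.0.113.7
2013-08-23T02:10:06 529 admin 203.0.113.7
2013-08-23T02:10:09 529 admin 203.0.113.7
2013-08-23T02:10:12 528 admin 203.0.113.7
2013-08-23T02:15:00 529 dam_ops 192.168.10.20
2013-08-23T02:40:00 529 dam_ops 192.168.10.20
2013-08-23T02:41:00 528 dam_ops 192.168.10.20
"""

# Windows Security event IDs: XP/2003 on the left, Vista and later on the right.
FAILED_LOGON = {"529", "4625"}
SUCCESS_LOGON = {"528", "4624"}


def parse_records(text):
    """Turn the normalized text into (datetime, event_id, account, source) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = line.split()
        records.append((datetime.fromisoformat(ts), event_id, account, source))
    return records


def detect_guessing(records, threshold=5, window=timedelta(minutes=1)):
    """Return a list of (source, kind, timestamp) alerts.

    kind == 'burst' when `threshold` failed logons from one source fall within
    `window`; kind == 'success_after_burst' when a successful logon from a
    source that is currently flagged as bursting follows, i.e. the guess worked.
    """
    recent = defaultdict(deque)   # source -> timestamps of failures in window
    bursting = set()              # sources currently flagged as bursting
    alerts = []
    for ts, event_id, account, source in records:
        if event_id in FAILED_LOGON:
            q = recent[source]
            q.append(ts)
            # Slide the window: drop failures older than `window`.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and source not in bursting:
                bursting.add(source)
                alerts.append((source, "burst", ts))
        elif event_id in SUCCESS_LOGON and source in bursting:
            alerts.append((source, "success_after_burst", ts))
            bursting.discard(source)
    return alerts


if __name__ == "__main__":
    for source, kind, ts in detect_guessing(parse_records(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {source} {kind}")
```

The threshold and window are tuning knobs: on an HMI that sees a handful of logons a day, a far lower threshold is appropriate, and the second alert type is the one worth paging on, since it means the guessing stopped because it succeeded.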

Some security experts say the Iranian hacker’s breach of the dam server should be a wake-up call. “Critical infrastructure is composed of many interconnected elements. All of these need to be comprehended for us to develop the right strategies for protecting them,” says Steve Grobman, CTO at Intel Security. “This event is also a reminder that cyberattack and cyber-exploitation tools and expertise are available to those willing to pay for them ... It's a matter of resources, motivation, persistence, and opportunity."

And as has been a common MO with Iranian nation-state attacks, the goal was not traditional cyber espionage. They are "looking for a strategic, militaristic upper hand," says Jon Miller, head of strategy and research at Cylance.

Who Did What

The DDoS attacks targeted such major institutions as Bank of America, the New York Stock Exchange, Capital One, ING Bank, BB&T, Fidelity National Information Services, US Bank, and PNC Bank. AT&T was also DDoS’ed by the Iranian hackers in August of 2012, according to the indictment.

ITSEC’s Fathi led his team’s part in the DDoS campaign, while Firoozi, network manager at ITSEC, obtained and managed servers used to coordinate the attack. Shokohi worked on the botnet that his team used in the attacks, and received a credit from the Iranian government for his hacking work as part of his mandatory military service requirement there.

MERSAD's Ahmadzadegan ran the botnet his team used in the DDoS campaign, and has ties to Iranian hacking groups that infiltrated NASA servers in 2012. Ghaffarinia wrote the malware used to infect bots for the botnet; he is also associated with the hackers behind the NASA breach. Keissar obtained the servers that ran the botnet, and Saedi, a self-proclaimed DDoS expert, wrote malicious code to locate vulnerable servers for the botnet MERSAD used in its part of the DDoS campaign.

The seven Iranian defendants could face up to 10 years in prison for conspiracy to commit and aid and abet in computer hacking, and Firoozi could get five more years tacked on to his sentence for the unauthorized access to a “protected computer” at the dam.

The Southern District of New York is prosecuting the case, which was investigated by the FBI.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.

Apprentice | 6/7/2016 | 9:57:38 AM
XP Server
Why do they keep talking about XP server? There was no such product?

Joe Stanganelli, Ninja | 3/26/2016 | 9:24:50 AM
Dam XP
Why was the dam using XP in 2013 to begin with?

Apprentice | 3/25/2016 | 9:43:23 AM
Broken link in the story
The indictment link points to c:/Users/username...