DOJ Indicts 7 Iranian Hackers For Attacks On US Banks And New York Dam

Iranian government-backed hackers are allegedly behind a massive DDoS campaign against the US financial sector from 2011 to 2013, and a 2013 breach of a Windows XP server at a dam.

Seven Iranian hackers employed by security companies working on behalf of the Iranian government have been indicted by the US Department of Justice for waging coordinated distributed denial-of-service (DDoS) attacks against major US financial institutions three years ago, and one of the men was also charged with allegedly infiltrating a server at a dam in New York.

Ahmad Fathi, 37; Hamid Firoozi, 34; Amin Shokohi, 25; Sadegh Ahmadzadegan, aka Nitr0jen26, 23; Omid Ghaffarinia, aka PLuS, 25; Sina Keissar, 25; and Nader Saedi, aka Turk Server, 26, allegedly launched DDoS attacks against 46 organizations, mainly US financial institutions, between late 2011 and mid-2013, according to an indictment unsealed today and announced by DOJ and FBI officials. Firoozi also is charged with hacking into the dam’s computer system between August and September 2013. The seven Iranians were employed by ITSecTeam (ITSEC) and Mersad Company (MERSAD), both of which were working for the Iranian government and the Islamic Revolutionary Guard.

The infamous DDoS campaign against US banks hit a crescendo in September of 2012, in some cases directing 140 gigabits per second of unwanted traffic at the banks’ networks and leaving hundreds of thousands of banking customers unable to access their accounts online. The attacks cost victims tens of millions of dollars.

Today’s indictment by the DOJ is the second such public indictment of a nation-state cyberattack by the department: in May of 2014, DOJ made history with the nation’s first-ever criminal charges for cyber espionage, as five members of China’s People’s Liberation Army were charged with hacking and stealing trade secrets of major American steel, solar energy, and other manufacturing companies, including Alcoa, Westinghouse Electric, and US Steel. To date, none of the five men has been arrested or extradited, but the goal was more about the US’s new strategy to put names and faces behind these attacks.

And earlier this week, DOJ charged three Syrian Electronic Army (SEA) hackers for targeting websites and social media platforms of US military and media agencies, and added the three to the FBI’s Most Wanted Cyber list.

Attorney General Loretta Lynch called the Iranian charges today, “groundbreaking.”

“This case is a reminder of the seriousness of cyber threats to our national security and these public criminal charges represent a groundbreaking step forward in addressing that threat,” Lynch said. “If you are a computer hacker sitting overseas, this indictment sends the powerful message that the full force of the US government will come after you should you seek to attack our infrastructure, financial institutions, or our people,” she said.

According to the indictment, Firoozi hacked into a server that controlled a SCADA system at the Bowman Dam in Rye, N.Y., between Aug. 23 and Sep. 18 of 2013. This gave him access to information about the dam’s water levels, temperature, and status of the sluice gate that controls water levels and flow, according to the indictment. Firoozi was not able to manipulate the gate because at the time of the breach it was disconnected for maintenance purposes. Bowman Dam’s intrusion cost the operation some $30,000 in remediation, DOJ said.

DOJ officials described the intrusion in two different ways: as a hack of a server that controlled a SCADA system, and as a hack of SCADA systems themselves. Efforts to have DOJ clarify this were unsuccessful as of this posting.

But ICS/SCADA security expert Robert Lee contends that DOJ’s description of the server-hack implications is incorrect. “Nothing about this is a SCADA system,” he says. The server that Firoozi hacked only provided visual reporting of the dam’s water levels, he says.

The attack began when the hacker broke into a Windows XP machine via a cell card, by guessing the password, Lee explains. “When he accessed it, they were able to access the HMI [human machine interface] then, but the HMI had zero elements of control,” he says. “All it did was give visual reporting of the levels of water at the dam.”

Bowman Dam’s control system was manual at that time and had to be operated on site, he says. And even if Firoozi had been able to gain any physical control at the dam, the worst he could have done is raise the water level by an inch, Lee says. “The dam’s owners and the city had wanted to put in a control system that could operate from an HMI on the XP server, but it hadn’t been done yet.”

Some security experts say the Iranian hacker’s breach of the dam server should be a wake-up call. “Critical infrastructure is composed of many interconnected elements. All of these need to be comprehended for us to develop the right strategies for protecting them,” says Steve Grobman, CTO at Intel Security. “This event is also a reminder that cyberattack and cyber-exploitation tools and expertise are available to those willing to pay for them ... It’s a matter of resources, motivation, persistence, and opportunity.”

And as has been a common MO with Iranian nation-state attacks, the goal is no traditional cyber espionage campaign. They are “looking for a strategic, militaristic upper hand,” says Jon Miller, head of strategy and research at Cylance.

Who Did What

The DDoS attacks targeted such major institutions as Bank of America, the New York Stock Exchange, Capital One, ING Bank, BB&T, Fidelity National Information Services, US Bank, and PNC Bank. AT&T was also DDoS’ed by the Iranian hackers in August of 2012, according to the indictment.

ITSEC’s Fathi led his team’s part in the DDoS campaign, while Firoozi, network manager at ITSEC, obtained and managed servers used to coordinate the attack. Shokohi worked on the botnet that his team used in the attacks, and received a credit from the Iranian government for his hacking work as part of his mandatory military service requirement there.

MERSAD’s Ahmadzadegan ran the botnet his team used in the DDoS campaign, and has ties with Iranian hacking groups that infiltrated NASA servers in 2012. Ghaffarinia wrote the malware used to infect bots for the botnet; he is also associated with the hackers behind the NASA breach. Keissar obtained the servers that ran the botnet, and Saedi, a self-proclaimed DDoS expert, wrote malicious code to locate vulnerable servers for the botnet used by MERSAD in its part of the DDoS campaign.

The seven Iranian defendants could face up to 10 years in prison for conspiracy to commit and aid and abet in computer hacking, and Firoozi could get five more years tacked on to his sentence for the unauthorized access to a “protected computer” at the dam.

The Southern District of New York is prosecuting the case, which was investigated by the FBI.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

6/7/2016 | 9:57:38 AM
XP Server
Why do they keep talking about XP server? There was no such product?

Joe Stanganelli
3/26/2016 | 9:24:50 AM
Dam XP
Why was the dam using XP in 2013 to begin with?

3/25/2016 | 9:43:23 AM
Broken link in the story
The indictment link points to c:/Users/username...