Dark Reading is part of the Informa Tech Division of Informa PLC


Cloud

3/24/2016
02:45 PM

DOJ Indicts 7 Iranian Hackers For Attacks On US Banks And New York Dam

Iranian government-backed hackers allegedly behind a massive DDoS campaign against the US financial sector from 2011 to 2013, and a 2013 breach of a Windows XP server at a dam.

Seven Iranian hackers from security companies working on behalf of the Iranian government have been indicted by the US Department of Justice for waging coordinated distributed denial-of-service (DDoS) attacks against major US financial institutions three years ago and one of the men was charged with allegedly infiltrating a server at a dam in New York.

Ahmad Fathi, 37; Hamid Firoozi, 34; Amin Shokohi, 25; Sadegh Ahmadzadegan, aka Nitr0jen26, 23; Omid Ghaffarinia, aka PLuS, 25; Sina Keissar, 25; and Nader Saedi, aka Turk Server, 26; allegedly launched DDoS attacks against 46 organizations--mainly US financial institutions--between late 2011 and mid-2013, according to an indictment unsealed today and announced by DOJ and FBI officials. Firoozi also is charged with hacking into the dam's computer system between August and September 2013. The seven Iranians were employed by ITSecTeam (ITSEC) and Mersad Company (MERSAD), both of which were working for the Iranian government and the Islamic Revolutionary Guard Corps.

The infamous DDoS campaign against US banks hit a crescendo in September of 2012, in some cases reaching 140 gigabits per second of unwanted traffic to the banks' networks and leaving hundreds of thousands of banking customers unable to access their accounts online. The attacks cost victims tens of millions of dollars.

Today's indictment by the DOJ is the second such public indictment of a nation-state cyberattack by the department: in May of 2014, DOJ made history with the nation's first-ever criminal charges for cyber espionage, as five members of China's People's Liberation Army were charged with hacking and stealing trade secrets of major American steel, solar energy, and other manufacturing companies, including Alcoa, Westinghouse Electric, and US Steel. To date, none of the five men has been arrested or extradited, but the goal was less about arrests than about the US's new strategy of putting names and faces to these attacks.

And earlier this week, DOJ charged three Syrian Electronic Army (SEA) hackers for targeting websites and social media platforms of US military and media agencies, and added the three to the FBI’s Most Wanted Cyber list.

Attorney General Loretta Lynch called the Iranian charges today, “groundbreaking.”

“This case is a reminder of the seriousness of cyber threats to our national security and these public criminal charges represent a groundbreaking step forward in addressing that threat,” Lynch said. “If you are a computer hacker sitting overseas, this indictment sends the powerful message that the full force of the US government will come after you should you seek to attack our infrastructure, financial institutions, or our people,” she said.

According to the indictment, Firoozi hacked into a server that controlled a SCADA system at the Bowman Dam in Rye, N.Y., between Aug. 23 and Sep. 18 of 2013. This gave him access to information about the dam’s water levels, temperature, and status of the sluice gate that controls water levels and flow, according to the indictment. Firoozi was not able to manipulate the gate because at the time of the breach it was disconnected for maintenance purposes. Bowman Dam’s intrusion cost the operation some $30,000 in remediation, DOJ said.

Officials at DOJ described the intrusion both as a hack of a server that controls a SCADA system and as a hack of SCADA systems themselves. Efforts to have DOJ clarify which it was were unsuccessful as of this posting.

But ICS/SCADA security expert Robert Lee contends that DOJ’s description of the server-hack implications is incorrect. “Nothing about this is a SCADA system,” he says. The server that Firoozi hacked only provided visual reporting of the dam’s water levels, he says.

The attack began when the hacker broke into a Windows XP machine that was reachable over a cellular modem ("cell card") by guessing its password, Lee explains. "When he accessed it, they were able to access the HMI [human machine interface] then, but the HMI had zero elements of control," he says. "All it did was give visual reporting of the levels of water at the dam."

At that time, Bowman Dam's control system was manual and had to be operated on site, he says. And even if Firoozi had been able to gain any physical control at the dam, the worst he could have done is raise the water level by an inch, Lee says. "The dam's owners and the city had wanted to put in a control system that could operate from an HMI on the XP server, but it hadn't been done yet."
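Lee's account describes a familiar pattern: a host reachable from outside, a run of guessed passwords against it, and then a successful logon from the same source. The following Python sketch is an added example, not code from the article, the indictment, or the dam's operator; it flags that pattern in logon records. It assumes Windows XP-era security-log event IDs (529 for a failed logon, 528 for a successful logon) and runs over constructed sample records; the account names and IP addresses are illustrative, not from the case.

```python
"""Flag password guessing against a remotely reachable host from logon events.

Added example, not from the article or the indictment. The records below are
constructed to mimic Windows XP / Server 2003 security-log events; the field
layout, account names and addresses are assumptions for illustration only.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 529   # XP/2003 security log: logon failure (bad user name or password)
SUCCESS_LOGON = 528  # XP/2003 security log: successful logon

# Constructed sample records (not real log data): (timestamp, event ID, account, source IP).
# 203.0.113.7 guesses the administrator password six times and then gets in;
# 192.168.10.5 is an operator mistyping once, which must not be flagged.
SAMPLE_EVENTS = [
    ("2013-08-23 02:10:05", 529, "administrator", "203.0.113.7"),
    ("2013-08-23 02:10:31", 529, "administrator", "203.0.113.7"),
    ("2013-08-23 02:10:58", 529, "administrator", "203.0.113.7"),
    ("2013-08-23 02:11:20", 529, "administrator", "203.0.113.7"),
    ("2013-08-23 02:11:49", 529, "administrator", "203.0.113.7"),
    ("2013-08-23 02:12:14", 529, "administrator", "203.0.113.7"),
    ("2013-08-23 02:12:40", 528, "administrator", "203.0.113.7"),
    ("2013-08-23 09:00:02", 529, "operator", "192.168.10.5"),
    ("2013-08-23 09:00:21", 528, "operator", "192.168.10.5"),
]


def parse_event(record):
    """Turn one (timestamp, event ID, account, source) tuple into typed fields."""
    ts, event_id, account, source = record
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id), account, source


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that produces `threshold` or more failed
    logons inside `window`, and mark the alert as a likely compromise if the
    same source later logs on successfully."""
    recent_failures = defaultdict(deque)  # source -> failure timestamps still inside the window
    alerts = {}                           # source -> alert dict

    for ts, event_id, account, source in sorted(map(parse_event, events)):
        if event_id == FAILED_LOGON:
            window_hits = recent_failures[source]
            window_hits.append(ts)
            while ts - window_hits[0] > window:   # drop failures that aged out of the window
                window_hits.popleft()
            if source in alerts:
                alerts[source]["failures"] += 1
            elif len(window_hits) >= threshold:
                alerts[source] = {
                    "source": source,
                    "first_failure": window_hits[0],
                    "failures": len(window_hits),
                    "compromised": False,
                    "account": None,
                }
        elif event_id == SUCCESS_LOGON and source in alerts:
            # A success from a source already guessing passwords is the event worth paging on.
            alerts[source]["compromised"] = True
            alerts[source]["account"] = account

    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are deliberately loose; on a host that only a handful of operators should ever touch, a much lower threshold is appropriate, and any logon from an address outside the operator's own ranges deserves a look regardless of failure count.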

Some security experts say the Iranian hacker’s breach of the dam server should be a wake-up call. “Critical infrastructure is composed of many interconnected elements. All of these need to be comprehended for us to develop the right strategies for protecting them,” says Steve Grobman, CTO at Intel Security. “This event is also a reminder that cyberattack and cyber-exploitation tools and expertise are available to those willing to pay for them ... It's a matter of resources, motivation, persistence, and opportunity."

And as has been a common MO with Iranian nation-state attacks, the goal is not a traditional cyber espionage campaign. They are "looking for a strategic, militaristic upper hand," says Jon Miller, head of strategy and research at Cylance.

Who Did What

The DDoS attacks targeted such major institutions as Bank of America, the New York Stock Exchange, Capital One, ING Bank, BB&T, Fidelity National Information Services, US Bank, and PNC Bank. AT&T was also DDoS’ed by the Iranian hackers in August of 2012, according to the indictment.

ITSEC’s Fathi led his team’s part in the DDoS campaign, while Firoozi, network manager at ITSEC, obtained and managed servers used to coordinate the attack. Shokohi worked on the botnet that his team used in the attacks, and received a credit from the Iranian government for his hacking work as part of his mandatory military service requirement there.

MERSAD's Ahmadzadegan ran the botnet his team used in the DDoS campaign, and has ties with Iranian hacking groups that infiltrated NASA servers in 2012. Ghaffarinia wrote the malware used to infect bots for the botnet; he is also associated with the hackers behind the NASA breach. Keissar obtained the servers that ran the botnet, and Saedi, a self-proclaimed DDoS expert, wrote malicious code to locate vulnerable servers for the botnet used by MERSAD in its part of the DDoS campaign.

The seven Iranian defendants could face up to 10 years in prison for conspiracy to commit and aid and abet in computer hacking, and Firoozi could get five more years tacked on to his sentence for the unauthorized access to a “protected computer” at the dam.

The Southern District of New York is prosecuting the case, which was investigated by the FBI.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
dkrhla064, User Rank: Apprentice, 6/7/2016 | 9:57:38 AM
XP Server
Why do they keep talking about XP server? There was no such product?

Joe Stanganelli, User Rank: Ninja, 3/26/2016 | 9:24:50 AM
Dam XP
Why was the dam using XP in 2013 to begin with?

BCROMWELL479, User Rank: Apprentice, 3/25/2016 | 9:43:23 AM
Broken link in the story
The indictment link points to c:/Users/username...