Seven Iranian hackers from security companies working on behalf of the Iranian government have been indicted by the US Department of Justice for waging coordinated distributed denial-of-service (DDoS) attacks against major US financial institutions three years ago and one of the men was charged with allegedly infiltrating a server at a dam in New York.
Ahmad Fathi, 37; Hamid Firoozi, 34; Amin Shokohi, 25; Sadegh Ahmadzadegan, aka Nitr0jen26, 23; Omid Ghaffarinia, aka PLuS, 25; Sina Keissar, 25; and Nader Saedi, aka Turk Server, 26; allegedly launched DDoS attacks against 46 organizations—mainly US financial institutions--from late 2011 and mid-2013, according to an indictment unsealed today and announced by DOJ and FBI officials. Firoozi also is charged with hacking into the dam’s computer system between August and September 2013. The seven Iranians were employed by ITSecTeam (ITSEC) and Mersad Company (MERSAD), both of which were working for the Iranian government and the Islamic Revolutionary Guard.
The infamous DDoS campaign against US banks hit a crescendo in September of 2012, in some cases reaching 140-gigabits-per-second of unwanted data traffic to the banks’ networks, resulting in hundreds of thousands of banking customers unable to access their bank accounts online. The attacks cost victims tens of millions of dollars.
Today’s indictment by the DOJ is the second such public indictment of a nation-state cyberattack by the department: in May of 2014, DOJ made history with the nation’s first-ever criminal charges for cyber espionage, as five members of China’s People’s Liberation Army were charged with hacking and stealing trade secrets of major American steel, solar energy, and other manufacturing companies, including Alcoa, Westinghouse Electric, and US Steel. To date, none of the five men has been arrested or extradited, but the goal was more about the US’s new strategy to put names and faces behind these attacks.
And earlier this week, DOJ charged three Syrian Electronic Army (SEA) hackers for targeting websites and social media platforms of US military and media agencies, and added the three to the FBI’s Most Wanted Cyber list.
Attorney General Loretta Lynch called the Iranian charges today, “groundbreaking.”
“This case is a reminder of the seriousness of cyber threats to our national security and these public criminal charges represent a groundbreaking step forward in addressing that threat,” Lynch said. “If you are a computer hacker sitting overseas, this indictment sends the powerful message that the full force of the US government will come after you should you seek to attack our infrastructure, financial institutions, or our people,” she said.
According to the indictment, Firoozi hacked into a server that controlled a SCADA system at the Bowman Dam in Rye, N.Y., between Aug. 23 and Sep. 18 of 2013. This gave him access to information about the dam’s water levels, temperature, and status of the sluice gate that controls water levels and flow, according to the indictment. Firoozi was not able to manipulate the gate because at the time of the breach it was disconnected for maintenance purposes. Bowman Dam’s intrusion cost the operation some $30,000 in remediation, DOJ said.
Officials at DOJ described the hack as both of a server that controls a SCADA system, as well as of SCADA systems. Efforts to have DOJ clarify this were unsuccessful as of this posting.
But ICS/SCADA security expert Robert Lee contends that DOJ’s description of the server-hack implications is incorrect. “Nothing about this is a SCADA system,” he says. The server that Firoozi hacked only provided visual reporting of the dam’s water levels, he says.
The attack began when the hacker broke into a Windows XP machine via a cell card, by guessing the password, Lee explains. “When he accessed it, they were able to access the HMI [human machine interface] then, but the HMI had zero elements of control,” he says. “All it did was give visual reporting of the levels of water at the dam.”
Bowman Dam’s control system was manual at that time that had to be manipulated on site, he says. And even if Firoozi had been able to gain any physical control at the dam, the worst he could have done is raised the water level by an inch, Lee says. “The dam’s owners and the city had wanted to put in a control system that could operate from an HMI on the XP server, but it hadn’t been done yet.”
Some security experts say the Iranian hacker’s breach of the dam server should be a wake-up call. “Critical infrastructure is composed of many interconnected elements. All of these need to be comprehended for us to develop the right strategies for protecting them,” says Steve Grobman, CTO at Intel Security. “This event is also a reminder that cyberattack and cyber-exploitation tools and expertise are available to those willing to pay for them ... It's a matter of resources, motivation, persistence, and opportunity."
And as has been a common MO with Iranian nation-state attacks, the goal is no traditional cyber espionage campaign.They are “looking for a strategic, militaristic upper hand," says Jon Miller, head of strategy and research at Cylance.
Who Did What
The DDoS attacks targeted such major institutions as Bank of America, the New York Stock Exchange, Capital One, ING Bank, BB&T, Fidelity National Information Services, US Bank, and PNC Bank. AT&T was also DDoS’ed by the Iranian hackers in August of 2012, according to the indictment.
ITSEC’s Fathi led his team’s part in the DDoS campaign, while Firoozi, network manager at ITSEC, obtained and managed servers used to coordinate the attack. Shokohi worked on the botnet that his team used in the attacks, and received a credit from the Iranian government for his hacking work as part of his mandatory military service requirement there.
MERSAD’s Ahmadzadegan ran the botnet his team used in the DDoS campaign, and has ties with Iranian hacking groups that infiltrated NASA servers in 2012. Ghaffarinia wrote the malware used to infect bots for the botnet; he is also associated with the hackers behind the NASA breach. Keisser obtained the servers that ran the botnet, and Saedi, a self-proclaimed DDoS expert, wrote malicious code to locate vulnerable servers for the botnet used by MERSAD in their part of the DDoS campaign.
The seven Iranian defendants could face up to 10 years in prison for conspiracy to commit and aid and abet in computer hacking, and Firoozi could get five more years tacked on to his sentence for the unauthorized access to a “protected computer” at the dam.
The Southern District of New York is prosecuting the case, which was investigated by the FBI.