Seven Iranian hackers affiliated with their government conducted cyber attacks from 2011 to 2013 that disabled dozens of U.S. financial sector websites and compromised the computer system of a Westchester County dam, the Justice Department alleged Thursday.
Officials admitted that federal court criminal charges filed in Manhattan against the men, announced by Attorney General Loretta Lynch in Washington, were symbolic because they are all in Iran, but said the U.S. ability to identify them sent a message to future state-sponsored hackers.
“The world is small and our memory is long,” said FBI director James Comey, noting that even protected defendants like to take vacations abroad. “We want them looking over their shoulders.”
The intrusions, which records say cost millions of dollars in remediation efforts, marked the latest entry in a growing list of geopolitical cyberwar accusations. The U.S. in 2009 used a computer “worm” to cripple Iran’s nuclear capacity, and has in the past accused North Korea, China and Russia of launching attacks.
Officials like Sen. Chuck Schumer (D-N.Y.) said the infiltration into sensitive infrastructure like a dam was particularly alarming and dangerous, and echoed longstanding warnings from experts that the U.S. has to provide better security.
“We must step up our counter-hacking game ASAP to deal with threats from places like Iran and would-be terrorists,” Schumer said. “A particularly neglected area is critical infrastructure — dams and power grids — and we must increase our focus on protecting them.”
The seven men, the charges said, were employed by two computer companies tied to the Iranian government and its Islamic Revolutionary Guard Corps, and engaged in so-called “distributed denial of service” attacks that hijacked networks of computers to overwhelm U.S. financial sites and block real customers.
Beginning in 2011, and escalating to a “near weekly” frequency in 2012 and 2013, the hackers targeted 46 institutions on at least 176 days, including Bank of America, the New York Stock Exchange, American Express, JPMorgan Chase and Citibank, according to the charges.
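A distributed denial-of-service attack of the kind described above is detected on the target side by volume: many requests per second, spread across many source addresses, against a baseline that is normally low. The following Python script is an added example written for this page, not code from the indictment, the Justice Department or any of the named banks; it assumes web-server access logs in the common combined format and uses constructed sample lines with documentation IP ranges. It buckets requests by second and separates a burst from many distinct sources (the botnet signature, which per-IP rate limiting alone cannot stop) from a burst coming from a single noisy client.

```python
"""Rate-based detection of a distributed request flood in access logs.

Added example, not part of the original article. Assumes combined-format
access-log lines ("IP - - [timestamp] ..."); sample input is constructed.
"""
import re
from collections import defaultdict

# Matches the source IP and the bracketed timestamp of a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')


def _log_line(ip, hhmmss, path):
    # Helper that builds a constructed combined-format access-log line.
    return f'{ip} - - [10/Sep/2012:{hhmmss} +0000] "GET {path} HTTP/1.1" 200 1024'


# Constructed sample log: a quiet baseline, then two very different bursts.
SAMPLE_LOG = [
    _log_line("192.0.2.10", "14:00:01", "/login"),
    _log_line("192.0.2.11", "14:00:01", "/accounts"),
    _log_line("192.0.2.10", "14:00:02", "/accounts"),
    _log_line("198.51.100.5", "14:00:02", "/"),
    _log_line("192.0.2.12", "14:00:03", "/login"),
    # Burst 1: ten requests in one second from ten distinct sources (botnet-like).
    *[_log_line(f"203.0.113.{n}", "14:00:04", "/") for n in range(1, 11)],
    # Burst 2: ten requests in one second from a single source (one noisy client).
    *[_log_line("198.51.100.7", "14:00:05", "/search") for _ in range(10)],
    _log_line("192.0.2.10", "14:00:06", "/logout"),
    "garbage line that does not parse",  # malformed input must be skipped, not crash
]


def parse_line(line):
    """Return (second, ip) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the timezone offset so the key is a one-second bucket.
    second = m.group("ts").split(" ")[0]
    return second, m.group("ip")


def bucket_by_second(lines):
    """Group source IPs by the second in which their request arrived."""
    buckets = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            second, ip = parsed
            buckets[second].append(ip)
    return buckets


def detect_flood(lines, baseline_rps=3, multiplier=3, min_sources=5):
    """Flag seconds whose request count exceeds baseline_rps * multiplier.

    Returns a list of (second, request_count, distinct_sources, kind) where
    kind is "distributed" when at least min_sources distinct IPs took part,
    otherwise "single-source". baseline_rps is an assumed figure a site
    would normally derive from its own quiet-period traffic.
    """
    threshold = baseline_rps * multiplier
    alerts = []
    for second, ips in sorted(bucket_by_second(lines).items()):
        count = len(ips)
        if count <= threshold:
            continue
        distinct = len(set(ips))
        kind = "distributed" if distinct >= min_sources else "single-source"
        alerts.append((second, count, distinct, kind))
    return alerts


if __name__ == "__main__":
    for second, count, distinct, kind in detect_flood(SAMPLE_LOG):
        print(f"{second}: {count} requests from {distinct} sources -> {kind}")
```

The distinction matters for response: a single-source burst is handled by blocking or rate-limiting that one address, whereas a distributed burst from many addresses needs upstream filtering or scrubbing capacity, because no single-IP rule removes it. In production the baseline would be learned from the site's own traffic history rather than passed as a constant.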
Separately, in 2013 one of the defendants, Hamid Firoozi, obtained unauthorized access to computer systems of the Bowman Avenue Dam, a small flood control dam on Blind Brook in Rye, Westchester County, and used it to “repeatedly” get operational information on water levels, temperature and the sluice gate, the charges said.
The dam hack, which was previously reported in December, would theoretically have allowed the Iranians to open and close the sluice gate, but at the time of the intrusion it had been manually disconnected for maintenance, the government said.
Officials said the charges, the result of a long and difficult investigation, were designed to show foreign hackers that they could be exposed, and Lynch said there had been hopeful signs from China since exposure of Chinese intrusions a few years ago.
“Like past nation state-sponsored hackers, these defendants and their backers believed that they could attack our critical infrastructure without consequence, from behind a veil of cyber anonymity,” Assistant Attorney General for National Security John Carlin said. “This indictment shows once again there is no veil.”
Justice officials did not mention the U.S. cyberattack on Iran in 2009, two years before they say the Iranian attacks began, or the possibility that Iran was retaliating, but Manhattan U.S. Attorney Preet Bharara called the infiltration of the Bowman Dam a “frightening new frontier in cybercrime.”
“These were no ordinary crimes, but calculated attacks by groups with ties to Iran’s Islamic Revolutionary Guard and designed specifically to harm America and its people,” said Bharara.
After the dam computer invasion was disclosed in December news reports, court records indicate Bharara’s office filed the indictment under seal on Jan. 21, just a few days after the Obama administration’s nuclear deal lifting financial sanctions and prisoner exchange with Iran became official.
Bharara and Carlin were asked whether the public announcement of the case was delayed to avoid conflicting with the diplomacy. Bharara said there were many “factors” affecting when a case is brought, but neither man answered with a “yes” or a “no.”
Although details of the infiltration of the dam computers were not available, cyber security expert Tyler Cohen Wood said hackers use a common technique to gain access to infrastructure systems.
Wood, a cyber security expert at Inspired eLearning in Texas, said a would-be hacker might find an employee’s social media profile, figure out their interests and send them a convincing email laced with malware that, if clicked, downloads a program to a phone or work computer.
Then, the hacker can attack the network — be it a dam, transportation or communication system — from there.
“We really have moved so quickly into just accepting these devices,” she said.
With Laura Blasey