Hackers linked to the Iranian government launched cyber-attacks on some four dozen U.S. financial institutions and a flood-control dam north of New York City in forays meant to undermine U.S. markets and national security, according to federal prosecutors.
Beginning in 2011, Iran-based hackers targeted the New York Stock Exchange, Nasdaq, Bank of America Corp., JPMorgan Chase & Co. and AT&T Inc., among others, according to an indictment unsealed Thursday in Manhattan federal court. One of them gained unauthorized remote access to a computer controlling the Bowman Avenue Dam in Rye, New York, for about three weeks beginning in 2013, according to the indictment.
The hackers were working on behalf of the Iranian government and the Islamic Revolutionary Guard Corps, a hard-line force in Iran, Attorney General Loretta Lynch told reporters in Washington. The hacking of the small dam could have posed a danger if the facility hadn’t been shut down for maintenance, she said.
“This indictment is the first of its kind because it calls out a foreign nation-state for supporting hackers who directly attacked U.S. critical infrastructure and financial markets,” said Thomas Brown, a cybersecurity specialist at Berkeley Research Group and a former federal prosecutor.
Although Lynch and other officials didn’t say what may have motivated the hackers, the incidents followed imposition of U.S. sanctions on Iran’s government and a cyber-attack on Iran’s nuclear program believed to be carried out by the U.S. and Israel.
“These attacks were relentless, systematic and they were widespread,” Lynch said at a news conference announcing the charges. “We believe that they were conducted with the sole purpose of undermining the targeted companies and damaging the online operation of America’s free market.”
Iran’s ambassador to the United Nations, Gholam-Ali Khoshroo, declined Thursday to comment on the indictment.
It comes just months after the U.S. sealed a historic nuclear pact with Tehran that led to the lifting of nuclear-related economic sanctions against the country. But the Obama administration has said it remains intent on curbing what it considers Iranian support for terrorism and suppression of human rights.
Lynch said the move against the Iranians reflects the increasing ability of U.S. investigators to identify hackers operating from abroad, sometimes with the help of foreign powers or on their behalf.
The hackers are believed to be in Iran, which doesn’t have an extradition treaty with the U.S. Most hackers that the U.S. has identified or indicted remain at large, but some of those indicted as criminals have been captured and extradited to America.
The Bowman Avenue Dam is a modest facility built in the 1940s about 20 miles (32 kilometers) north of New York City. It’s 119 feet long and 13 feet high, separating two ponds of water, according to a 2008 report on potential flood-control improvements.
Still, the security breach at the dam represented “a frightening new frontier” for cyber attacks, Preet Bharara, the U.S. Attorney for the Southern District of New York, told reporters.
From December 2011 to May 2013, the websites of U.S. banks were knocked offline by hackers working for Iran-based private security companies linked to the Iranian government and Revolutionary Guard Corps, the U.S. alleged.
Attacks on the financial firms were initially sporadic, according to the government, and then increased to a near-weekly basis, usually from Tuesdays to Thursdays during normal U.S. business hours. The conspiracy — involving seven Iran-based hackers with nicknames including Turk Server, PLus and Nitr0jen26 — ultimately affected about 46 major financial institutions and other companies in the industry over a total of 176 days, the government said.
On some days, the hacking prevented hundreds of thousands of banking customers from accessing their accounts, according to the indictment, costing the banks tens of millions in remediation efforts. Other victims included American Express Co., BB&T Corp., Citigroup Inc., Fifth Third Bancorp, HSBC Holdings Plc, ING Groep NV, KeyCorp, PNC Financial Services Group Inc., US Bancorp and Wells Fargo & Co., according to the indictment.
The conspiracy hinged on finding computers running software that hadn’t been updated to address security flaws, the U.S. said. Those computers were infiltrated and turned into “bots” that could be used to attack the financial institutions, according to the indictment. The hackers then used the bots to carry out distributed denial of services, or DDoS, a relatively unsophisticated attack in which a victim’s computer servers are overwhelmed with electronic communications, the U.S. said.
While the DDoS attacks alarmed company and government officials, they didn’t compromise the computers or the companies’ data. Cyber-attacks since then have become more advanced and more vicious, stealing information and destroying computers.
During the first denial of service attack, Zions Bancorporation’s website was down for about two hours, said spokesman James Abbott. Subsequently, the bank was able to identify attacks as they began and introduce countermeasures so that customers hardly noticed any disruptions. The attacks cost that bank alone more than $400,000.
“There was no compromise to our customer information in that process, but it is frustrating for our customers,” Abbott said.
Drez Jennings, a spokeswoman for KeyCorp, said the bank is cooperating with authorities investigating the matter. “It’s important to emphasize, just as it stated in the indictment, that no client information was compromised” by the attacks, which she added slowed the bank’s systems for a short time.
PNC said it welcomed the indictment but declined to comment further. BB&T said systems remained secure and clients’ personal information wasn’t exposed during the attacks. AT&T spokesman Jim Greer said the company “mitigated issues to protect our network, our customers and others.”
Representatives of Nasdaq Inc., NYSE Group Inc. and American Express declined to comment, as did representatives from ING, US Bancorp and Citigroup. Others identified in the indictment as targets of the hackers didn’t respond to requests for comment.
The people charged in the indictment, who couldn’t be located for comment, are identified as Ahmad Fathi, Hamid Firoozi, Amin Shokohi, Sadegh Ahmadzadegan, Omid Ghaffarinia, Sina Keissar and Nader Saedi. They worked for two Iranian companies, ITSecTeam and Mersad Co., according to the indictment.
It said Shokohi, who’s accused of working on the attacks upon U.S. banks, got credit toward his mandatory military service in Iran by engaging in the computer intrusion.
“It’s notable that the Iranian government is using what appears to be civilian criminal actors to engage in these attacks,” said Brown, the cybersecurity specialist.
Brown, who headed Bharara’s cybercrime unit, said that in his time in government, he was able to prosecute hackers after they traveled to other countries, including a Russian national who was arrested in Switzerland.
Firoozi repeatedly obtained unauthorized remote access in 2013 to a computer that controlled the supervisory control and data acquisition of the Bowman Avenue Dam, according to the indictment.
From Aug. 28 to Sept. 18 of that year, he repeatedly obtained information about the dam’s status and operation, including water levels and temperature and the status of the gate that controls flow rates.
Although access to the system would have typically permitted a remote user to operate and manipulate the sluice gate, “unbeknownst to Firoozi, the sluice gate control had been manually disconnected” earlier for maintenance, the government said.
Officials have begun pointing to the attack on the dam as a warning that U.S. infrastructure such as power plants and water-treatment facilities are vulnerable to attack.
‘Across the Bow’
New York Senator Charles Schumer called the dam attack a “shot across the bow” of the U.S. and said tougher sanctions should be imposed. He urged for the U.S. to begin a probe to determine if critical infrastructure is vulnerable to cyber attacks and said state and local governments and companies need to beef up computer security.
“Hackers can come in, as these Iranian hackers did, and hurt our critical infrastructure,” Schumer said at a March 11 news conference. “What if they open the sluice gates of a dam with a whole lot of people behind it? What if they shut off the power for a large part of the area?”
In May 2014, the U.S. indicted five Chinese military officials for stealing trade secrets, casting the hacker attacks as a direct economic threat. The indictment accused China and its government of a vast effort to mine U.S. technology through cyber-espionage, stealing jobs and innovation. The charges alleged the officers conspired to steal trade secrets and other information from U.S. companies including Westinghouse Electric Co. and Allegheny Technologies Inc.
Foreign governments have responded to U.S. hacking allegations by denying wrongdoing and accusing the U.S. of its own incursions. Cyber security experts have said the U.S. and Israel were behind a cyber strike that used the so-called Stuxnet virus to disable operations at an Iranian nuclear enrichment plant.
In the China case, as with the latest allegations, the indicted hackers remained abroad and probably out of the reach of U.S. prosecutors.
FBI Director James Comey, responding to those who point out the difficulty of bringing those accused in such cases to justice, said Thursday: “The world is small, and our memories are long.”
The case is U.S. v. Fathi, U.S. District Court, Southern District of New York.