7 Iranians indicted for cyber attacks on US banks and a dam

The US Justice Department unsealed on Thursday an indictment charging seven Iranian computer specialists for conducting a coordinated campaign of distributed denial of service attacks against 46 major companies, primarily in the US financial sector, from late 2011 through mid-2013.

The individuals – Ahmad Fathi; Hamid Firoozi; Amin Shokohi; Sadegh Ahmadzadegan, a/k/a Nitr0jen26; Omid Ghaffarinia, a/k/a PLuS; Sina Keissar; and Nader Saedi, a/k/a Turk Server – were employed by two Iran-based computer companies, ITSecTeam and Mersad Company, which were allegedly sponsored by Iran’s Islamic Revolutionary Guard Corps.

These attacks, which occurred on more than 176 days, disabled victim bank websites, prevented customers from accessing their accounts online, and collectively cost the banks tens of millions of dollars in remediation costs as they worked to neutralize and mitigate the attacks on their servers. Firoozi is also charged with obtaining unauthorized access to the Supervisory Control and Data Acquisition (SCADA) systems of the Bowman Dam, located in Rye, New York, in August and September of 2013.

The attacks

According to the allegations contained in the indictment unsealed today in Manhattan federal court, the DDoS attacks against the US financial sector began in approximately December 2011, and occurred sporadically until September 2012, at which point they escalated in frequency to a near-weekly basis, occurring between Tuesdays and Thursdays during normal business hours in the United States through in or about May 2013.

On certain days during the campaign, victim computer servers were hit with as many as 140 Gigabits of data per second, and hundreds of thousands of customers were cut off from online access to their bank accounts.

For the purpose of carrying out the attacks, the defendants built botnets that consisted of thousands of compromised computer systems that had been infected with the defendants’ malware, and were subject to their remote command and control. The defendants and their co-conspirators ordered their botnets to direct significant amounts of malicious traffic at computer servers used to operate the websites for victim corporations, which overwhelmed victim servers and prevented customers from accessing the websites or their accounts online during the period of the attacks.

Although the DDoS campaign damaged and disrupted the businesses of the financial sector victims and interfered with their customers’ ability to do online banking during the course of the attacks, the attacks did not affect or result in the theft of customer account data.

Fathi, Firoozi, and Shokohi were responsible for ITSEC’s portion of the DDoS attack campaign against the US financial sector. Fathi was the leader of ITSEC and was responsible for supervising and coordinating ITSEC’s portion of the DDoS campaign, as well as managing computer intrusion and cyberattack projects being conducted for the government of Iran. Firoozi procured and managed computer servers that were used to coordinate and direct DDoS attacks for ITSEC. Shokohi is a computer hacker who helped build ITSEC’s botnet and created malware used to direct the botnet to engage in DDoS attacks. During the time that he worked in support of the DDoS campaign, Shokohi received credit for his computer intrusion work from the Iranian government towards his completion of his mandatory military service requirement in Iran.

Ahmadzadegan, Ghaffarinia, Keissar, and Saedi were responsible for MERSAD’s portion of the DDoS attack campaign against the U.S. financial sector. Ahmadzadegan was a co-founder of MERSAD and was responsible for managing the MERSAD botnet. He was also a member of Iranian hacking groups Sun Army and the Ashiyane Digital Security Team (“ADST”), and claimed responsibility for hacking servers belonging to the National Aeronautics and Space Administration (NASA) in February 2012. Ahmadzadegan has also provided training to Iranian intelligence personnel. Ghaffarinia was the other co-founder of MERSAD and created malicious computer code used to build MERSAD’s botnet for the DDoS campaign. Ghaffarinia was also a member of Sun Army and ADST, and has also claimed responsibility for hacking NASA servers in February 2012, as well as thousands of other servers in the United States, the United Kingdom, and Israel. Keissar procured computer servers used to access, manipulate, and test MERSAD’s botnet. Saedi wrote computer scripts used to locate vulnerable servers to build MERSAD’s botnet. Saedi was also a former Sun Army computer hacker who expressly touted himself as an expert in DDoS attacks.

Between August 28, 2013, and September 18, 2013, Firoozi also repeatedly obtained unauthorized access to the SCADA systems of the Bowman Dam, in Rye, New York, which allowed him to repeatedly obtain information regarding the status and operation of the dam, including information about the water levels and temperature, and the status of the sluice gate, which is responsible for controlling water levels and flow rates. Although that access would normally have permitted Firoozi to remotely operate and manipulate the Bowman Dam’s sluice gate, unbeknownst to Firoozi, the sluice gate had been manually disconnected for maintenance at the time of his intrusion.

Charges and potential sentences

All of the indicted individuals are citizens and residents of Iran, and are each charged with one count of conspiracy to commit and aid and abet computer hacking, which carries a maximum sentence of 10 years in prison. Firoozi is also charged with an additional count of obtaining and aiding and abetting unauthorized access to a protected computer, which carries a maximum sentence of five years in prison.

“The charges announced today respond directly to a cyber-assault on New York, its institutions, and its infrastructure,” Manhattan U.S. Attorney Preet Bharara said. “The infiltration of the Bowman Avenue dam represents a frightening new frontier in cybercrime. These were no ordinary crimes, but calculated attacks by groups with ties to Iran’s Islamic Revolutionary Guard and designed specifically to harm America and its people. We now live in a world where devastating attacks on our financial system, our infrastructure, and our way of life can be launched from anywhere in the world, with a click of a mouse. Confronting these types of cyber-attacks cannot be the job of just law enforcement. The charges announced today should serve as a wake-up call for everyone responsible for securing our financial markets and for guarding our infrastructure.”

Whether the Iranians will ever see the inside of a courtroom is doubtful, as it’s extremely unlikely that their country will ever extradite them to the US.
