DOJ announces indictments for Iranian-led cyber crimes

U.S. Attorney General Loretta Lynch, along with FBI Director James Comey, U.S. Attorney for the Southern District of New York Preet Bharara and Assistant Attorney General for National Security John Carlin, held a press conference Thursday morning to announce the unsealing of an indictment against seven individuals alleged to be experienced hackers employed by computer security companies working on behalf of the Iranian government, including the Islamic Revolutionary Guard Corps.

Lynch said that a federal grand jury in Manhattan found the seven individuals conspired together and with others to conduct a series of cyberattacks against civilian targets in the United States financial industry that, in all, cost victims tens of millions of dollars.

She said that between late 2011 and mid-2013, the United States financial sector suffered a large-scale and coordinated campaign of distributed denial of service (DDoS) attacks, a kind of cyberattack in which multiple compromised sources are used to target and overwhelm a single system. Because of the hackers' actions, 46 financial institutions were flooded with traffic for 176 days, which resulted in disruptions of online services and hundreds of thousands of Americans being unable to access their bank accounts online.

“The attacks were relentless, systematic, and widespread,” Lynch said.

Additionally, one of the defendants has also been charged with illegally obtaining access to the supervisory control and data acquisition system of the Bowman Dam in Rye, New York.

“At the time of his alleged intrusion, the dam was undergoing maintenance and had been disconnected from the system. But for that fact, that access would have given him the ability to control water levels and flow rates – an outcome that could have posed a clear danger to the public health and safety of Americans. I would like to thank the Department of Homeland Security and the city of Rye, New York, for their assistance in managing this incident,” Lynch said. “In unsealing this indictment, the Department of Justice is sending a powerful message: that we will not allow any individual, group, or nation to sabotage American financial institutions or undermine the integrity of fair competition in the operation of the free market.”

Lynch went on to say that this case is a reminder of the seriousness of cyber threats to national security, and that the public criminal charges represent a groundbreaking step forward in addressing that threat. She said the United States will continue to use every tool at its disposal to investigate malicious cyber actors, to attribute their actions down to the country, government agency, organization and individuals involved, and to charge them publicly.

According to the grand jury indictment from the Southern District of New York, Ahmad Fathi, 37; Hamid Firoozi, 34; Amin Shokohi, 25; Sadegh Ahmadzadegan, also known as Nitr0jen26, 23; Omid Ghaffarinia, also known as PLuS, 25; Sina Keissar, 25; and Nader Saedi, also known as Turk Server, 26, launched DDoS attacks against 46 victims, primarily in the U.S. financial sector. Additionally, Firoozi has been charged with obtaining unauthorized access to the Supervisory Control and Data Acquisition (SCADA) systems of the Bowman Dam in Rye, New York, in August and September 2013.

The group is said to have been employed by two Iran-based computer companies, ITSecTeam (ITSEC) and Mersad Company (MERSAD), that performed work on behalf of the Iranian government.

The indictment said that the DDoS campaign began in approximately December 2011, and attacks occurred only sporadically until September 2012, at which point they escalated in frequency to a near-weekly basis, between Tuesdays and Thursdays during normal business hours in the United States. On certain days during the campaign, victim computer servers were hit with as much as 140 GB of data per second and hundreds of thousands of customers were cut off from online access to their bank accounts.

Shokohi is described in the indictment as a computer hacker who helped build the botnet used by ITSEC to carry out its portion of the DDoS campaign and who created the malware used to direct the botnet to engage in those attacks. Since the attacks, the DOJ and the FBI have worked together with the private sector to neutralize and remediate the botnets.

Between Aug. 28, 2013, and Sept. 18, 2013, Firoozi had unauthorized access that allowed him to repeatedly obtain information regarding the status and operation of the Bowman Dam, including information about the water levels, temperature and status of the sluice gate, which is responsible for controlling water levels and flow rates. Although that access would normally have allowed him to remotely operate and manipulate the dam’s sluice gate, Firoozi did not have that capability because the sluice gate had been manually disconnected for maintenance at the time of the intrusion. Remediation for the dam intrusion cost more than $30,000.

The seven defendants face a maximum sentence of 10 years in prison for conspiracy to commit and aid and abet computer hacking. Firoozi faces an additional five years in prison for obtaining, aiding and abetting unauthorized access to a protected computer at the Bowman Dam.

The DOJ commented that an indictment is an accusation and all defendants are presumed innocent unless proven guilty in a court of law.

The case was investigated by the FBI, including the Chicago, Cincinnati, New York, Newark, New Jersey, Phoenix and San Francisco field offices. The case is being prosecuted by Assistant U.S. Attorney Timothy T. Howard of the Southern District of New York with the help of Deputy Chief Sean M. Newell of the National Security Division’s Counterintelligence and Export Control Section.