The federal charges against two Iranians for hacking into critical targets such as U.S. hospitals and cities are a step forward in the Justice Department’s prosecution of ransomware attacks. But the indictment unsealed Wednesday also highlights just how hard it is to hold cybercriminals accountable.
The Justice Department alleges the hackers wrote their own sophisticated ransomware, which encrypts data to lock victims out of their own computer files until they pay up, and used it on more than 200 victims, including major cities such as Atlanta and Newark. The department said Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, collected over $6 million in ransom payments and caused over $30 million in losses to their victims.
As my colleagues Ellen Nakashima and Devlin Barrett point out: “Officials said the case marks the first time federal prosecutors have charged individuals with writing their own ransomware and deploying it themselves as part of a criminal scheme to extort money.”
They continue: “What made this scheme different from other ransomware operations is the nature of the targeting and the sophisticated way in which the alleged hackers penetrated systems first, then deployed the malware, officials said.” And the severe consequences of the SamSam ransomware scheme were on full display in Atlanta: “The ransomware, first identified in 2015, gained prominence after it afflicted Atlanta in March, hobbling computers in the court system, shutting down WiFi at the international airport, preventing residents from paying water bills online and forcing police for several days to file reports on paper instead of electronically. Atlanta refused to pay the anonymous hackers $51,000 in ransom, and recovering from the attack is estimated to have cost the city’s taxpayers more than $9 million.”
Yet the indictment also illustrates the complexities of bringing hackers — even ones who have been exposed for targeting such high-profile public systems — to justice. Both men, allegedly working for their own personal profit and not on behalf of the Iranian government, are believed to be living in Iran.
The Justice Department appeared to acknowledge that their chances of seeing the inside of a U.S. courtroom are slim, at least for now.
The hackers “remain fugitives. Though the U.S. does not have an extradition treaty with Iran, Justice officials said on Wednesday they remain confident the men will be charged one day. ‘American justice has a long arm and we will wait and eventually we’re confident that we will take these perpetrators into custody,’ [Deputy Attorney General Rod] Rosenstein said,” as the Daily Beast reported.
News of the indictment cheered some security pros, even as they acknowledged the criminals can be hard to reach. Tom Cross, the chief technology officer at cybersecurity company OPAQ, said “as a resident of Atlanta, it’s great to see that the computer criminals who targeted our city have been identified.”
Yet Cross, who has also published research on vulnerabilities of connected cities, noted: “[This] indictment does not mean that these attacks are over. These Iranians are just one example of multiple groups all over the world who are launching targeted ransomware campaigns like this, and unfortunately, because they cannot be extradited from Iran, these criminals remain at large, and are able to continue to ply their trade.”
There is a bright spot: “However, these indictments will severely limit their ability to travel and will hopefully have a deterrent effect internationally,” he added. “Cyber criminals are not as anonymous as they sometimes believe.”
And there are other ways the U.S. government can have a more direct effect. From Ellen and Devlin:
“Savandi and Mansouri allegedly extorted victims by demanding a ransom paid in the virtual currency bitcoin in exchange for decryption keys to recover the data. They then allegedly exchanged the bitcoin proceeds into Iranian rial using Iran-based bitcoin exchangers. On Wednesday, the Treasury Department imposed sanctions on two Iran-based individuals, Ali Khorashadizadeh and Mohammad Ghorbaniyan, who the department said helped exchange the bitcoin ransom payments into rial. The department also listed the digital currency addresses the men used. Anyone who conducts business with either of the men could be subject to secondary sanctions, officials said.”
PINGED: “A distinguished group of China specialists who have long championed engagement with Beijing are now advocating the United States take a more skeptical view of what they see as growing Chinese efforts to undermine democratic values, including free-speech rights, both here and abroad,” my colleague Ellen reported. “‘Except for Russia, no other country’s efforts to influence American politics and society is as extensive and well-funded as China’s,’ the specialists say in a report to be issued Thursday by a working group convened by the Hoover Institution and the Asia Society’s Center on U.S.-China Relations.”
The report, which is titled “Chinese Influence & American Interests: Promoting Constructive Vigilance,” features a section that describes “arguably the most problematic of China’s malign activities, one with national security implications — technology transfers through cybertheft or ‘nontraditional collectors,’ such as Chinese citizens living in the United States and Americans, whether of Chinese descent or not, who have access to desired technology,” Ellen wrote.
Moreover, while President Trump and Vice President Pence have accused China of seeking to interfere in American elections, the working group found no such interference, my colleague reported. But Winston Lord, who served as U.S. ambassador to China in the 1980s, expressed worries about the country's influence efforts. “In terms of the diversity of interfering across the board — it’s even wider than the Russian threat,” Lord said, as quoted by Ellen.
PATCHED: “Two civil rights groups asked a judge on Wednesday to release documents describing a secret U.S. government effort to force Facebook Inc to decrypt voice conversations between users on its Messenger app,” Reuters's Joseph Menn reported. “A joint motion by the American Civil Liberties Union and the Electronic Frontier Foundation in U.S. District Court in Fresno, California argued that the public’s right to know the state of the law on encryption outweighs any reason the U.S. Justice Department might have for protecting a criminal probe or law-enforcement method.” Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford Law School's Center for Internet and Society, also joined the motion.
The case stemmed from an investigation into the MS-13 gang. A federal judge ruled that “the government cannot force Facebook to break the encryption on its popular Messenger voice app in a criminal case in which agents wanted to intercept a suspect’s conversations,” my colleague Ellen wrote in September. The motion filed on Wednesday “sought the release of the government’s arguments and any ruling accepting or rejecting each of those arguments,” according to Menn. “It said the court could redact information about people that could hurt a criminal case.”
PWNED: “At the CyberwarCon forum in Washington, DC on Wednesday, researchers from threat intelligence firm FireEye noted that while the US grid is relatively well-defended, and difficult to hit with a full-scale cyberattack, Russian actors have nonetheless [continued] to benefit from their ongoing vetting campaign,” Wired's Lily Hay Newman reported. Alex Orleans, an analyst at FireEye, warned that Russian hackers are particularly active in targeting the U.S. power grid. “The most consistent people are likely the Russians,” Orleans said, as quoted by Wired. “And I also think we likely haven’t fully uncovered the extent to which they have gotten into the wires.”
Hay Newman reported that the hacking group with ties to Russia, which FireEye refers to as “TEMP.Isotope,” has been probing the U.S. grid methodically. “The group mostly uses generic hacking tools and techniques created by other actors—a strategy known as ‘living off the land’—to minimize development time and costs, while also making it harder to identify and track its movements,” she wrote. “But TEMP.Isotope has also created at least one custom system backdoor, and often uses spearphishing and infected websites to compromise targets.” Additionally, the hackers' “actions are in the interest not of triggering large-scale blackouts, but of traditional intelligence-gathering,” according to Wired.
— More cybersecurity news:
— “Soon, federal agencies will have a clear idea of how they are doing on basic cybersecurity and be able to compare their posture to other agencies across the government,” Nextgov's Aaron Boyd reported. “The Homeland Security Department’s Continuous Diagnostics and Mitigation program, or CDM, is providing agencies with a sophisticated suite of cybersecurity tools. As those tools are put in place, the associated sensors are sending data to a centralized dashboard, giving Homeland Security and agencies a holistic view of cybersecurity throughout the federal enterprise. Now, Homeland Security is using that data to compile cyber scores using an algorithm called AWARE, which stands for Agency-Wide Adaptive Risk Enumeration.”
— “A bipartisan pair of senators is asking the White House to look into whether the Chinese telecommunications firm ZTE violated U.S. sanctions by helping Venezuela track and monitor its citizens,” the Hill's Michael Burke wrote. “In a letter shared with The Hill, Sens. Chris Van Hollen (D-Md.) and Marco Rubio (R-Fla.) write that they are concerned that, by building a database to help Venezuela track its citizens, ZTE ‘may have violated U.S. export controls and sanctions laws’ as well as an agreement between the Commerce Department and ZTE reached earlier this year.”
— “Ivanka Trump defended her use of a private email account while working in her father’s White House last year and dismissed comparisons between her situation and that of Hillary Clinton during a television interview broadcast Wednesday,” The Post's John Wagner reported. “‘People who want to see it as the same see it as the same,’ Trump, the president’s eldest daughter and a White House senior adviser, told ABC News. But she insisted that ‘there really is no equivalency.’”
— “Dell Inc said on Wednesday that it reset passwords for all accounts on its Dell.com online electronics store on Nov. 14, five days after it discovered and stopped hackers who were attempting to steal customer data,” Reuters's Jim Finkle wrote. “The computer maker did not tell customers about the attack when it forced the password resets, according to a person familiar with the breach.”
— “A new partnership among two prominent Israeli venture capital funds, a handful of major private-sector companies and the city’s economic growth development enterprise is hoping to turn New York City into the nation’s leading center for yet one more major industry: cybersecurity,” Bruce Horovitz reported in the New York Times. “Cyber NYC, as the project is called, is among the nation’s most ambitious cybersecurity initiatives, which over the next decade could transform New York City into a global leader of cybersecurity innovation and job creation.”
- The Georgetown University Law Center hosts a cybersecurity symposium, titled “Cybercrime 2020: Revisiting the Future of Online Crime and Investigations,” in Washington.
- The Council to Secure the Digital Economy hosts an event for the release of the “International Anti-Botnet Report” in Washington.