The Justice Department on Thursday announced it has indicted seven hackers associated with the Iranian government, marking the first time the United States has charged state-sponsored individuals with hacking to disrupt the networks of key U.S. industries.
The charges cover attacks on U.S. banks’ public websites from late 2011 through May 2013 and a break-in to a computer control system at a small dam in Rye, N.Y., in an apparent attempt to disrupt its operation.
According to an 18-page indictment, all seven men were working for two Iran-based computer security companies — ITSec Team and Mersad Co. — on behalf of the Iranian Revolutionary Guard Corps, a branch of the Iranian military established to defend the country’s Islamic system and promote its ideology.
The indictment alleges that the suspects carried out coordinated “distributed denial of service,” or DDoS, attacks, in which the hackers took control of Web servers around the world and used them to flood the public websites of 46 U.S. financial institutions with traffic until the sites could no longer serve customers. For a time those attacks came on a near-weekly basis, affecting dozens of major institutions and leaving hundreds of thousands of customers unable to reach their bank accounts online.
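The attacks described above have a signature that differs from a single noisy client: many compromised servers each sending a modest request rate, so that no single source trips a per-IP limit while the aggregate overwhelms the site. The following is an added example, not code from the indictment or from any of the affected institutions, that runs two detectors over constructed web server access-log lines (fabricated IPs and timestamps in the 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 documentation ranges): a per-source rate rule, and an aggregate rule that fires when a window’s total request count is high and spread across many distinct sources. All thresholds are illustrative assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (source_ip, timestamp) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def requests_per_window(lines, window_seconds=10):
    """Bucket requests into fixed time windows: {window_start_epoch: Counter({ip: count})}."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # skip malformed lines rather than abort the scan
            continue
        ip, ts = parsed
        window = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[window][ip] += 1
    return buckets


def detect_floods(lines, window_seconds=10, per_ip_threshold=50,
                  total_threshold=100, min_sources=10):
    """
    Two detectors over the same windows (thresholds are illustrative assumptions):
      - "single_source": one IP alone sends >= per_ip_threshold requests in a window.
      - "distributed": the window total is >= total_threshold and is spread over at
        least min_sources distinct IPs. This is the shape of a DDoS launched from
        many commandeered servers, each staying under the per-IP limit.
    Returns a list of (window_start_epoch, kind, detail) sorted by window.
    """
    alerts = []
    for window, counts in sorted(requests_per_window(lines, window_seconds).items()):
        for ip, n in counts.items():
            if n >= per_ip_threshold:
                alerts.append((window, "single_source", ip))
        total = sum(counts.values())
        if total >= total_threshold and len(counts) >= min_sources:
            alerts.append((window, "distributed",
                           f"{total} requests from {len(counts)} sources"))
    return alerts


def build_sample_log():
    """Constructed sample traffic for the demo; every IP and timestamp is fabricated."""
    base = datetime(2012, 9, 18, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, t):
        return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET /login HTTP/1.1" 200 512'

    lines = []
    # Window 0 (12:00:00-12:00:09): normal traffic, three users, two requests each.
    for i in range(3):
        for k in range(2):
            lines.append(line(f"198.51.100.{i + 1}", base + timedelta(seconds=k)))
    # Window 1 (12:00:10-12:00:19): 40 "compromised servers", 5 requests each (200 total).
    # No single source exceeds the per-IP limit; only the aggregate rule sees it.
    for i in range(40):
        for k in range(5):
            lines.append(line(f"203.0.113.{i + 1}", base + timedelta(seconds=10 + k)))
    # Window 2 (12:00:20-12:00:29): one source alone sends 60 requests.
    for k in range(60):
        lines.append(line("192.0.2.7", base + timedelta(seconds=20 + k % 10)))
    lines.append("not a log line: exercises the malformed-input path")
    return lines


if __name__ == "__main__":
    for window, kind, detail in detect_floods(build_sample_log()):
        print(f"{datetime.fromtimestamp(window, timezone.utc):%H:%M:%S} {kind}: {detail}")
```

The aggregate rule is the one that matters for the campaign in the indictment: blocking individual addresses does little when each compromised server stays under the per-IP limit, so the useful response is upstream rate shaping or scrubbing keyed on the surge itself. In production the fixed `total_threshold` would be replaced by a baseline learned from normal traffic for that time of day.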
All of those charged are believed to be in Iran. They were identified as Ahmad Fathi, Hamid Firoozi, Amin Shokohi, Sadegh Ahmadzadegan, Omid Ghaffarinia, Sina Keissar and Nader Seidi.
The affected institutions and businesses included Bank of America, Nasdaq, the New York Stock Exchange, Capital One, AT&T and PNC, the indictment alleges. Attorney General Loretta E. Lynch said the attacks caused tens of millions of dollars in losses.
“These attacks were relentless, they were systematic and they were widespread,” Lynch said.
According to the indictment, Ahmadzadegan and Ghaffarinia also claimed responsibility for hacking into NASA servers and defacing NASA websites, and Firoozi obtained access to a computer control system for the Bowman Avenue Dam. That access, according to the indictment, would have permitted Firoozi to “operate and manipulate” a gate on the dam had the gate not been manually disconnected from the system for maintenance.
“The potential havoc that such a hack of American infrastructure could wreak is scary to think about,” said Preet Bharara, U.S. attorney for the Southern District of New York. His office handled the investigation, which ran for more than three years, with assistance from FBI field offices around the country.
Although Iran is unlikely to voluntarily send those indicted to the United States, officials said charging them was important nonetheless.
“The world is small, and our memories are long,” FBI Director James B. Comey said. “We never say never. People often like to travel for vacation or education, and we want them looking over their shoulder.”
The charges come two years after the United States indicted five Chinese military officers on charges of economic espionage in cyberspace and eight months after the nuclear accord between Iran and the United States and other world powers.
“It demonstrates a continued commitment to raising the cost of cybercrime and to demonstrating that the U.S. government can uncover the tradecraft of cybercriminals and attribute their activities with confidence,” said Zachary Goldman, executive director of New York University School of Law’s Center on Law and Security. “It also reinforces the U.S. government’s commitment to using every tool available to counter Iran’s destructive activities notwithstanding the nuclear deal.”
Intelligence officials said at the time of the attacks they believed Iran unleashed the DDoS campaign in response to increasingly strong economic sanctions imposed by the United States and Europe in an attempt to force Iran to curtail its nuclear program.
Iran began developing its cyberspace capabilities in earnest with the 2009 Green Revolution, when protesters demanded the ouster of President Mahmoud Ahmadinejad, said James Lewis, a cybersecurity expert with the Center for Strategic and International Studies. Iran used cyber-techniques to spy on protesters and squelch dissent, he said.
The IRGC in particular, he said, likes to operate in cyberspace using front companies “to circumvent Western law and to give them a degree of anonymity. There’s no such thing as a freelance hacker in Iran. They’re all connected to the state.”
He and other analysts said that Iran may be receiving help from Russian hackers affiliated with the Kremlin. “Some of it is writing code,” Lewis said. “Some of it is providing malware tools they can adapt.”
For years, the U.S. government treated hacking campaigns carried out by foreign governments as classified matters of national security. Officials were reluctant even to acknowledge a major intrusion by a foreign country, for diplomatic or intelligence reasons.
But as the scope and severity of the intrusions have grown, that has changed. The indictment against the Chinese People’s Liberation Army officers was an early example. Then, in January 2015, the United States slapped new financial sanctions on North Korean officials and government agencies in response to a cyberattack on Sony Pictures Entertainment.
On Wednesday, the Justice Department announced a guilty plea by a Chinese businessman charged with aiding two Chinese military hackers in stealing sensitive technical plans from U.S. defense contractors.
The indictments in national security cyber cases reflect a “new approach” that borrows from counterterrorism, said Assistant Attorney General John Carlin, whose National Security Division was created in 2006 to help prevent terrorist attacks. In 2012, he said, the department began to train prosecutors to work with both the intelligence community and law enforcement to bring cyber-cases.
“Once you unleash the dedicated prosecutors and give them access to intelligence, have them working together as teams,” they will identify hackers and affiliations, draw up indictments that name them and lay out evidence — in an effort to hold nation-state actors accountable and deter others, Carlin said.
Some administration officials said that the unsealing of the indictment against the Iranian hackers could ease the way for economic sanctions to be imposed. President Obama last April issued an executive order creating the authority to impose such sanctions specifically for malicious cyber-activity. That authority has not been used yet.