The Washington PostDemocracy Dies in Darkness

Trump administration hits Iranian hacker network with sanctions, indictments in vast global campaign

The Department of Justice headquarters building in Washington.
The Department of Justice headquarters building in Washington. (J. David Ake/AP)

The Trump administration on Friday announced sanctions and criminal indictments against an Iranian hacker network it said was involved in “one of the largest state-sponsored hacking campaigns” ever prosecuted by the United States, targeting hundreds of U.S. and foreign universities, as well as dozens of U.S. companies and government agencies, and the United Nations.

None of the alleged hackers were direct employees of the Iranian government, but all worked at the behest of the Islamic Revolutionary Guard Corps (IRGC), officials said. While not the first such punishments imposed on Iran for such malicious acts, the new measures address more extensive Iranian efforts than previously alleged.

Read the indictment against Iranian hackers

Nine of 10 named individuals were connected to the Mabna Institute, a Shiraz-based tech firm that the Justice Department alleged hacks on behalf of Iranian universities and the IRGC. The institute conducted “massive, coordinated intrusions” into the computer systems of at least 144 U.S. universities and 176 foreign universities in 21 countries, including Britain and Canada, officials said.

Here's what you need to know about what cyberweapons are and when they have been used in the past. (Video: Dani Player, Sarah Parnass/The Washington Post)

The hackers stole more than 31 terabytes of data and intellectual property — the rough equivalent of three Libraries of Congress — from their victims, prosecutors alleged. Much of it ended up in the hands of the IRGC, which has frequently been accused of stealing information to further its own research and development of weaponry. The Guard Corps is the division of Iran’s security forces charged with overseeing Iranian proxy forces abroad and is under the direct control of the country’s religious leaders.

“Today, in one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice, we have unmasked criminals who normally hide behind the ones and zeros of computer code,” said Geoffrey S. Berman, U.S. attorney for the Southern District of New York.

“Iran is engaged in an ongoing campaign of malicious cyberactivity against the United States and our allies,” said Sigal Mandelker, the Treasury Department’s undersecretary for terrorism and financial intelligence. “We will not tolerate the theft of U.S. intellectual property or intrusion into our research institutions and universities.”

Also sanctioned was Behzad Mesri, who U.S. prosecutors announced last November had been indicted on a charge related to the hacking of HBO and theft of unaired episodes of programs including “Game of Thrones,” which the hacker threatened to release unless he was paid $6 million.

Iran nuclear deal may be the first casualty of Tillerson’s ouster

As a result of the indictments, officials said, the defendants cannot travel to more than 100 countries without fear of arrest and extradition to the United States.

The sanctions block any transactions with those named and freeze any assets they may have under U.S. jurisdiction. Indictments charge the nine Mabna associates with stealing proprietary data, including log-ins and personal information that allowed access to intellectual property.

Deputy Attorney General Rod J. Rosenstein predicted the measures would “disrupt the criminal operations of the Mabna Institute and­ . . . deter similar crimes by others.”

The actions are part of an effort by the Trump administration to expose the activities of and penalize cyber-foes. They also form part of a broad strategy, officials said, for combating “malign activities” by Iran that fall outside the scope of the nuclear agreement it signed with the United States and others three years ago.

President Trump has charged that the agreement, negotiated by the Obama administration, is flawed, and he has vowed to withdraw from it if its shortcomings are not addressed by mid-May. That is when he must decide whether to renew a presidential waiver of U.S. sanctions lifted in exchange for Iran’s reversal of an alleged nuclear weapons program.

Even as Trump has considered scrapping the deal, he has sought to punish Iran for other activities, including the development of long-range ballistic missiles, its use of proxy forces to fight wars in Syria and Yemen, and the buildup of asymmetric capabilities, including cyberwarfare.

New Russia sanctions are Trump’s strongest action against Moscow — but far short of what Congress wanted

The moves come a week after the administration placed sanctions on more than a dozen Russian individuals and organizations for their role in interfering in the 2016 election, and highlighted Russia’s targeting of U.S. critical infrastructure with potentially destructive cyber implants.

In December, the White House declared that North Korea was behind a cybervirus, WannaCry, that affected more than 230,000 computers in 150 countries.

Friday’s actions are “yet one more step in an overall strategy of calling out bad behavior and imposing costs,” said Rob Joyce, the White House cybersecurity coordinator.

The Mabna hacking campaign began in 2013, continuing through at least December, and broadly targeted academic data and intellectual property from the universities, including journals, theses, dissertations and electronic books — about $3.4 billion worth of data, the Justice Department said.

The defendants allegedly compromised accounts belonging to thousands of university professors through “spear-phishing” campaigns designed to trick a target into unwittingly providing his or her credentials, officials said. In some cases, they sold the stolen data through two Iranian websites, Megapaper and Gigapaper, officials said. Megapaper was operated by Falinoos Co., controlled by one of the defendants, Abdollah Karima, and Gigapaper was affiliated with Karima, officials said. Gigapaper sold a service to customers in Iran allowing them to use compromised university professor accounts to access the online library systems of some U.S.-based and foreign universities, they said.

Also hacked were the U.S. Labor Department and the Federal Energy Regulatory Commission. The latter regulates the interstate transmission of electricity, natural gas and oil.

The Trump administration used a cyber-sanction authority created by its predecessor, which first used the tool against Russian actors in December 2016 for interfering in the election. The administration used it in sanctioning the Russians last week.

In March 2016, the Justice Department unsealed an indictment against seven Iranian individuals working for two Iran-based computer companies, which conducted denial-of-service computer attacks against U.S. banks in 2012. The Treasury Department followed up with sanctions.

Such actions so far appear to have had limited effect, analysts say, noting that sanctions won’t affect individuals with no property in the United States or who are unlikely to travel here.

Officials say targets have occasionally slipped up and flown to countries with extradition treaties with the United States. And, Joyce said, some targets and their colleagues have been overheard worrying about their ability to travel, attend conferences and take vacations.

Another motive in taking action is to prod misbehaving states to adhere to international norms for cyberspace agreed to at the United Nations in 2015.

By bringing criminal charges, Rosenstein said, “we reinforce the norm that most of the civilized world accepts: Nation-states should not steal intellectual property for the purpose of giving domestic industries a competitive advantage.”

The theft of universities’ intellectual property is part of an apparent effort by Iran to obtain information that is denied to them because of existing sanctions, said Adam Meyers, vice president of intelligence at CrowdStrike, a cybersecurity firm. Iran has resorted to hacking to acquire information in the fields of aviation, defense, energy, finance, manufacturing, telecommunications and high-tech.

The indictment and sanctions help make clear that attribution is possible even when a state uses third parties or proxies to carry out their malicious acts, officials say. With such actions, “we’re getting a clearer picture of the Iranian actors who are not part of the government but are supporting activities on behalf of the Iranian regime,” said Tim Maurer, author of the book “Cyber Mercenaries.”

Following the announcement, Britain’s Foreign Office issued a statement welcoming the indictments and noting that the country’s National Cyber Security Center has assessed “with high confidence” that the Mabna Institute is “almost certainly responsible” for a multiyear hacking campaign targeting U.S. and British universities for intellectual property theft.

Only five or six years ago, Iran’s cyber capabilities were nascent. But the regime has made strides, developing and deploying a computer virus, Shamoon, that wiped data from energy companies in Saudi Arabia and Qatar.

In a covert, still-unacknowledged program launched by the George W. Bush administration, and continued by President Barak Obama, the United States and Israel used a cyberworm to sabotage centrifuges in an Iranian uranium enrichment plant, setting back Iran’s nuclear program.

Friday’s announcement, some analysts said, shows that the administration can address its concerns with the IRGC in a way that is consistent with maintaining the safeguards contained in the nuclear deal.

“So while this administration has pointed out a number of things they see as inadequate in the Iran deal, they are in fact demonstrating an ability to address their concerns in a way that is compliant” with the deal, said Elizabeth Rosenberg, a senior fellow at the Center for a New American Security and a former senior Treasury Department official.

Besides Karima, the sanctions and indictments named the following individuals affiliated with Mabna: co-founders Gholamreza Rafatnejad and Ehsan Mohammadi; Seyed Ali Mirkarimi; Mostafa Sadeghi; Sajjad Tahmasebi; Abuzar Gohari Moqadam; Roozbeh Sabahi and Mohammed Reza Sabahi.