By Mark S. Nelson, J.D.
The DOJ announced criminal computer hacking charges against seven Iranians who allegedly orchestrated repeated cyber attacks against dozens of U.S. financial services companies over a two-year period. One of the hackers is also charged with seeking to gain control of New York state infrastructure (U.S. v. Fathi, March 24, 2016).
“In unsealing this indictment, the Department of Justice is sending a powerful message: that we will not allow any individual, group, or nation to sabotage American financial institutions or undermine the integrity of fair competition in the operation of the free market,” said U.S. Attorney General Loretta Lynch. Senator Dianne Feinstein (D-Cal), vice chairman of the Senate Intelligence Committee, praised the DOJ and the FBI but said the U.S. must do more to secure its critical infrastructure.
The indictment comes at a key moment in U.S. cyber awareness. Just last year, Congress passed the Cybersecurity Act of 2015 and the debate over what to do about the benefits and ills of strong encryption recently pitted the FBI against smart phone maker Apple Inc., with the prospect of encryption legislation looming. The indictment also spotlights Iran-based cyber attacks at a time when U.S. policy towards Iran has shifted in order to pursue a diplomatic deal that would freeze that country’s nuclear weapons program, and which has aroused strong feelings in the U.S. both for and against it.
Financial firms targeted. According to the DOJ, teams from two Iran-based private computer security firms linked to the Islamic Revolutionary Guard Corps, an intelligence arm of the Iranian government, remotely compromised servers in the U.S. and elsewhere that ran outdated software and assembled them into a network of controlled machines, a “botnet,” from which the teams could launch cyber attacks on U.S. financial firms.
The Iranian teams allegedly perpetrated two overlapping waves of distributed denial of service (DDoS) attacks on U.S. banks and stock exchanges, launched from those botnets. The DOJ accused Ahmad Fathi of being the project manager of one wave of attacks against nine financial firms. A second wave of attacks targeted 24 firms, some of which had been targeted in the earlier attack.
All told, the DOJ estimated the DDoS attacks impacted at least 46 financial sector firms during a total of 176 days in which the hackers swamped the targeted firms’ servers with up to three times the volume of traffic they could handle. This resulted in disruptions in the firms’ ability to provide online services to their customers and required the firms to pay tens of millions of dollars in remediation costs. But the DOJ noted that the attacks did not result in the theft of customer data.
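The indictment describes the attacks in terms of volume: request traffic reaching up to three times what the targeted servers could handle, spread across many hijacked machines. The following is an added example, not code from the article or from any party to the case, showing how a defender can surface that signature in ordinary web access logs. It assumes a simple space-separated log format and an assumed per-second capacity figure for the service; the log lines are constructed for illustration.

```python
"""Rate-based volumetric DDoS indicator over web access logs.

Added example, not part of the original article. It assumes a simple
space-separated log format (timestamp, client IP, method, path, status)
and a known per-second capacity for the service; both are assumptions
chosen for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample log: a few seconds of normal traffic, then one second
# in which many distinct sources push volume to 3x the assumed capacity.
SAMPLE_LOG = """\
2016-03-01T10:00:00Z 198.51.100.7 GET /login 200
2016-03-01T10:00:00Z 198.51.100.8 GET /home 200
2016-03-01T10:00:00Z 198.51.100.9 GET /accounts 200
2016-03-01T10:00:01Z 198.51.100.7 POST /login 302
2016-03-01T10:00:01Z 198.51.100.10 GET /home 200
2016-03-01T10:00:02Z 198.51.100.11 GET /home 200
2016-03-01T10:00:02Z 198.51.100.12 GET /quotes 200
2016-03-01T10:00:02Z 198.51.100.8 GET /accounts 200
""" + "".join(
    f"2016-03-01T10:00:03Z 203.0.113.{i} GET /home 200\n" for i in range(1, 13)
) + """\
2016-03-01T10:00:04Z 198.51.100.7 GET /accounts 200
2016-03-01T10:00:04Z 198.51.100.13 GET /home 200
"""

ASSUMED_CAPACITY_RPS = 4   # requests per second the service can absorb (assumption)
OVERLOAD_FACTOR = 3.0      # the article cites traffic up to three times capacity


def parse_line(line):
    """Parse one log line into (timestamp, client_ip, method, path, status).

    Returns None for blank or malformed lines so one bad record does not
    abort the whole analysis.
    """
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        status = int(parts[4])
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3], status


def bucket_by_window(log_text, window_seconds=1):
    """Group requests into fixed windows; each window maps to a Counter of source IPs."""
    buckets = defaultdict(Counter)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, src = rec[0], rec[1]
        epoch = int(ts.timestamp())
        window_start = epoch - (epoch % window_seconds)
        buckets[window_start][src] += 1
    return buckets


def flag_overload_windows(log_text, capacity_rps=ASSUMED_CAPACITY_RPS,
                          factor=OVERLOAD_FACTOR, window_seconds=1):
    """Return windows whose request volume reaches factor * capacity.

    Each entry is (window_start_iso, total_requests, distinct_sources,
    top_sources). Many distinct sources each sending little is the
    signature of a distributed flood, where per-IP rate limiting alone
    does little; upstream scrubbing or network-level controls are the
    usual mitigation.
    """
    threshold = capacity_rps * window_seconds * factor
    flagged = []
    for window_start, sources in sorted(bucket_by_window(log_text, window_seconds).items()):
        total = sum(sources.values())
        if total >= threshold:
            iso = datetime.fromtimestamp(window_start, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
            flagged.append((iso, total, len(sources), sources.most_common(3)))
    return flagged


if __name__ == "__main__":
    for iso, total, distinct, top in flag_overload_windows(SAMPLE_LOG):
        print(f"{iso}: {total} requests from {distinct} sources (top: {top})")
```

The distinct-source count is the useful part of the output: a single noisy client shows up as one IP dominating the window, whereas the botnet-driven floods described in the indictment show up as volume spread thinly across many addresses, which is what makes them hard to absorb at the origin.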
Infrastructure hack. A third attempt to disrupt U.S.-based computers involved an intrusion into the supervisory control and data acquisition (SCADA) system at the Bowman dam located about 30 miles north of New York City in Rye, New York. The DOJ alleged that Hamid Firoozi, who was a network manager in the DDoS attacks on some financial firms, gained access to the Bowman dam’s SCADA system and could have monitored the status of the dam or even controlled the sluice gate that adjusts its water level and flow rate.
As it happened, the sluice gate was offline for maintenance at the time of the intrusion, but Firoozi did not know that. Still, it cost more than $30,000 to fix the damage from the Bowman dam attack.
All seven of the accused hackers are charged with conspiracy to commit computer hacking. Firoozi is also charged with unauthorized access to a protected computer for his role in the Bowman dam intrusion. The seven individuals each face up to 10 years in prison, with Firoozi facing an additional five years for the Bowman dam attack.
The case is No. 16cr48.