7 Iranians Indicted for DDoS Attacks Against U.S. Banks

Cybersecurity , DDoS

Prosecutors Say Attackers Also Targeted Dam Near New York City 7 Iranians Indicted for DDoS Attacks Against U.S. BanksAttorney General Loretta Lynch announces indictments of seven Iranians for hacking U.S. banks.

The Justice Department has unsealed indictments against seven Iranians - allegedly working on behalf of the Iranian government, including the Iranian Revolutionary Guard Corps, a branch of Iran's armed forces - who are suspected of conducting distributed denial-of-service attacks against dozens of American banks as well as attempting to seize control of Bowman Dam outside New York City.

See Also: CISO Discussion: Secure Code

"In unsealing this indictment, the Department of Justice is sending a powerful message: that we will not allow any individual, group or nation to sabotage American financial institutions or undermine the integrity of fair competition in the operation of the free market," Attorney General Loretta Lynch said in announcing the indictments on March 24.

The DDoS attacks started in December 2011 and continued sporadically until September 2012, when they escalated in frequency on a nearly weekly basis, typically between Tuesdays and Thursdays, through May 2013, according to the indictment. The indictment alleges the hackers over 176 days targeted 46 major financial institutions and corporations - including Bank of America, Capital One, JPMorgan Chase and PNC Banks as well as the New York Stock Exchange and Nasdaq - leaving hundreds of thousands of customers unable to access their bank accounts, resulting in tens of millions of dollars being spent by victimized organizations to mitigate and neutralize the attacks. The government said the Iranians also targeted AT&T.

Motivation for DDoS?

During the extensive wave of DDoS attacks against U.S. banks, a group calling itself Izz ad-Din al-Qassam Cyber Fighters repeatedly took credit, saying the attacks were waged in protest of a YouTube movie trailer deemed by the group to cast Islam in a negative light.

But some intelligence experts, according to published reports, suggest the attacks were actually in retaliation for the Stuxnet attack launched by the U.S. and Israel that crippled Iranian nuclear centrifuges in 2010.

One expert, Martin Libicki of the think tank Rand Corp., discounts that theory. "The United States is open to such attacks because systems have vulnerabilities, although the hackers did not, in fact, get very far in Rye (where Bowman Dam is located)," says Libicki, a senior management scientist, whose research focuses on the intersection of information technology and national security. "Iran knows this. Does anyone seriously think that they would have restrained themselves if Stuxnet had not occurred? The fact that the United States has not used suicide bombers has hardly kept Iran from using them."

The vice chairwoman of the Senate Intelligence Committee, Dianne Feinstein, D-Calif., said the targeting of Bowman Dam emphasizes the weakness of defending critical infrastructure.

"If hackers are able to access dams, the electrical grid, airports, our water supply or nuclear plants, the amount of damage they could do is enormous," Feinstein said. "Congress took a key step last year by passing a cybersecurity information sharing bill to help identify and stop attacks. But we also need to do more to protect our critical infrastructure."

Indictment as Publicity Tool

The Iranian indictments are reminiscent of the indictments in May 2014 of five Chinese army officers for hacking American corporate computers to steal intellectual property (see The Real Aim of U.S. Indictment of Chinese). Then, as now, no one expected the assailants to be extradited to the United States.

FBI Director James Comey says the indictments will have the Iranian suspects looking over their shoulders.

Indeed, a federal prosecutor suggested exposing the Iranian hacking gang is one of the reasons the indictment was unsealed.

"For many years, nation-states and their affiliates enjoyed what they perceived to be a cloak of anonymity," Assistant Attorney General John Carlin said. "They had this perceived cloak because they thought we couldn't figure out who did it and, if we did figure it out, we would keep it a secret. They are wrong. In a new approach, we have unleashed prosecutors and FBI agents against national security cyberthreats. ... Let this indictment reinforce that the days of perceived anonymity are gone - we can remove the cloak. And we will."

The indictment names the suspects as Ahmad Fathi, Hamid Firoozi, Amin Shokohi and Sadegh Ahmadzadegan, who went by the online moniker of "Nitr0jen26," as well as Omid Ghaffarinia, known as "PLuS," Sina Keissar and Nader Saedi, also called "Turk Server." Prosecutors allege they worked for either of two firms described as Iranian private security companies, ITSec Team and Mersad Co., that performed work on behalf of the Iranian government.

Syrian Hackers Charged

The announcement of the Iranian indictments comes two days after the government unsealed indictments against three members of a Syrian hacker collective for hijacking the websites and social media platforms of prominent American media organizations and the U.S. military.

The FBI said Amad Umar Agha, Firas Dardar and Peter Romar worked on behalf of the Syrian Electronic Army, a group of hackers that support Syrian President Bashar al-Assad. The sites targeted by the SEA included computer systems in the Executive Office of the President in 2011 and a U.S. Marine Corps recruitment website in 2013.

According to the charges, the hackers engaged in a multiyear conspiracy that began in 2011 to collect usernames and passwords that gave them the ability to deface websites, redirect domains to sites controlled by the conspirators, steal email and hijack social media accounts. To obtain the login information, according to the FBI, they relied on spear phishing to trick people with privileged access to their organizations' websites and social media channels into volunteering sensitive information by posing as a legitimate entity.

In addition, the Syrian suspects allegedly compromised the Twitter account of a prominent U.S. media organization in 2013 and released a tweet claiming that a bomb had exploded at the White House and injured the president. They also allegedly gained control of a Marine Corps recruiting website and posted a message urging Marines to "refuse [their] orders," according to the FBI.

Chinese Businessman Pleads Guilty

The Iranian indictment came one day after a Chinese businessman, Su Bin, pleaded guilty to criminal conspiracy to hack into a defense contractor's computer system to steal military technical data, including data relating to the C-17 strategic transport aircraft and certain fighter jets produced for the U.S. military.

The Justice Department said Su admitted to conspiring with two others in China from October 2008 to March 2014 to gain unauthorized access to protected computer networks in the United States, including computers belonging to the Boeing Co. in Orange County, California, to obtain sensitive military information and to export that information illegally from the United States to China.