Seven Iranians Indicted for Hacking

The FBI’s most-wanted list for cybercrime has grown by nearly 50 percent this week.

U.S. Attorney General Loretta Lynch and FBI Director James Comey announce the indictments of seven Iranian hackers. (Jonathan Ernst / Reuters)

A New York grand jury has indicted seven Iranians for computer hacking, accusing them of coordinating a months-long cyberattack on New York financial institutions, according to documents unsealed Thursday. One of the Iranians was also indicted for illegally gaining access to some of the controls of a dam located less than an hour from Manhattan.

According to the indictment, the seven hackers infected a large network of computers with malware, took partial control of them, and launched a distributed denial-of-service attack on the computer systems of 46 different organizations, mostly in the financial sector.

(A network of compromised computers working together to attack a target, often without the knowledge of their owners, is called a botnet, and a denial-of-service attack works by inundating a target server with data to the point that it malfunctions.)

The government said the attacks began in earnest in September 2012, overwhelming target servers with massive amounts of data and resulting in the disruption of online banking services. According to the indictment, the attacks cost victims tens of millions of dollars.

One individual, 34-year-old Hamid Firoozi, separately broke into the controls of a dam in Rye, New York, the government said. He was apparently unable to cause harm because his attack happened during routine maintenance that temporarily disabled some of the dam’s features, but the system typically allows users to monitor and control the dam’s water levels and flow rates. Even if he had gained control, the dam is small and used only for flood control—it’s not clear how much damage he could have done.

Three of the indicted hackers work for an Iranian security company called ITSecTeam, and four work for another company called Mersad. According to the charges, both companies have ties to the Iranian Revolutionary Guard Corps, an elite branch of the Iranian military.

Attorney General Loretta Lynch announced the charges at a press conference Thursday morning, where she appeared alongside Assistant Attorney General John Carlin, FBI Director James Comey, and Preet Bharara, the U.S. Attorney for the Southern District of New York.

In the announcement, the law enforcement officials said the unsealing represents the latest example of a “new approach” in government of publicly naming perpetrators of cybercrimes.

The charges against the Iranians come just days after the Justice Department unsealed similar computer-hacking charges against three members of the Syrian Electronic Army, a group of hackers who support Syrian President Bashar al-Assad. The Syrians were accused of stealing login information and defacing the websites and Twitter accounts of American private companies, media organizations, and government agencies.

The government’s public shaming of cybercriminals began in earnest in 2012, when the Justice Department announced charges against five Chinese hackers in the People’s Liberation Army. Those individuals were placed on the FBI’s “Cyber’s Most Wanted” list, and were joined this week by two of the three Syrians accused of hacking, as well as the seven Iranians.

“We will continue to use every tool at our disposal so that we can attribute [attackers’] actions down to the country, the government agency, the organization, and the individuals involved, and charge them publicly,” Lynch said Thursday.

The government hopes that releasing public charges will both make life miserable for those named, and scare off others who would rather stay off of FBI most-wanted lists.

“For many years, nation-states and their affiliates enjoyed what they perceived to be a cloak of anonymity, a cloak they hid behind to break our laws through cyber-intrusion, and to threaten our security and economic well-being,” said Carlin. “They had this perceived cloak of anonymity because they thought we could not figure out who did it, and they thought that we would not say if we did figure it out. They are wrong.”

Despite earning the Iranian hackers a place on the “Cyber’s Most Wanted” list, their methods—a botnet that coordinated a denial-of-service attack on a variety of targets—were neither novel nor terribly complex. (The government did not reveal how Firoozi was able to access the New York dam’s systems, but early reports indicated that hackers attacked a cellular modem in the facility.)

The seven Iranians face a maximum of 10 years in prison, and Firoozi could be sentenced to an additional five years. That’s assuming, of course, that they ever end up in a U.S. court—all seven of the accused reside in Iran.

But the director of the FBI warned against assuming that they will evade the reach of the U.S. forever.

“The world is small and our memory is long. We never say never,” he said. “People often like to travel for vacation or education and we want them looking over their shoulder both when they travel and when they sit at their keyboards. There is no safe place in this increasingly small world.”