Three of the indicted hackers work for an Iranian security company called ITSecTeam, and four work for another company called Mersad. According to the charges, both companies have ties to the Iranian Revolutionary Guard Corps, an elite branch of the Iranian military.
Attorney General Loretta Lynch announced the charges at a press conference Thursday morning, where she appeared alongside Assistant Attorney General John Carlin, FBI Director James Comey, and Preet Bharara, the U.S. Attorney for the Southern District of New York.
In the announcement, the law enforcement officials said the unsealing represents the latest example of a “new approach” in government of publicly naming perpetrators of cybercrimes.
The charges against the Iranians come just days after the Justice Department unsealed similar computer-hacking charges against three members of the Syrian Electronic Army, a group of hackers who support Syrian President Bashar al-Assad. The Syrians were accused of stealing login information and defacing the websites and Twitter accounts of American private companies, media organizations, and government agencies.
The government’s public shaming of cybercriminals began in earnest in 2012, when the Justice Department announced charges against five Chinese hackers in the People’s Liberation Army. Those individuals were placed on the FBI’s “Cyber’s Most Wanted” list, and were joined this week by two of the three Syrians accused of hacking, as well as the seven Iranians.
“We will continue to use every tool at our disposal so that we can attribute [attackers’] actions down to the country, the government agency, the organization, and the individuals involved, and charge them publicly,” Lynch said Thursday.
The government hopes that releasing public charges will both make life miserable for those named, and scare off others who would rather stay off of FBI most-wanted lists.
“For many years, nation-states and their affiliates enjoyed what they perceived to be a cloak of anonymity, a cloak they hid behind to break our laws through cyber-intrusion, and to threaten our security and economic well-being,” said Carlin. “They had this perceived cloak of anonymity because they thought we could not figure out who did it, and they thought that we would not say if we did figure it out. They are wrong.”
Despite earning the Iranian hackers a place on the “Cyber’s Most Wanted” list, their methods—a botnet that coordinated a denial-of-service attack on a variety of targets—were neither novel nor terribly complex. (The government did not reveal how Firoozi was able to access the New York dam’s systems, but early reports indicated that hackers attacked a cellular modem in the facility.)
The seven Iranians face a maximum of 10 years in prison, and Firoozi could be sentenced to an additional five years. That’s assuming, of course, that they ever end up in a U.S. court—all seven of the accused reside in Iran.
But the director of the FBI warned against assuming that they will evade the reach of the U.S. forever.
“The world is small and our memory is long. We never say never,” he said. “People often like to travel for vacation or education and we want them looking over their shoulder both when they travel and when they sit at their keyboards. There is no safe place in this increasingly small world.”