The indictment against employees of the Iranian information security firm ITSecTeam, unsealed today, alleges the company was one of two involved in state-sanctioned attacks against US banks and SCADA systems. US Attorney General Loretta Lynch, FBI Director James Comey, and other Justice Department officials announced today that a federal grand jury had issued indictments for seven Iranians employed by two information technology companies.
The indictments allege that the companies were contracted by the Iranian government to conduct cyber attacks against bank websites in the US and carry out intrusion into the supervisory control and data acquisition (SCADA) network of a dam near Rye, New York.
In a press conference announcing the indictments, Lynch said, “Today, we have unsealed an indictment against seven alleged experienced hackers employed by computer security companies working on behalf of the Iranian government, including the Islamic Revolutionary Guard Corps.
A federal grand jury in Manhattan found that these seven individuals conspired together, and with others, to conduct a series of cyberattacks against civilian targets in the United States financial industry that, in all, cost victims tens of millions of dollars.”
The seven worked at ITSecTeam (ITSEC) and Mersad Company, both based in Iran.
The companies are alleged to be contracted by the Iranian government and the Iranian Revolutionary Guard to conduct a range of network intrusions and attacks, including distributed denial of service campaigns against the websites of several US banks.
The DDoS attacks, which started sporadically in December 2011, continued into September 2012—when attacks were ramped up to a “near-weekly basis,” the indictment states.
At their peaks, the DDoS attacks reached 140 gigabits per second.
Ahmad Fathi, Hamid Firoozi, and Amin Shokohi were the employees of ITSecTeam named in the indictment.
Fathi, the head of ITSecTeam, is alleged to have supervised his company’s network intrusion and attack projects for the Iranian government.
Firoozi provided networking and infrastructure support and is alleged to have conducted the intrusion into the Bowman Avenue Dam.
Shokohi, the indictment states, wrote the botnet code used by the company and was waived from mandatory military service in recognition of his work.
Those indicted at the Mersad group include Sadegh Ahmadzadegan (“Nitr0jen26”), Omid Ghaffarinia (“PLuS”), and Nader Saedi (“Turk Server”), as well as the un-aliased Sina Keissar.
Ahmadzadegan and Ghaffarinia, the cofounders of the company, have a long history of malicious hacking.
According to the DOJ, they are connected to the hacking teams Sun Army and the Ashiyane Digital Security Team (ADST).
The pair claimed credit for hacking NASA servers in 2012.
Ahmadzadegan is alleged to have managed the botnet used in the campaign by his company, and Ghaffarinia is said to have written the malware used to distribute the bots.
“In unsealing this indictment,” Lynch said, “the Department of Justice is sending a powerful message: that we will not allow any individual, group, or nation to sabotage American financial institutions or undermine the integrity of fair competition in the operation of the free market… we will continue to pursue national security cyber threats through the use of all available tools, including public criminal charges.
And as today’s unsealing makes clear, individuals who engage in computer hacking will be exposed for their criminal conduct and sought for apprehension and prosecution in an American court of law.”
It’s not clear, however, what real effect the indictments will have on Iran’s growing use of cyber-attacks as a tool in espionage, or whether they will even have an impact on those charged.
Arrests are unlikely to be made unless any of those charged travel outside Iran to a country willing to extradite them to the US.
Additionally, the scope of the intrusion at Bowman Avenue Dam—which the Justice Department claims cost $30,000 to “remediate”—may be slightly exaggerated by the government; earlier assessments said that the attacker only managed to touch back-office systems.
And the remediation was sorely needed: the dam’s network was accessed through an unsecured cellular modem connection, with its SCADA systems visible from an Internet scan.