U.S. Charges Iranian Hackers in Wall Street Cyber-Attacks

Hackers linked to the Iranian government launched cyber-attacks on some four dozen U.S. financial institutions and a flood-control dam above New York City in forays meant to undermine U.S. markets and national security, according to federal prosecutors.

Beginning in 2011, Iran-based hackers targeted the New York Stock Exchange, Nasdaq, Bank of America, JPMorgan Chase and AT&T, among others, according to an indictment unsealed Thursday in Manhattan federal court. One of them gained unauthorized remote access to a computer controlling the Bowman Avenue Dam in Rye, N.Y., for about three weeks beginning in 2013, according to the indictment.

The hackers were working on behalf of the Iranian government and the Islamic Revolutionary Guard Corps, a hard-line force in Iran, Attorney General Loretta Lynch told reporters in Washington. The hacking of the dam could have caused great damage if the facility hadn't been shut down for maintenance, she said.

The security breach at the dam represented "a frightening new frontier" for cyberattacks, Preet Bharara, the U.S. Attorney for the Southern District of New York, told reporters.

From December 2011 to May 2013, financial firms' computer systems were hacked in an effort that involved Iran-based private computer security companies linked with the Revolutionary Guard Corps, the U.S. alleged.

The incursions on the financial firms were initially sporadic, according to the government, and then increased to a near-weekly basis, usually from Tuesdays to Thursdays during normal U.S. business hours. The hacking conspiracy — involving seven Iran-based hackers with nicknames including Turk Server, PLus and Nitr0jen26 — ultimately affected about 46 major financial institutions and other companies in the industry over a total of 176 days, the government said.

On some days, the hacking prevented hundreds of thousands of banking customers from accessing their accounts, according to the indictment, costing the banks tens of millions in remediation efforts. Other victims included American Express, BB&T, Citigroup, Fifth Third Bancorp, HSBC Holdings, ING Groep, KeyCorp, PNC Financial Services Group, U.S. Bancorp and Wells Fargo, according to the indictment.

The conspiracy hinged on finding computers running software that hadn't been updated to address security flaws, the U.S. said. Those computers were infiltrated and turned into "bots" that could be used to attack the financial institutions, according to the indictment. The hackers then used the bots to carry out distributed denial of services, or DDoS, attacks in which a victim's computer is overwhelmed with electronic communications, the U.S. said.

"These attacks were relentless, they were systematic and they were widespread," Lynch said at a news conference announcing charges. "We believe they were conducted with the sole purpose of undermining the American free market."

Drez Jennings, a spokeswoman for KeyCorp, said the bank is cooperating with authorities investigating the matter. "It's important to emphasize, just as it stated in the indictment, that no client information was compromised" by the attacks, which she added slowed the bank's systems for a short time.

Representatives of Nasdaq and NYSE Group declined to comment, as did representatives from ING, US Bancorp and Citigroup. Others identified in the indictment as targets of the hacks didn't immediately respond to a request for comment.

The people charged in the indictment are Ahmad Fathi, Hamid Firoozi, Amin Shokohi, Sadegh Ahmadzadegan, Omid Ghaffarinia, Sina Keissar and Nader Saedi. They couldn't immediately be located for comment.

Firoozi repeatedly obtained unauthorized remote access in 2013 to a computer that controlled the supervisory control and data acquisition (SCADA) system of the Bowman Avenue Dam, a 1940s flood-control facility about 20 miles north of New York City, according to the indictment.

From Aug. 28 to Sept. 18 of that year, he repeatedly obtained information about the dam's status and operation, including water levels and temperature and the status of the gate that controls flow rates.

Although access to the system would have typically permitted a remote user to operate and manipulate the sluice gate, "unbeknownst to Firoozi, the sluice gate control had been manually disconnected" earlier for maintenance, the government said.

Officials have begun pointing to the attack on the dam as a warning that U.S. infrastructure is vulnerable.

Sen. Charles Schumer, D-N.Y., called the attack a "shot across the bow" of the U.S. and said tougher sanctions should be imposed. He urged the U.S. to begin a probe to determine whether critical infrastructure is vulnerable to cyberattacks and said state and local governments as well as private companies needed to beef up computer security.

"Hackers can come in, as these Iranian hackers did, and hurt our critical infrastructure," Schumer said at a March 11 news conference. "What if they open the sluice gates of a dam with a whole lot of people behind it? What if they shut off the power for a large part of the area?"

The indictment of Iran-based hackers comes just months after the U.S. sealed a historic nuclear pact with Tehran that led to the lifting of economic sanctions against the country. It's the latest example of the U.S. pursuit of hackers it says are operating within, and at times with the help of, foreign powers.

In May 2014, the U.S. indicted five Chinese military officials for stealing trade secrets, casting the hacker attacks as a direct economic threat. The indictment accused China and its government of a vast effort to mine U.S. technology through cyber-espionage, stealing jobs and innovation. The charges alleged the officers conspired to steal trade secrets and other information from U.S. companies including Westinghouse Electric and Allegheny Technologies.

Foreign governments have responded to U.S. hacking allegations by denying wrongdoing and accusing the U.S. of its own incursions. Intelligence experts have said the U.S. and Israel may have been behind a cyberstrike that used the so-called Stuxnet virus to disable operations at an Iranian nuclear enrichment plant.

In the China case, as with the latest allegations, the indicted hackers remained abroad and likely out of the reach of U.S. prosecutors. FBI Director James Comey, responding to those who point out the difficulty of bringing those accused in such cases to justice, added Thursday: "The world is small, and our memories are long."

MORE FROM AMERICAN BANKER