The US Department of Justice (DoJ) has charged seven Iranian hackers over a string of high-profile distributed denial-of-service (DDoS) attacks against banks.
The seven allegedly worked with Islamic Revolutionary Guard Corps-affiliated entities to run a coordinated campaign of cyber attacks against the US financial sector. One defendant was also charged with obtaining unauthorized access into control systems of a dam in New York state.
Ahmad Fathi, 37; Hamid Firoozi, 34; Amin Shokohi, 25; Sadegh Ahmadzadegan (aka Nitr0jen26), 23; Omid Ghaffarinia (aka PLuS), 25; Sina Keissar, 25; and Nader Saedi (aka Turk Server), 26, allegedly smashed 46 outfits, primarily in the US financial sector, offline between late 2011 and mid-2013.
The group was employed by two Iran-based computer companies, ITSecTeam and Mersad Company, which performed work on behalf of the Iranian Government, including the Islamic Revolutionary Guard Corps, according to US prosecutors.
This work allegedly involved botnets – networks of compromised malware-controlled systems – that hit targets with floods of junk packets measuring up to 140Gbps.
Firoozi is further charged with hacking into the industrial controls for the Supervisory Control and Data Acquisition (SCADA) systems of the Bowman Dam, located in Rye, New York, in August and September of 2013.
"This unauthorized access allowed him to repeatedly obtain information regarding the status and operation of the dam, including information about the water levels, temperature, and status of the sluice gate, which is responsible for controlling water levels and flow rates," a DoJ statement on the case explains.
"Although that access would normally have permitted Firoozi to remotely operate and manipulate the Bowman Dam's sluice gate, Firoozi did not have that capability because the sluice gate had been manually disconnected for maintenance at the time of the intrusion."
The indictments against the group, announced Thursday, appear largely symbolic and follow a day after the FBI added two alleged Syrian Electronic Army hackers to its Cyber Most Wanted list. Both the Iranian and Syrian suspects are in countries beyond the reach of US law enforcement and unlikely to visit extradition treaty countries (such as Cyprus or Turkey), especially now they know the dire consequences that might befall them if they do. ®
ITSecTeam's role in the alleged attacks are somewhat prosaic, while the supposed activities of MERSAD shed more light on how US intelligence reckons that the Iranians ran the attacks, related assaults and links to other hacker groups. More from the DoJ statement:
Ahmadzadegan was a co-founder of MERSAD and was responsible for managing the botnet used in MERSAD's portion of the DDoS campaign. He was also associated with Iranian hacking groups Sun Army and the Ashiyane Digital Security Team (ADST), and claimed responsibility for hacking servers belonging to the National Aeronautics and Space Administration (NASA) in February 2012. Ahmadzadegan has also provided training to Iranian intelligence personnel.
Ghaffarinia was a cofounder of MERSAD and created malicious computer code used to compromise computer servers and build MERSAD's botnet. Ghaffarinia was also associated with Sun Army and ADST, and has also claimed responsibility for hacking NASA servers in February 2012, as well as thousands of other servers in the United States, the United Kingdom and Israel.
Keissar procured computer servers used by MERSAD to access and manipulate MERSAD's botnet, and also performed preliminary testing of the same botnet prior to its use in MERSAD's portion of the DDoS campaign.
Saedi was an employee of MERSAD and a former Sun Army computer hacker who expressly touted himself as an expert in DDoS attacks. Saedi wrote computer scripts used to locate vulnerable servers to build the MERSAD botnet used in its portion of the DDoS campaign.