7 Indicted for SCADA, Financial Attacks
Friday, March 25, 2016 @ 11:03 AM gHale
Seven Iranian computer specialists are facing an indictment in the U.S. for conducting a coordinated campaign of distributed denial of service (DDoS) attacks against the financial sector and for gaining unauthorized access to a dam's SCADA system.
The individuals – Ahmad Fathi; Hamid Firoozi; Amin Shokohi; Sadegh Ahmadzadegan, a/k/a Nitr0jen26; Omid Ghaffarinia, a/k/a PLuS; Sina Keissar; and Nader Saedi, a/k/a Turk Server – worked at two Iran-based computer companies, ITSecTeam and Mersad Company, sponsored by Iran’s Islamic Revolutionary Guard Corps, according to the indictment unsealed by the U.S. Justice Department.
The attacks hit 46 major companies, primarily in the U.S. financial sector, from late 2011 through mid-2013. These attacks, which occurred over a period of 176 days, disabled victim bank websites, prevented customers from accessing their accounts online, and collectively cost the banks tens of millions of dollars in remediation costs as they worked to neutralize and mitigate the attacks on their servers.
In addition to the financial sector attacks, Firoozi is also facing charges of obtaining unauthorized access into the Supervisory Control and Data Acquisition (SCADA) systems of the Bowman Dam, located in Rye, New York, in August and September of 2013, according to the indictment.
The DDoS attacks against the U.S. financial sector began in December 2011, and occurred sporadically until September 2012, at which point they escalated in frequency to a near-weekly basis, occurring between Tuesdays and Thursdays during normal business hours in the United States through in or about May 2013, according to the allegations contained in the indictment unsealed in Manhattan federal court.
On certain days during the campaign, victim computer servers were hit with as many as 140 Gigabits of data per second, and hundreds of thousands of customers were cut off from online access to their bank accounts.
For the purpose of carrying out the attacks, the defendants built botnets that consisted of thousands of compromised computer systems that had been infected with the defendants’ malware, and were subject to their remote command and control. The defendants and their co-conspirators ordered their botnets to direct significant amounts of malicious traffic at computer servers used to operate the websites for victim corporations, which overwhelmed victim servers and prevented customers from accessing the websites or their accounts online during the period of the attacks, officials said.
Although the DDoS campaign damaged and disrupted the businesses of the financial sector victims and interfered with their customers’ ability to do online banking during the course of the attacks, the attacks did not affect or result in the theft of customer account data, officials said.
Fathi, Firoozi, and Shokohi were responsible for ITSEC’s portion of the DDoS attack campaign against the U.S. financial sector, officials said. Fathi was the leader of ITSEC and was responsible for supervising and coordinating ITSEC’s portion of the DDoS campaign, as well as managing computer intrusion and cyber attack projects conducted for the government of Iran. Firoozi procured and managed computer servers used to coordinate and direct DDoS attacks for ITSEC. Shokohi is a computer hacker who helped build ITSEC’s botnet and created malware used to direct the botnet to engage in DDoS attacks. During the time he worked in support of the DDoS campaign, Shokohi received credit for his computer intrusion work from the Iranian government toward his completion of his mandatory military service requirement in Iran, officials said.
Ahmadzadegan, Ghaffarinia, Keissar, and Saedi were responsible for MERSAD’s portion of the DDoS attack campaign against the U.S. financial sector, officials said. Ahmadzadegan was a co-founder of MERSAD and responsible for managing the MERSAD botnet. He was also a member of Iranian hacking groups Sun Army and the Ashiyane Digital Security Team (“ADST”), and claimed responsibility for hacking servers belonging to the National Aeronautics and Space Administration (NASA) in February 2012, officials said. Ahmadzadegan has also provided training to Iranian intelligence personnel. Ghaffarinia was the other co-founder of MERSAD and created malicious computer code used to build MERSAD’s botnet for the DDoS campaign. Ghaffarinia was also a member of Sun Army and ADST, and has also claimed responsibility for hacking NASA servers in February 2012, as well as thousands of other servers in the United States, the United Kingdom, and Israel. Keissar procured computer servers used to access, manipulate, and test MERSAD’s botnet. Saedi wrote computer scripts used to locate vulnerable servers to build MERSAD’s botnet. Saedi was also a former Sun Army computer hacker who expressly touted himself as an expert in DDoS attacks, officials said.
Between August 28, 2013, and September 18, 2013, Firoozi also repeatedly obtained unauthorized access to the SCADA systems of the Bowman Dam, in Rye, NY, which allowed him to repeatedly obtain information regarding the status and operation of the dam, including information about the water levels and temperature, and the status of the sluice gate, which is responsible for controlling water levels and flow rates, officials said.
Although that access would normally have allowed Firoozi to remotely operate and manipulate the Bowman Dam’s sluice gate, unbeknownst to Firoozi, the sluice gate had been manually disconnected for maintenance at the time of his intrusion.
All of the indicted individuals are citizens and residents of Iran, and face charges of one count of conspiracy to commit and aid and abet computer hacking, which carries a maximum sentence of 10 years in prison. Firoozi also faces an additional count of obtaining and aiding and abetting unauthorized access to a protected computer, which carries a maximum sentence of five years in prison.
“The charges … respond directly to a cyber assault on New York, its institutions, and its infrastructure,” said Manhattan U.S. Attorney Preet Bharara. “The infiltration of the Bowman Avenue dam represents a frightening new frontier in cybercrime. These were no ordinary crimes, but calculated attacks by groups with ties to Iran’s Islamic Revolutionary Guard and designed specifically to harm America and its people. We now live in a world where devastating attacks on our financial system, our infrastructure, and our way of life can be launched from anywhere in the world, with a click of a mouse. Confronting these types of cyber attacks cannot be the job of just law enforcement. The charges should serve as a wake-up call for everyone responsible for securing our financial markets and for guarding our infrastructure.”
Since the suspects are Iranian citizens, they would have to be extradited to the U.S. to stand trial; however, it is unlikely the Iranian government will allow that to occur.