US disrupts ‘massive and brazen’ Iranian hacking scheme, DOJ says

Iranian pro-government demonstrators set a makeshift US flag on fire during a march after the weekly Muslim Friday prayers in Tehran on January 5, 2018. New pro-regime protests were held in Iran, in reaction to the protests against the government and the cost of living.

The Trump administration alleged Friday that Iranian government-linked hackers conducted a “massive and brazen” hacking scheme, breaking into the accounts of roughly 8,000 professors at hundreds of US and foreign universities, as well as private companies and government entities, to steal huge amounts of data and intellectual property.

The indictment unveiled by the Justice Department directly links the individuals charged with the hacks to the Iranian government, saying the perpetrators were working for Iran’s Islamic Revolutionary Guard Corps and other government clients.

Along with the charges, the Treasury Department designated the nine Iranians and the company they worked for, the Mabna Institute, for sanctions.

Also sanctioned was a previously indicted Iranian who allegedly hacked HBO.

Justice Department officials said the scheme was one of the biggest state-sponsored efforts they have ever taken on.

“(W)e have unmasked criminals who normally work in total anonymity, hiding behind the ones and zeros of computer code,” said Manhattan US Attorney Geoffrey Berman, who called it a “massive and brazen cyberassault.”

The move from the Justice Department and Treasury follows other US efforts to indict foreign government-linked cyberattackers, including special counsel Robert Mueller’s indictment of Russian operatives for meddling in the 2016 US election, and the Obama administration’s indictment of Chinese military members for the government-sponsored hacking of US companies.

It also comes at a time of tension with Iran, long an adversary of the US. As President Donald Trump reshuffles his national security and diplomacy team, including firing Secretary of State Rex Tillerson and national security adviser H.R. McMaster, experts speculate Trump may be laying the groundwork to pull out of the Iran nuclear deal that the Obama administration negotiated, though Iran’s cyber efforts were not part of that deal.

Officials also stressed that the hacking was conducted at the behest of the Iranian government, and that the Mabna Institute functioned as a contractor for the Revolutionary Guard. Sigal Mandelker, Treasury’s undersecretary for terrorism and financial intelligence, said the elite military wing has been a primary actor behind Iran’s sponsorship and encouragement of terrorism.

“The IRGC plays a central role in Iran’s maligned activities across the world, including fomenting terrorism,” Mandelker said.

Deputy Attorney General Rod Rosenstein declined to provide details, but said the hacking “benefited” the Revolutionary Guard.

The nine alleged hackers are charged with conspiracy to commit computer intrusions, wire fraud, unauthorized access of a computer and aggravated identity theft, counts that together could carry a maximum sentence of more than four decades in prison. According to the indictment, they carried out a sophisticated worldwide campaign from at least 2013 that netted more than 30 terabytes of academic data and other sensitive information.

The indictment alleges the Mabna Institute targeted more than 100,000 professors worldwide and succeeded in compromising 8,000 of them, spread across 144 US-based universities and 176 foreign universities. In their crosshairs were various types of intellectual property, including academic journals, dissertations and electronic books.

To break into the accounts, the campaign started with a reconnaissance phase in which each target was studied. That information was then used to craft emails, tailored to each target, that appeared to come from other university professors expressing interest in a recently published work. The messages contained links to supposedly related research that actually led to malicious websites mimicking the professor’s university login page; when the professor entered his or her credentials there, the hackers captured them and used them to access the account.

The hackers also allegedly broke into the accounts of employees of US government and non-governmental entities, including the Department of Labor, the Federal Energy Regulatory Commission, the states of Hawaii and Indiana, Indiana’s Department of Education, the United Nations, and the United Nations Children’s Fund. Once inside, the hackers allegedly stole the entire email inbox.

Other victims included employees of 36 US-based companies and 11 companies outside the US in a wide range of industries, including academic publishers, media and entertainment entities, a law firm, tech companies, and consulting and marketing firms.

The tactic for the private-sector and governmental hacks was much less sophisticated, according to the indictment. The hackers allegedly used “password spraying”: they collected email addresses they could find on the internet and then tried a handful of common passwords against each of those accounts, rather than many passwords against a single account, a pattern that keeps each account below its lockout threshold. Whenever a guess worked, they stole the email inbox.
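The spraying pattern described above has a recognisable shape in authentication logs: one source touches many distinct usernames with only one or two attempts each, whereas a brute force hammers one account. The following Python is an added example, not code from the indictment or from any vendor; the log format, the thresholds and the sample lines are all constructed here for illustration.

```python
"""Heuristic password-spray detection over authentication log lines.

Added example, not code from the indictment or any named product. The log
format ("<ISO timestamp> <user> <OK|FAIL> <source ip>") and the thresholds
are assumptions chosen for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Three sources are shown: a spray against twelve
# accounts (203.0.113.7), a brute force against one account (198.51.100.9)
# and a real user mistyping a password once (192.0.2.20).
SAMPLE_LOG = """\
2018-03-01T09:00:01 alice.smith FAIL 203.0.113.7
2018-03-01T09:00:02 bob.jones FAIL 203.0.113.7
2018-03-01T09:00:03 carol.lee OK 203.0.113.7
2018-03-01T09:00:04 dan.kim FAIL 203.0.113.7
2018-03-01T09:00:05 erin.diaz FAIL 203.0.113.7
2018-03-01T09:00:06 frank.wu FAIL 203.0.113.7
2018-03-01T09:00:07 gina.roy FAIL 203.0.113.7
2018-03-01T09:00:08 hal.ng FAIL 203.0.113.7
2018-03-01T09:00:09 ivy.chen FAIL 203.0.113.7
2018-03-01T09:00:10 jo.park FAIL 203.0.113.7
2018-03-01T09:00:11 kai.ali FAIL 203.0.113.7
2018-03-01T09:00:12 lena.ortiz FAIL 203.0.113.7
2018-03-01T09:10:00 dan.kim FAIL 198.51.100.9
2018-03-01T09:10:01 dan.kim FAIL 198.51.100.9
2018-03-01T09:10:02 dan.kim FAIL 198.51.100.9
2018-03-01T09:10:03 dan.kim FAIL 198.51.100.9
2018-03-01T09:10:04 dan.kim FAIL 198.51.100.9
2018-03-01T09:10:05 dan.kim FAIL 198.51.100.9
2018-03-01T09:30:00 alice.smith FAIL 192.0.2.20
2018-03-01T09:30:08 alice.smith OK 192.0.2.20
"""


def parse_line(line):
    """Split one log line into (timestamp, user, result, source_ip)."""
    ts, user, result, ip = line.split()
    return datetime.fromisoformat(ts), user, result, ip


def detect_password_spray(lines, min_users=10, window=timedelta(minutes=30),
                          max_attempts_per_user=3.0):
    """Return {source_ip: finding} for sources whose activity looks like a spray.

    A source is flagged when, within any span of at most `window`, it attempts
    at least `min_users` distinct accounts with on average no more than
    `max_attempts_per_user` attempts per account. The finding records the
    widest such span and which accounts the source actually logged into.
    """
    by_ip = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, result, ip = parse_line(line)
        by_ip[ip].append((ts, user, result))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the left edge until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) < min_users or len(span) / len(users) > max_attempts_per_user:
                continue
            best = findings.get(ip)
            if best is None or len(users) > best["distinct_users"]:
                findings[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "compromised": sorted({u for _, u, r in span if r == "OK"}),
                    "first_seen": span[0][0].isoformat(),
                    "last_seen": span[-1][0].isoformat(),
                }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(SAMPLE_LOG.splitlines()).items():
        print(ip, finding)
```

The brute-force source is deliberately not flagged here: it never reaches the distinct-user threshold and would be caught by an ordinary per-account failure rule. The `compromised` list is the operationally important output, since those are the mailboxes to treat as read by the attacker.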

It is unlikely that any of the individuals named in the indictment will ever see the inside of a US jail or courtroom. Foreign governments without extradition treaties with the US rarely give up their citizens to stand trial, and once an indictment is unsealed, the individuals named in it are unlikely to travel to countries that could extradite them to the US.

Still, federal prosecutors hope that by exposing the hacking operations, they can deter the behavior and make clear their ability to trace it back to its source.