DOJ Indicts 9 Iranians For Brazen Cyberattacks Against 144 US Universities

A new indictment asserts a long string of attacks against hundreds of universities and private companies, in which Iran pilfered more than $3 billion worth of intellectual property.
Norbert Michalke/Getty Images

In its latest drumbeat against the cyber activities of Iran, the US government Friday charged nine Iranian hackers with a massive three-year campaign to penetrate and steal more than 31 terabytes of information—totaling more than $3 billion in intellectual property—from more than 300 American and foreign universities.

The effort, detailed in a 21-page indictment unsealed Friday, amounted to “one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice,” said Geoffrey Berman, the US Attorney for the Southern District, which brought the case. The effort netted a lengthy list of victims, including 144 universities based in the US, and another 176 spread across 21 foreign countries. The group also hit 47 private sector companies, government targets as varied as the US Department of Labor, the Federal Energy Regulatory Commission, and the states of Hawaii and Indiana, along with the United Nations.

The hacking campaign focused on a Tehran-based organization called the Mabna Institute, which served as a clearinghouse for contractors and hackers-for-hire who were tasked with penetrating and stealing data, intellectual property, and the contents of professors’ email inboxes. According to the FBI’s investigation, two of the defendants—Gholamreza Rafatnejad and Ehsan Mohammadi—founded the Mabna Institute around 2013. “While the company’s name may sound legitimate, the so-called institute was set up for one reason only: To steal scientific resources from other countries around the world,” Berman said.

Rafatnejad organized the hacking efforts and coordinated with Iran’s Islamic Revolutionary Guard Corps, while Mohammadi served as Mabna’s managing director.

“This case is critically important because it will disrupt the activities of the Institute and it will deter similar crimes by other perpetrators. The indictment publicly identifies the conspirators. In this time of public identification, it helps to deter state-sponsored computer intrusions by stripping hackers of their anonymity and by imposing real consequences,” Rod Rosenstein, the deputy attorney general, said at the morning announcement in Washington. “Revealing the Mabna Institute’s nefarious activities makes it harder for them to do business.”

According to the Justice Department, many of the network intrusions began with sophisticated “spear-phishing” campaigns, with emails to target professors appearing to come from fellow academics at other schools. Links in the emails would direct the professors to pages that made it appear that they had accidentally logged out of their university account and needed to reenter their user credentials. All together, the campaign targeted more than 100,000 professors, and the Iranian hackers managed to successfully penetrate about 8,000 accounts, including 3,768 at US schools. One of the defendants, Mostafa Sadeghi, who the indictment labels a “prolific Iran-based computer hacker,” was single-handedly responsible for the compromise of more than 1,000 of those accounts, and helped train the others on hacking techniques.

The stolen data was used by the IRGC as well as sold through two websites, Megapaper.ir, which was partially owned by Sadeghi, and Gigapaper.ir. According to the indictment, Gigapaper offered stolen university credentials for sale so customers could directly access the online library resources, like electronic books and LEXIS-NEXIS databases, of US and foreign universities.

The hacking effort also targeted private sector companies, including media and entertainment companies, a law firm, two banking and investment firms, a healthcare company, and even a stock images company. In that effort, the indictment says, the hackers used “password spraying” tactics: they assembled publicly available lists of user emails and then attempted to log in to each one using a handful of common passwords. The approach gave them access to 36 American companies and 11 more in Europe. Once the hackers gained access to an account, they would both exfiltrate its existing contents and set up forwarding rules to pass future emails directly to themselves.
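The two behaviours in this paragraph, a spray shape in sign-in failures and a forwarding rule that sends mail off-site, are what a defender would look for in logs. The sketch below is an added example, not code from the indictment or WIRED; the one-line log format, the example.edu domain and the sample lines are constructed, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
# Constructed sample log lines (not from the indictment): sign-in results and mailbox-rule events.
LOG = """\
2018-03-20T09:00:01 auth FAIL user=alice@example.edu src=203.0.113.7
2018-03-20T09:00:02 auth FAIL user=bob@example.edu src=203.0.113.7
2018-03-20T09:00:03 auth FAIL user=carol@example.edu src=203.0.113.7
2018-03-20T09:00:04 auth FAIL user=dave@example.edu src=203.0.113.7
2018-03-20T09:00:05 auth OK user=erin@example.edu src=203.0.113.7
2018-03-20T09:00:06 auth FAIL user=frank@example.edu src=203.0.113.7
2018-03-20T09:01:00 mailrule user=erin@example.edu forward=collector@mail.example.net
2018-03-20T09:05:00 auth FAIL user=alice@example.edu src=198.51.100.9
2018-03-20T09:05:01 auth FAIL user=alice@example.edu src=198.51.100.9
2018-03-20T09:06:00 mailrule user=alice@example.edu forward=alice.archive@example.edu
"""
AUTH_RE = re.compile(r"^\S+ auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")
RULE_RE = re.compile(r"^\S+ mailrule user=(?P<user>\S+) forward=(?P<fwd>\S+)$")

def detect_spray(log, min_accounts=5, max_per_account=2):
    """Flag sources whose failures are spread thinly over many accounts (spray shape),
    not piled onto one account (brute-force shape); also list accounts they did open."""
    fails = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(set)
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # not a sign-in event
        if m["result"] == "FAIL":
            fails[m["src"]][m["user"]] += 1
        else:
            successes[m["src"]].add(m["user"])
    return {
        src: {"accounts": len(per_user), "hits": sorted(successes[src])}
        for src, per_user in fails.items()
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account
    }

def external_forwards(log, internal_domain="example.edu"):
    """Return (user, destination) for forwarding rules that send mail outside the
    organisation; the indictment describes such rules being added after takeover."""
    out = []
    for line in log.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # not a mailbox-rule event
        domain = m["fwd"].rsplit("@", 1)[-1].lower()
        if domain != internal_domain and not domain.endswith("." + internal_domain):
            out.append((m["user"], m["fwd"]))
    return out
```

The spray detector deliberately ignores the second source, which hammers one account, so that ordinary lockout alerting and spray alerting do not fire on the same event.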

Rosenstein said, “For many of these intrusions, the defendants acted at the behest of the Iranian government and, specifically, the Iranian Revolutionary Guard Corps.”

The campaign’s reliance on cut-outs rather than official military hackers, as China has used, was consistent with previous Iran-focused indictments brought by the Justice Department in recent years.

Almost exactly two years ago, in March 2016, the Justice Department brought charges against seven Iranians for their role in a lengthy and costly series of distributed denial-of-service attacks that targeted Wall Street and the financial sector, as well as penetrating the control systems of a dam in Rye, New York. While that indictment also stopped short of directly naming the Iranian government as responsible, it did note that the two companies that employed the seven hackers—the ITSec Team and Mersad Company—both worked closely with the IRGC, and that one of the hackers even “received credit for his computer intrusion work from the Iranian Government towards completion of his mandatory military service.”

Similarly, in another recent economic espionage case, the Justice Department charged three Iranians with breaking into a Vermont defense contractor to steal protected technology and then offer it for sale to entities like Tehran University, Sharif Technical University, and Shiraz Electro Optic Industry, a missile company owned by the Iranian military. That scheme was so successful that the mercenary hackers received certificates of appreciation from the Iranian military. “They are essentially nonsanctioned espionage groups,” Brian Wallace, a security expert at Cylance, explained at the time when that case became public. “The government doesn’t create them, they don’t own them. They operate and get almost all of their income from the government.”

Broadly, the effort to take public action against nation-state hackers is consistent with an approach adopted by the Obama administration’s Justice Department to move nation-state cybersecurity cases out of the shadows and to bring public prosecutions when possible. In May 2014, in the first-of-its-kind case, the Justice Department indicted five members of the Chinese military’s Unit 61398, its elite hacking team, for economic espionage.

Rosenstein at Friday’s press conference argued that such efforts were not an empty threat.

“[The Iranian] defendants are now fugitives from justice. There are more than 100 countries where they may face arrest and extradition to the United States. Thanks to [related sanctions by] the Treasury Department, the defendants will find it difficult to engage in business or financial transactions outside of Iran,” the deputy attorney general said. “By making clear the criminal actions have consequences, we deter schemes to victimize the United States, its companies, and its citizens, and we help to protect our foreign allies.”

Indeed, while Berman said that the government believes that all nine individuals are inside Iran right now, it’s not impossible that one of them could someday face a US courtroom. One of the three Iranians charged in the defense contractor hack, Nima Golestaneh, was caught while vacationing in Turkey and extradited to the United States, where he pleaded guilty.


Garrett M. Graff (@vermontgmg) is a contributing editor for WIRED and can be reached at garrett.graff@gmail.com.