Threat Management, Threat Management, Threat Intelligence, Malware, Phishing

Nine Iranians indicted over alleged state-sponsored hacking of universities, companies and governments

USA v Rafatnejad et al

The Department of Justice today leveled a series of federal charges against nine members of an Iranian firm, which officials say worked on behalf of the Islamic Revolutionary Guard Corps (IRGC) and other Iranian clients to steal email credentials and more than 31 terabytes of files from universities, companies, government agencies and non-governmental organizations.

The announcement followed a Manhattan court's unsealing of a seven-count indictment alleging that the Iranians engaged in a coordinated campaign to steal proprietary research, data and intellectual property from a wide range of targets, including 144 U.S. universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana and its Department of Education, the United Nations, and the United Nations Children's Fund. 

A DOJ press release identifies the defendants as Gholamreza Rafatnejad, 38; Ehsan Mohammadi, 37; Abdollah (aka Vahid) Karima, 39; Mostafa Sadeghi, 28; Seyed Ali Mirkarimi, 34; Mohammed Reza Sabahi, 26; Roozbeh Sabahi, 24; Abuzar Gohari Moqadam, 37; and Sajjad Tahmasebi, 30 -- all citizens and residents of Iran who allegedly worked in some capacity for a firm called the Mabna Institute.

DOJ officials claim the Mabna Institute successfully hacked nearly 8,000 professor email accounts at 144 U.S. universities (and 176 more around the world), exfiltrating assets that American universities spent close to $3.4 billion on procuring and maintaining during the course of the malicious campaign. The firm would then allegedly sell or distribute the stolen data to Iranian universities and other clients, supplying them with scientific research and intelligence that they could not obtain through honest means.

According to the indictment, the accused hackers performed reconnaissance on tens of thousands of university professors to ascertain their research interests, before launching spear phishing campaigns against their chosen targets.

The phishing emails were designed to look like correspondence from fellow professors expressing an interest in a victim's published articles, and contained links to what supposedly were additional articles. However, when victims clicked on the link, they were actually redirected to a malicious phishing domain that appeared to be a log-in page for their own university network -- a ruse intended to make them think they were logged out of the system so they would enter their credentials, thus exposing them. In total, over 100,000 professor accounts were targeted during the course of the operation, the indictment states.

The private-sector companies that were targeted outside of the university operations included three academic publishers, two media and entertainment companies, a law firm, 11 tech companies, five consulting firms, four marketing firms, two banking/investment firms, two online car sales companies, a health business, an employee benefits company, an industrial machinery company, a biotechnology company, a food and beverage enterprise and a stock images company.

The nine defendants were charged in the U.S. Southern District of New York with one count of conspiracy to commit computer intrusions, one count of conspiracy to commit wire fraud, two counts of unauthorized access of a computer, two counts of wire fraud, and one count of aggravated identity theft. Pooled together, these charges are punishable by up to 77 years in prison.

Meanwhile, the Department of the Treasury's Office of Foreign Assets Control (OFAC) has designated the Mabna Institute and all nine defendants for sanctions, effectively blocking their assets. In addition, the OFAC imposed sanctions on a tenth individual, Behzad Mesri, who was indicted last November for allegedly hacking HBO's servers in order to steal data in a $6 million extortion plot.

"Hostile individuals, organizations and nation-states have taken note of our success. They increasingly attempt to profit from America's ingenuity by infiltrating our computer systems, stealing our intellectual property, and evading our controls on technology exports," said Deputy Attorney General Rod Rosenstein in prepared remarks today. "When hackers gain unlawful access to computers, it can take only a few minutes to steal discoveries produced by many years of work and many millions of dollars of investment. That type of criminal activity does not just cause economic harm. It also threatens our national security."

"We will not tolerate the theft of U.S. intellectual property, or intrusions into our research institutions and universities said Treasury Under Secretary Sigal Mandelker in a departmental press release. "Treasury will continue to systematically use our sanctions authorities to shine a light on the Iranian regime's malicious cyber practices, and hold it accountable for criminal cyberattacks."

The defendants also allegedly sold stolen data, as well as access to hijacked accounts, through two websites, Megapaper.ir and Gigapaper.ir, known as Megapaper and Gigapaper, respectively. The DOJ says the former was operated by Karima's through a business called the Falinoos Company, while the latter was also affiliated with him.

Researcher Collin Anderson, who recently co-authored a paper about the Iran cyber threat for the Carnegie Endowment for International Peace, posted on Twitter today that the indictment "demonstrates a common pattern," noting that Iran typically "uses proxies online" do to its bidding "and its behavior is dictated by regional politics."

The indictment comes in uncertain times, as the Trump administration ponders the future of the Joint Comprehensive Plan of Action (JCPOA), informally known as the nuclear accord reached between the U.S. and Iran in October 2015. Some analysts believe this agreement prompted Tehran to scale back on major disruptive cyberattacks against the U.S., in anticipation of lighter sanctions against the Middle Eastern regime. However, if proven true, this latest reported incident suggests that Iran continues to aggressively hack targets behind the scenes.

Adam Meyers, VP of Intelligence at CrowdStrike, said in emailed comments that “CrowdStrike Intelligence has assessed the theft of universities' intellectual property is part of an apparent effort by Iran to obtain information that is denied to them because of existing sanctions."

"On March 21, 2018, CrowdStrike Intelligence observed cyber operations targeting academic institutions for the purpose of stealing research," Meyers added, noting that for years Iran has also been observed targeting the fields of aviation, defense, energy, financial, manufacturing, telecommunications and high-tech.

Almost two years ago to the day, the DOJ announced indictments against seven other Iranians for launching distributed denial of service attacks against the financial sector. One of the defendants, Hamid Firoozid, was also charged with illegally intruding into the Supervisory Control and Data Acquisition (SCADA) systems of the Bowman Dam in Rye, N.Y.

Phil Neray, VP of industrial cybersecurity at CyberX, raised the concern in emailed comments that the indictment's reference to the compromise of an industrial machinery company could represent another attempt on Iran's part "to steal proprietary design information about ICS/SCADA systems, which could later be used to compromise critical infrastructure."

U.S. officials understand that it is unlikely they will be able to apprehend and extradite the defendants as long as they stay within Iran's borders. Nevertheless, authorities believe that stripping the alleged hackers of their anonymity by naming and shaming them is among the next best available options.

The announcement comes almost two years to the day from a previous indictment against seven Iranian hackers who broke into a New York dam. It also comes at a time that the Trump adminsitration continues to reassess the nuclear deal with Iran adminst sanctions leveled against the regime.
Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.