Washington: The Trump administration on Friday announced sanctions and criminal indictments against an Iranian hacker network it said was involved in “one of the largest state-sponsored hacking campaigns” ever prosecuted by the United States, targeting hundreds of US and foreign universities, as well as dozens of US companies and government agencies, and the United Nations.
None of the alleged hackers were direct employees of the Iranian government, but all worked at the behest of the Iranian Revolutionary Guard Corps, officials said. While not the first such punishments imposed on Iran for malicious cyber acts, the new measures address more extensive Iranian efforts than previously alleged.
Nine of 10 named individuals were connected to the Mabna Institute, a Shiraz-based tech firm that the Justice Department alleged hacks on behalf of Iranian universities and the IRGC. The institute conducted “massive, coordinated intrusions” into the computer systems of at least 144 US universities and 176 foreign universities in 21 countries, including Britain and Canada, officials said.
They stole more than 31 terabytes of data and intellectual property - the rough equivalent of three Libraries of Congress - from their victims, prosecutors alleged. Much of it ended up in the hands of the IRGC, which has frequently been accused of stealing information to further its own research and development of weaponry. The Corps is the division of Iran’s security forces charged with overseeing Iranian proxy forces abroad and is under the direct control of the country’s religious leaders.
“Today, in one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice, we have unmasked criminals who normally hide behind the ones and zeros of computer code,” said Geoffrey S. Berman, US attorney for the Southern District of New York, in a statement.
“Iran is engaged in an ongoing campaign of malicious cyber activity against the United States and our allies,” said Sigal Mandelker, the Treasury Department’s undersecretary for terrorism and financial intelligence. “We will not tolerate the theft of US intellectual property, or intrusion into our research institutions and universities.”
Also sanctioned was Behzad Mesri, who US prosecutors announced last November had been indicted for allegedly hacking into HBO and stealing unaired episodes of programs including “Game of Thrones,” which he threatened to release unless he was paid $6 million.
As a result of the indictments, officials said, the defendants cannot travel to more than 100 countries without fear of arrest and extradition to the United States.
The sanctions block any transactions with those named and freeze any assets they may have under US jurisdiction. Indictments charge the nine Mabna associates with stealing proprietary data, including logins and personal information that allowed access to intellectual property.
The actions are part of a concerted effort by the Trump administration to expose and penalize cyber foes. They also form part of a broad strategy, officials said, for combating “malign activities” by Iran that fall outside the scope of the nuclear agreement it signed with the United States and others three years ago.
President Trump has charged that the agreement itself, negotiated by the Obama administration, is flawed and he has vowed to withdraw from it if its shortcomings are not addressed by mid-May. That is when he must decide whether to renew a presidential waiver of US sanctions lifted in exchange for Iran’s reversal of an alleged nuclear weapons program.
Even as Trump has considered scrapping the deal, he has sought to punish Iran for other activities, including the development of long-range ballistic missiles, its use of proxy forces in Syria and Yemen, and the buildup of asymmetric capabilities, including cyber warfare.
The measures come a week after the administration publicly blamed Russia for unleashing a computer worm, NotPetya, that caused billions of dollars in damage to companies around the world, highlighted Russia’s targeting of US critical infrastructure with potentially destructive cyber implants, and placed sanctions on more than a dozen Russian individuals and organizations for their role in interfering in the 2016 election.
In December, the White House declared that North Korea was behind a cyber virus, WannaCry, that affected more than 230,000 computers in 150 countries.
Friday’s actions are “yet one more step in an overall strategy of calling out bad behaviour and imposing costs,” said Rob Joyce, the White House cybersecurity coordinator.
The Mabna hacking campaign began in 2013, continuing through at least December, and broadly targeted academic data and intellectual property from the universities, including journals, theses, dissertations, and electronic books - about $3.4 billion worth of data, the Justice Department said.
The defendants in some cases sold the stolen data through two Iranian websites, Megapaper and Gigapaper. Megapaper was operated by Falinoos Company, controlled by one of the defendants, Abdollah Karima, and Gigapaper was affiliated with Karima, officials said. Gigapaper sold a service to customers in Iran allowing them to use compromised university professor accounts to access the online library systems of some US-based and foreign universities, they said.
The Trump administration used a cyber sanction authority created by its predecessor, which first used the tool against Russian actors in December 2016 for interfering in the election. The administration used it in sanctioning the Russians last week.
In March 2016, the Justice Department unsealed an indictment against seven Iranian individuals working for two Iran-based computer companies, which conducted denial-of-service computer attacks against US banks in 2012. Treasury followed up with sanctions.
Such actions so far appear to have had limited effect, analysts say, noting that sanctions won’t affect individuals with no property in the United States or who are unlikely to travel there.
Officials say targets have occasionally slipped up and flown to countries with extradition treaties with the United States. Joyce, the White House cybersecurity coordinator, said some targets and their colleagues have been overheard worrying about their ability to travel, attend conferences and take vacations.
Another motive in taking action is to prod misbehaving states to adhere to international norms for cyberspace agreed to at the United Nations in 2015.
“A norm isn’t a norm until you get people to live by it,” Joyce said. “And its clear that the norms we agreed to in 2015 didn’t significantly change the behavior of malicious actors in a small group of countries - Russia, North Korea, Iran and China. So we feel we need to take action.”
The theft of universities’ intellectual property is part of an apparent effort by Iran to obtain information that is denied to them because of existing sanctions, said Adam Meyers, vice president of intelligence at CrowdStrike, a cybersecurity firm. Iran has resorted to hacking to acquire information in the fields of aviation, defence, energy, financial, manufacturing, telecommunications and high-tech.
The indictment and sanctions are part of a broader strategy by the administration to make clear that attribution is possible even when a state uses third parties or proxies to carry out their malicious acts. With such actions, “we’re getting a clearer picture of the Iranian actors who are not part of the government but are supporting activities on behalf of the Iranian regime,” said Tim Maurer, author of the book “Cyber Mercenaries.”
Only five or six years ago Iran’s cyber capabilities were nascent. But the regime has made strides, developing and deploying a computer virus, Shamoon, that wiped data from energy companies in Saudi Arabia and Qatar.
In a program started under the George W. Bush administration, and continued by President Barack Obama, the United States and Israel allegedly hacked into Iranian government accounts, installing a virus that set back Iran’s nuclear program.
Friday’s announcement, some analysts said, shows that the administration can address its concerns with the IRGC in a way that is consistent with maintaining the safeguards contained in the nuclear deal.
“So while this administration has pointed out a number of things they see as inadequate in the Iran deal, they are in fact demonstrating an ability to address their concerns in a way that is compliant” with the deal, said Elizabeth Rosenberg, a senior fellow at the Centre for a New American Security and a former senior Treasury Department official.
Besides Karima, the sanctions and indictments named the following individuals affiliated with Mabna: Gholamreza Rafatnejad, co-founder and organiser of the hacking campaign; Ehsan Mohammadi, co-founder who helped organize the campaign; Seyed Ali Mirkarimi; Mustafa Sadeghi; Sajjad Tahmasebi; Abuzar Gohari Moqadam; Roozbeh Sabahi and Mohammad Reza Sabahi.
