The Department of Justice has announced the indictment of seven Iranian hackers alleged to work for the Iranian government on charges stemming from a coordinated string of distributed denial of service (“DDoS”) attacks, primarily against U.S. financial institutions, from 2011 to 2013. One of the hackers is also charged with hacking into the supervisory control and data acquisition (“SCADA”) systems of a dam in Rye, New York, outside of New York City, in 2013. Loretta E. Lynch, the Attorney General of the United States; Preet Bharara, the United States Attorney for the Southern District of New York; James B. Comey, Director of the Federal Bureau of Investigation; and John P. Carlin, Assistant Attorney General for National Security, announced the indictments on March 24th.
Importantly, the indictment explicitly states that the seven indicted men worked for two “private computer security companies based in the Islamic Republic of Iran that performed work on behalf of the Iranian Government, including the Islamic Revolutionary Guard Corps,” thereby linking the alleged hackers to the Iranian state. This is the second time the U.S. government has indicted alleged hackers for carrying out so-called state-sponsored attacks, following the 2014 indictments of five Chinese members of the People’s Liberation Army.
The DDoS attacks in question caused significant disruption to the U.S. financial services sector. The Department of Justice notes that the attacks “occurred on more than 176 days, disabled victim bank websites, prevented customers from accessing their accounts online, and collectively cost the banks tens of millions of dollars in remediation costs as they worked to neutralize and mitigate the attacks on their servers.”
The attacks on the Bowman Dam in Rye, New York also serve as an important reminder of the cybersecurity vulnerabilities in U.S. critical infrastructure facilities and assets. The indictment notes that one of the alleged hackers accessed the dam’s SCADA systems numerous times between August 28, 2013, and September 18, 2013. This access allowed the hacker to view information such as water levels, water temperature, and the status of the sluice gate, “which is responsible for controlling water levels and flow rates.” The indictment notes that such access “typically would have also permitted [the hacker] to remotely operate and manipulate the sluice gate,” but that “the sluice gate control had been manually disconnected for maintenance issues prior to the time [the hacker] gained access to the systems.” In other words, only a maintenance disconnection, not a security control, stood between the intruder and physical control of the gate. These types of intrusions into SCADA systems are increasingly commonplace, and are being used in some active conflicts to achieve physical effects, as seen in the recent blackouts in Ukraine caused by a malware attack, which some have speculated was carried out by Russian hackers.