The Department of Justice indicted 7 Iranian nationals today (March 24) on charges related to the "Operation Ababil" wave of cyberattacks upon U.S. bank websites that lasted from the fall of 2012 through the spring of 2013.
The attacks "disabled victim bank websites, prevented customers from accessing their accounts online, and collectively cost the banks tens of millions of dollars in remediation costs," a DoJ press release said. It also said that "the attacks did not affect or result in the theft of customer account data."
Each of the seven defendants was charged with one count of conspiracy to commit and aid and abet computer hacking. One man was also charged with obtaining and aiding and abetting unauthorized access to a protected computer, related to a September 2013 network intrusion of the Bowman Avenue Dam in Rye, New York, just north of New York City. No damage was incurred at the dam.
The massive distributed denial-of-service (DDoS) attacks knocked several banking sites offline at once, two or three times per week for extended periods. The affected institutions included Bank of America, Citibank, Wells Fargo, JPMorgan Chase, the New York Stock Exchange, PNC Bank, Capital One, Union Bank, Fifth Third Bank, HSBC, TD Bank, American Express and US Bancorp.
Claiming credit was a previously unknown group calling itself the Izz Ad-Din Al-Qassam Cyber Brigades, which called its attack Operation Ababil and posted manifestoes online in English and Arabic demanding that the notorious "Innocence of Muslims" video be removed from YouTube.
However, U.S. intelligence officials quickly said that the attacks came not from a religiously motivated "hacktivist" group, but instead from Iranian government entities. At the time, the sheer power of the attacks was thought to be out of range for hacktivists, but subsequent, unrelated DDoS attacks proved that wrong.
The indictments allege that the seven men were employed by two Iranian companies, ITSecTeam or ITSEC and Mersad Company. Both companies were seemingly controlled by Iran's Revolutionary Guard Corps, the former street fighters who have become as militarily powerful as Iran's regular armed forces and control large sectors of the Iranian economy.
Three men — Ahmad Fathi, Hamid Firoozi and Amin Shokohi — are alleged to have been ITSec employees. Sadegh Ahmadzadegan, aka "Nitr0jen26," Omid Ghaffarinia, aka "Plus," Sina Keissar and Nader Saedi, aka "Turk Server," all apparently worked at Mersad. Fathi and Firoozi are 37 and 34, respectively; the other five defendants are all in their mid-20s. Each faces up to 10 years in prison for the banking attacks.
Firoozi is alleged to have been the person who penetrated the Bowman Avenue Dam's control systems and gathered "information regarding the status and operation of the dam, including information about the water levels and temperature, and the status of the sluice gate, which is responsible for controlling water levels and flow rates," according to the indictment. He faces an additional five years in prison for that.
The Bowman Avenue Dam intrusion is really not much of a hack, and security researchers snooping online often find similar industrial-control systems left unprotected or lightly protected. The indictment alleges that Firoozi could have opened the dam's sluice gate had it not been manually disabled at the time, but that would have had to take place during heavy rains to cause even localized flooding.
As with the five Chinese military personnel indicted in 2014 for alleged industrial espionage, the U.S. does not expect the Iranian defendants to appear in court any time soon.