U.S. Charges Iranians for Hacking New York Dam, Banks

The DOJ charged seven hackers for their calculated campaign of cyberattacks

Mar 24, 2016 at 2:38 PM ET

In landmark allegations, the U.S. has identified and formally charged seven Iranians with state-sponsored cyberattacks on the U.S.

The charges fall into three major categories: Accessing the online controls of a dam outside of New York City, and two sustained, distinct DDoS campaigns designed to knock groups of banks, most of them American, offline during U.S. business hours.

Iranian hackers had previously claimed responsibility for the attack on the Bowman Avenue Dam in Rye Brook, New York, in 2013. Attackers remotely hacked a computer that provided access to the dam’s controls, but no one was formally charged until Thursday, when Preet Bharara, U.S. Attorney for the Southern District of New York, named the perpetrator as Hamid Firoozi. Though the compromised computer gathered water levels and temperature, and could control the dam’s sluice gate, and though it was accessed multiple times over the course of several weeks, no physical damage was done—possibly because the sluice gate was manually disconnected for maintenance at the time.

The U.S. is no stranger to what a sufficiently sophisticated cyberattack can do to a country’s infrastructure. In 2010, a worm called Stuxnet, reportedly created as a joint U.S.-Israel attempt to remotely and clandestinely hamper Iran’s nuclear program, caused significant damage to a number of Iranian nuclear centrifuges, and is believed to have considerably delayed Iran’s nuclear research.

As is often the case with international cyberattacks, the legal questions surrounding both Stuxnet and the Bowman Avenue Dam are foggy.

“A nation could only, at best, legally respond to stop an ongoing attack that was causing them pain,” Jason Healey, a Senior Fellow for the Cyber Statecraft Initiative of the think tank the Atlantic Council, told Vocativ. “That clearly doesn’t seem to be the case here.”

The Iranian hackers also allegedly engaged in a common hacker tactic, albeit at a large scale: compromising thousands of computers to create a botnet that hit banking websites in a Distributed Denial of Service (DDoS) attack. Overwhelmed with traffic, the sites would become slow or wouldn’t respond to users at all. Though it declined to share specifics, the Department of Justice claimed that the cumulative cost of hundreds of thousands of customers not being able to use online banking services, plus the cost of restoring service, cost the industry tens of millions of dollars.

Those attacks occurred in two waves. The first started in December 2011, and focused on at least seven banks, NASDAQ, and the New York Stock Exchange. The second, which Bharara says was the handiwork of a separate hacking team, started in September 2012 and targeted at least 23 banks, most of them American, and the New York Stock Exchange. Both attacks stopped in 2013.

Lest there be any doubt that these attacks were state-sanctioned, Bharara wrote in his indictment that one of those hackers received credit toward his mandatory military service for the DDoS attacks, and that he trained fellow members in the military.

What that means for the future of U.S.-Iranian relations is unclear. The State Department, which in July reached a landmark nuclear agreement with Iran, didn’t respond to a request for comment.

“[W]e can understand [Iran’s] motivation for tit-for-tat attacks against the bank, though these are clearly outside of existing norms and were targets that had zero to do with Stuxnet,” Healey said. “To the dam, the indictment doesn’t claim the Iranians ever tried or even intended to cause immediate harm. This would in the U.S. be considered relatively routine” intelligence gathering against a potential target, he said.