In a rare sweeping indictment against alleged foreign hackers, the Justice Department on Thursday charged seven Iranians for breaking into the computer network of a small New York dam and for digital attacks against more than 40 US banks.
The indictment unveiled by US Attorney General Loretta Lynch charges the Iranians in a campaign of distributed denial of service, or DDoS, attacks that targeted 46 American companies between 2011 and 2013. Additionally, the indictment names one of the alleged hackers for a 2013 attack on a small dam in upstate New York.
"The attacks were relentless, systematic, and widespread," Ms. Lynch said in a press conference Thursday. "We believe that they were conducted with the sole purpose of undermining the targeted companies and damaging the online operation of America’s free market."
The DDoS attacks struck at the heart of the US financial system – affecting banks such as JP Morgan and Bank of America, as well as the New York Stock Exchange and Nasdaq. Justice officials said the attacks cut off hundreds of thousands of customers from their bank accounts and they suspect the hackers – who the government says worked for Iranian tech companies – conducted the attacks with the consent and knowledge of Iran's powerful Islamic Revolutionary Guard Corps.
Thursday’s announcement is just the second time the US government has charged foreigners with computer crimes against US entities and the first such charges that involve attacks on US critical infrastructure. In 2014, the Justice Department indicted five Chinese nationals associated with China’s People’s Liberation Army for allegedly breaching US companies.
FBI Director James Comey said the fact that the US is reaching across borders to pursue computer crimes could deter similar attacks in the future. "There is no place safe in this increasingly small world," he said.
The Manhattan US Attorney's Office charged each of the seven hackers with conspiring to commit, aid, and abet computer hacking for their roles in the denial-of-service attacks against US companies. The charges carry a maximum 10-year prison sentence. Hamid Firoozi, who the government has charged with breaking into the New York dam, faces an additional count of computer hacking.
If the government's previous charges against foreigners in computer crimes cases are any indication, it's unlikely the Iranian government will extradite the suspected hackers to face the charges in US courts. The five Chinese nationals from the 2014 indictment have not appeared in US court.
Justice Department officials refused to comment on how they identified the alleged Iranian hackers.
"It’s great police work, great intelligence to get down to this level," said Jason Healey, a cybersecurity expert and senior research scholar at Columbia University's School of International and Public Affairs.
But, said Mr. Healey, the government isn't just going after a few individuals with this case; it is sending a message to Iran that the US won't tolerate a growing number of cyberattacks originating from the Islamic Republic. "The US is trying to make a full case for dropping the threshold and trying to cool down cyberconflict quite a bit."
Still, other experts worry that bringing criminal charges against suspected hackers may compel other nations to pursue charges against the US over digital espionage or other activities in cyberspace. "If foreign governments actually take our lead, we would start to see US military and intelligence professionals on [wanted] posters in China, Russia, Iran and other places," said Robert M. Lee, chief executive of the security firm Dragos Security and a former US Air Force cyber officer. "That is something we should seriously want to avoid."
What's more, said Mr. Lee, the government should be more transparent when it comes to explaining how it pinpointed the individuals named in the indictment. An expert in industrial control systems, Lee doubts the government's claim that Mr. Firoozi, who the government charged for the attack on the Bowman Avenue Dam in Rye, N.Y., penetrated the facility's control systems, allowing him to manipulate water levels at the facility. Lee said the dam did not have those systems in place.
Rep. Adam Schiff (D) of California, the House Intelligence Committee's ranking member, said the charges "should serve as a strong message to all hackers, whether criminals or nation states, that their anonymity is not guaranteed online."
The charges come on the heels of major developments in two Justice Department hacking cases this week. On Wednesday, Chinese businessman Su Bin pleaded guilty to siphoning sensitive military data from US defense contractors and sending it to China – including plans for fighter jets and US Air Force cargo planes. Also, the agency charged three members of the Syrian Electronic Army – a pro-government hacking group – for engaging in spear-phishing, extortion, and hijacking the Associated Press Twitter account and the US Army’s website.