In an unprecedented case of cyberespionage, on Friday, March 23rd, the U.S. Justice Department indicted nine Iranian hackers after discovering a “massive and brazen” scheme targeting universities, private companies, and government agencies. The indictments include charges of aggravated identity theft, wire fraud, and conspiracy to commit computer intrusions and, upon conviction, carry a penalty of more than four decades. The defendants are currently at large and have direct ties to the government of Iran, reportedly working for the country’s Islamic Revolutionary Guard Corps. In addition to the charges levied, the Treasury Department has placed sanctions on the individuals and on the company they were associated with, Mabna Institute.
The Iranian hackers ran a phishing scam against more than 100,000 U.S. university professors across 144 different institutions. They stole intellectual property, including academic research in technology, medicine, and other sciences, which could cost universities $3.4 billion.
They also infiltrated the information systems of 36 U.S. companies in a wide range of industries, from academic publishing to law firms and tech companies. For this attack, the hackers used a tactic known as “password spraying,” or trying common passwords on a list of known email addresses.
In their breach of government entities, the Iranian hackers used the same method to break into the accounts of personnel at the Department of Labor, the Federal Energy Regulatory Commission, the states of Hawaii and Indiana, Indiana’s Department of Education, the United Nations, and the United Nations Children’s Fund. Once inside, they stole all the emails associated with each account.
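Password spraying leaves a recognizable shape in sign-in logs: one source failing against many accounts with only a guess or two per account, unlike brute force against a single account. The detector below is an added example, not part of the original article; the log layout, addresses, account names, and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (time, source IP, account, result); layout is an assumption.
SAMPLE_LOG = """\
2018-03-01T09:00:05 203.0.113.7 alice@example.edu FAIL
2018-03-01T09:00:41 203.0.113.7 bob@example.edu FAIL
2018-03-01T09:01:17 203.0.113.7 carol@example.edu FAIL
2018-03-01T09:01:52 203.0.113.7 dave@example.edu FAIL
2018-03-01T09:02:30 203.0.113.7 erin@example.edu FAIL
2018-03-01T09:03:04 203.0.113.7 frank@example.edu OK
2018-03-01T09:05:00 198.51.100.4 bob@example.edu FAIL
2018-03-01T09:05:02 198.51.100.4 bob@example.edu FAIL
2018-03-01T09:05:04 198.51.100.4 bob@example.edu FAIL
2018-03-01T09:10:00 192.0.2.10 carol@example.edu FAIL
2018-03-01T09:10:20 192.0.2.10 carol@example.edu OK
"""

def parse(log):
    """Turn log text into (datetime, ip, account, result) tuples."""
    rows = (line.split() for line in log.strip().splitlines())
    return [(datetime.fromisoformat(ts), ip, user, res) for ts, ip, user, res in rows]

def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Return {ip: accounts it failed against} for sources that fan out over many accounts."""
    fails = defaultdict(list)
    for ts, ip, user, res in events:
        if res == "FAIL":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, rows in fails.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward
            per_account = Counter(user for _, user in rows[start:end + 1])
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                flagged[ip] = sorted({user for _, user in rows})
                break
    return flagged

def successes_from(events, flagged):
    """Accounts a flagged source logged in to: first candidates for reset and review."""
    return sorted({user for _, ip, user, res in events if res == "OK" and ip in flagged})

if __name__ == "__main__":
    print(detect_spray(parse(SAMPLE_LOG)))
```

A spray spread across many source addresses will not trip a per-IP rule, so the same fan-out test is worth running per user agent or per time bucket as well.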
All in all, these data breaches compromised 8,000+ accounts worldwide, with nearly half of them belonging to professors at U.S. universities. While the total cost and fallout from these attacks remain to be seen, the fact that a state-sponsored attack was successfully executed at this scale is troubling.
“For many of these intrusions, the defendants acted at the behest of the Iranian government and, specifically, the Iranian Revolutionary Guard Corps,” said Deputy Attorney General Rod Rosenstein in a statement to the press.
Even with advanced cybersecurity protocols and most people aware of the risks of cybercrime, nobody is immune from the threats facing us every day. It’s critical that we all take responsibility to secure personal information, and that of our families, employees, and customers, and remain vigilant in the protection of our identities.