The U.S. Department of Justice (DoJ) has indicted nine Iranian nationals on cyberespionage-related charges over cyberattacks that resulted in the theft of more than 30TB of data from domestic and foreign universities, commercial companies and government institutions.
According to the indictment, the suspects were either leaders, contractors, associates, hackers-for-hire or affiliates of an Iranian commercial entity called the Mabna Institute. This company engaged in cyberespionage on behalf of the Islamic Revolutionary Guard Corps, one of Iran’s military intelligence agencies, as well as on behalf of other Iranian government clients, such as universities and research organizations that would benefit from the stolen data.
Since at least 2013, hackers associated with the Mabna Institute have allegedly broken into computer systems belonging to 144 universities in the United States and 176 universities in 21 other countries, 47 domestic and foreign companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations and the United Nations Children’s Fund, the DoJ said.
Prosecutors estimate that these breaches resulted in the theft of at least 31.5 terabytes of academic data, including academic journals, theses, dissertations, electronic books, intellectual property, emails and other confidential documents and files. By the DoJ’s estimate, U.S.-based universities alone had spent approximately $3.4 billion to procure and gain access to this data.
Universities from Australia, Canada, China, Denmark, Finland, Germany, Ireland, Israel, Italy, Japan, Malaysia, the Netherlands, Norway, Poland, Singapore, South Korea, Spain, Sweden, Switzerland, Turkey and the UK were also affected. Victims also included 36 companies from the United States and 11 private companies from Germany, Italy, Switzerland, Sweden and the UK.
In the case of universities, the attackers targeted professors with well-crafted spearphishing emails. First, they researched each target’s field of interest and published articles, then sent spoofed emails that appeared to come from other professors working in the same areas of research.
The emails contained links to supposed academic articles, but the links led instead to phishing sites that mimicked the login pages of the victims’ own university systems. The goal was to steal the victims’ credentials and use them to pull whatever academic data and library resources those accounts could reach.
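The lure described above has a recognisable shape: a link whose visible text or whose domain trades on the university’s name, but whose actual host is somebody else’s. The following is an added example, not code from the indictment or from any university in the case; it triages a handful of constructed links against an assumed set of legitimate login hosts for a hypothetical institution (example.edu), using four heuristics that a mail gateway or a SOC analyst’s script would typically combine: brand name embedded in a foreign domain, a one-edit typosquat, display text that names a different host than the link target, and a login page on plain HTTP.

```python
"""Triage e-mail links against a university's genuine login hosts.

Added example for this article, not code from the DoJ case. The legitimate
hosts, the protected domain and the sample links are constructed assumptions.
"""
from urllib.parse import urlparse

# Assumed legitimate login hosts of a hypothetical university, example.edu.
LEGIT_HOSTS = {"login.example.edu", "sso.example.edu", "library.example.edu"}
PROTECTED_DOMAIN = "example.edu"   # the registrable domain phishers would imitate

# Constructed (url, display text) pairs of the kind the article describes:
# a "full text" link that really goes to a look-alike login page.
SAMPLE_LINKS = [
    ("https://library.example.edu/articles/1234", "Full text (PDF)"),
    ("https://example.edu.login-verify.com/sso", "library.example.edu"),
    ("http://login.examp1e.edu/auth", "login.example.edu"),
    ("https://sso-example-edu.net/idp", "Sign in to read this paper"),
    ("https://doi.org/10.1000/xyz123", "https://doi.org/10.1000/xyz123"),
]


def levenshtein(a, b):
    """Edit distance between two strings; catches typosquats such as examp1e.edu."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of the host. A simplification (no public-suffix list):
    fine for .edu/.com/.net, wrong for co.uk-style suffixes."""
    return ".".join(host.lower().split(".")[-2:])


def triage_link(url, display_text):
    """Return the list of reasons a link looks like a credential-phishing lure.
    An empty list means none of the heuristics fired."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in LEGIT_HOSTS:
        return reasons
    reg = registrable_domain(host)
    # 1. Protected domain used as a subdomain of, or blended into, a foreign domain
    #    (example.edu.login-verify.com, sso-example-edu.net).
    brand = PROTECTED_DOMAIN.replace(".", "")
    if reg != PROTECTED_DOMAIN and brand in host.replace(".", "").replace("-", ""):
        reasons.append(f"brand '{PROTECTED_DOMAIN}' embedded in foreign domain {reg}")
    # 2. Registrable domain one edit away from the protected domain (typosquat).
    if reg != PROTECTED_DOMAIN and levenshtein(reg, PROTECTED_DOMAIN) <= 1:
        reasons.append(f"typosquat: {reg} is one edit from {PROTECTED_DOMAIN}")
    # 3. Display text names a host, and it is not the host the link goes to.
    shown = urlparse("//" + display_text.split("://")[-1]).hostname
    if shown and "." in shown and shown.lower() != host:
        reasons.append(f"display text says {shown}, link goes to {host}")
    # 4. Login-looking URL served over plain HTTP.
    if parsed.scheme == "http" and any(k in url.lower() for k in ("login", "auth", "sso")):
        reasons.append("login page served over plain HTTP")
    return reasons


def triage_all(links=SAMPLE_LINKS):
    """Map every sample URL to its list of reasons."""
    return {url: triage_link(url, text) for url, text in links}


if __name__ == "__main__":
    for url, reasons in triage_all().items():
        print(url, "->", reasons or "clean")
```

On the constructed sample the two clean links (the university’s own library host and a DOI) produce no findings, while the three look-alikes are each flagged on at least one heuristic; the typosquat trips three. The registrable-domain helper is deliberately naive, so for production use swap in a public-suffix-aware library.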
In the case of companies, the hackers used brute-force password guessing to break into employees’ email accounts. Once inside, they downloaded the contents of the mailboxes and set up forwarding rules so that future incoming and outgoing messages were also delivered to the attackers.
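Both halves of that company-side tradecraft leave evidence that a defender can look for: a burst of failed logins (on one account, or spread thinly across many accounts from one address) followed by a success from the guessing address, and a mailbox rule that forwards to an external domain. The following is an added example, not code from the case; the event format, thresholds, internal mail domain and all sample data are constructed assumptions.

```python
"""Detect password guessing against mailboxes and exfiltrating forwarding rules.

Added example for this article, not code from the DoJ case. The event format,
thresholds, mail domain and sample data below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ORG_DOMAIN = "corp.example"      # assumed internal mail domain
WINDOW = timedelta(minutes=30)    # sliding window for counting failures (assumption)
FAIL_THRESHOLD = 10               # failures on one account within WINDOW -> brute force
SPRAY_THRESHOLD = 5               # distinct accounts failed from one IP -> spray

T0 = datetime(2018, 3, 1, 8, 0, 0)


def _ev(offset_s, user, ip, result):
    return (T0 + timedelta(seconds=offset_s), user, ip, result)


# Constructed authentication events: (timestamp, account, source IP, result).
AUTH_EVENTS = (
    # bob: 12 failures in under 8 minutes from one address, then a success from it
    [_ev(40 * i, "bob", "198.51.100.20", "FAIL") for i in range(12)]
    + [_ev(600, "bob", "198.51.100.20", "SUCCESS")]
    # alice: two typos, then a successful login from her usual address
    + [_ev(100, "alice", "192.0.2.10", "FAIL"), _ev(130, "alice", "192.0.2.10", "FAIL"),
       _ev(160, "alice", "192.0.2.10", "SUCCESS")]
    # one address trying six different accounts once each (a spray)
    + [_ev(900 + 30 * i, u, "203.0.113.7", "FAIL")
       for i, u in enumerate(["alice", "carol", "dave", "erin", "frank", "grace"])]
)


def _max_in_window(times, window=WINDOW):
    """Largest number of timestamps that fall inside any interval of length window."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_password_guessing(events=AUTH_EVENTS):
    """Return accounts under brute force, spraying source IPs, and the accounts a
    guessing IP later logged into successfully (treat those as compromised)."""
    fails_by_user = defaultdict(list)
    fails_by_ip = defaultdict(lambda: defaultdict(list))   # ip -> user -> fail times
    successes = defaultdict(list)                           # user -> [(time, ip)]
    for ts, user, ip, result in events:
        if result == "FAIL":
            fails_by_user[user].append(ts)
            fails_by_ip[ip][user].append(ts)
        else:
            successes[user].append((ts, ip))
    bruteforce = sorted(u for u, ts in fails_by_user.items()
                        if _max_in_window(ts) >= FAIL_THRESHOLD)
    # A spray is many distinct accounts failing from one IP inside one window;
    # each account's first failure from that IP is what gets counted.
    spray = sorted(ip for ip, per_user in fails_by_ip.items()
                   if _max_in_window([min(t) for t in per_user.values()]) >= SPRAY_THRESHOLD)
    compromised = sorted(
        u for u in bruteforce
        if any(u in fails_by_ip.get(ip, {}) and ts > max(fails_by_ip[ip][u])
               for ts, ip in successes[u]))
    return {"bruteforce": bruteforce, "spray": spray, "compromised": compromised}


# Constructed mailbox rules in the shape an admin export might use (assumed fields).
FORWARDING_RULES = [
    {"mailbox": "bob@corp.example", "name": ".", "forward_to": "b.archive@mail-example.net",
     "delete_original": True, "enabled": True},
    {"mailbox": "alice@corp.example", "name": "to assistant", "forward_to": "dave@corp.example",
     "delete_original": False, "enabled": True},
    {"mailbox": "carol@corp.example", "name": "old", "forward_to": "carol@gmail.example",
     "delete_original": False, "enabled": False},
]


def audit_forwarding(rules=FORWARDING_RULES, org_domain=ORG_DOMAIN):
    """Flag enabled rules that send mail outside the organisation, tagging the
    covert-looking traits: a blank or one-character name, and deleting the original."""
    findings = []
    for r in rules:
        if not r["enabled"]:
            continue
        if r["forward_to"].rsplit("@", 1)[-1].lower() == org_domain:
            continue
        tags = ["external"]
        if len(r["name"].strip()) <= 1:
            tags.append("hidden-name")
        if r["delete_original"]:
            tags.append("deletes-original")
        findings.append((r["mailbox"], r["forward_to"], tags))
    return findings


if __name__ == "__main__":
    print(detect_password_guessing())
    print(audit_forwarding())
```

On the constructed data, bob is flagged for brute force and then as compromised because the same address that guessed his password later succeeded, 203.0.113.7 is flagged as a spraying source even though it failed only once per account, alice’s two typos stay below both thresholds, and only bob’s external, hidden, delete-on-forward rule is reported. The spray check matters in practice because a per-account lockout threshold alone never sees it.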
This is not the first time the U.S. government has named and indicted hackers involved in cyberespionage operations believed to have been ordered or coordinated by foreign intelligence agencies, but it is one of the largest state-sponsored hacking campaigns ever prosecuted by the DoJ.
“I expect the Iranian government to use a plausible deniability defense and claim that these rogue hacking groups aren’t affiliated with Tehran,” said Sam Curry, CSO of security firm Cybereason, via email. “Any nation state, Iran in this case, can say these were rogue groups, but when there is overwhelming proof, the circumstantial evidence can pile up.”
“What’s also interesting about today’s indictments is that the 2015 nuclear deal struck between Iran, the U.S. and six other countries lifted crippling economic sanctions in return for the disarmament of their nuclear weapon program,” he said. “Many experts point toward this agreement as the main reason cyberattacks originating from Tehran have significantly diminished. But the DoJ’s announcement shows a nation that continued its hacking operations in the face of this agreement.”
That governments engage in cyberespionage will surprise no one. This case should still worry organizations, however, because it shows that hackers—state-sponsored or otherwise—don’t need sophisticated malware or zero-day exploits to be highly successful. Relatively simple techniques such as spearphishing and brute-force password guessing remain very effective and can produce massive data breaches.
Training employees to recognize phishing and other social-engineering attacks, enforcing strong password policies, deploying two-factor authentication and tightly controlling what data each employee can access would probably have prevented many of these intrusions or limited their impact. Two-factor authentication in particular addresses both techniques described here, since a phished or guessed password alone would no longer have been enough to log in, although a phishing page that relays one-time codes in real time can still defeat weaker second factors.