The US has indicted seven Iranians for bombarding Wall Street with distributed denial-of-service (DDoS) attacks that crippled 46 financial institutions between 2011 and 2013.
The seven men worked for two private security firms based in Iran — ITSec Team and Mersad — that do work on behalf of the Iranian government. That includes working with the Islamic Revolutionary Guard Corps, which is one of the government’s intelligence arms.
The court document detailed the series of attacks:
The U.S. Financial Industry DDoS Attacks impacted, at a minimum, approximately 46 major financial institutions and other financial-sector corporations in the United States over a total of at least approximately 176 days of DDoS attacks. On certain days during these attacks, hundreds of thousands of customers were unable to access their bank accounts online. As a result of these attacks, those victim institutions incurred tens of millions of dollars in remediation costs as they worked to mitigate and neutralize the attacks on their computer servers.
The Feds say that the attacks on the financial industry began around December 2011.
ITSec Team and Mersad allegedly created botnets comprising thousands of malware-infected slave computers that they ordered to fire-hose Wall Street. Those botnets were launched off equipment that included servers leased in the US.
The DDoS attacks were sporadic until about September 2012, when they were ratcheted up to the point of occurring nearly weekly, typically between Tuesdays and Thursdays during normal business hours in the US.
They kept up, with gusto, until about May 2013.
From the indictment:
During the course of this coordinated campaign, victims’ computer servers were hit with as much as approximately 140 Gigabits of data per second which, depending on the victim institution, was up to as much as three times the entire operating capacity of a victim institution’s servers.
The targets included financial heavyweights like Bank of America, NASDAQ, and the New York Stock Exchange.
One of the defendants, Hamid Firoozi, also allegedly hacked into the Bowman Avenue Dam near Rye Brook, New York.
Rye Brook Mayor Paul Rosenberg told CNN that the dam is used to control water flow when it rains, to prevent flooding downstream.
Rosenberg said that the dam’s managed by a piece of software that’s “industry standard” and “very common.”
Remote access to the dam’s controls allegedly let Firoozi get at the dam’s status and operational status, including water levels and temperature and the status for the sluice gate, which controls water levels and flow rates.
That kind of access should have given him the power to remotely operate the sluice gate.
But according to the indictment, unbeknownst to Firoozi, the sluice gate control had been manually disconnected for maintenance before he allegedly gained access to the dam’s SCADA system.
What is SCADA?
SCADA, which stands for Supervisory Control and Data Acquisition, is a system for remote monitoring and control that operates with coded signals over communication channels that include the internet, with all the mischief-makers and malfeasance that portends.
SCADA ties together a slew of vital physical infrastructure: from power, oil, and gas pipelines to water distribution and wastewater collection systems.
These systems were initially designed to be open, robust, and easily operated and repaired, but security has often been left out of the picture entirely.
There’s already an established set of worries about SCADA’s susceptibility to malicious attack.
Recent add-ons to that pile of worries have included alarming lack of password hygiene by those who work at national infrastructure centers.
One example: power grid workers posting selfies that inadvertently expose critical information.
That’s not just pie-in-the-sky security worrying: real-world examples include Prince William when he was an RAF Search and Rescue helicopter pilot. As you might recall, there were login details written on a piece of paper that was pasted over his head for all to see in widely distributed photos.
Then too, there was the proudly presented video shot inside the 2014 FIFA World Cup security control room, where the Wi-Fi SSID and password (and an internal email address used to communicate with a Brazilian government agency) were clearly legible on the big screen.
It’s even rumored that the creators of the Stuxnet malware (which is thought to have been designed to infiltrate Iran’s uranium enrichment facilities) relied on an image of a SCADA control system monitor to figure out the configuration of the facility’s centrifuges.
The source of the image: a series of 48 photos depicting President Mahmoud Ahmadinejad’s tour of the desert site, released by the country’s own government.
Indicting the seven Iranians allegedly behind these attacks on the nation’s financial and physical infrastructure is just the latest show of force from an administration that’s determined to show that it’s not taking cyber attacks lying down.
Last week, the day before the administration announced its indictment of the Iranians, it announced that it had struck a plea deal with an aviation expert from China who admitted to funneling sensitive military information out of the US and back home to hackers.
His accomplices in China infiltrated computer systems, including those of aviation giant Boeing Company.
Like the prosecution of Chinese national Su Bin, Attorney General Loretta E. Lynch said in a press conference on Thursday that the Iranians’ indictment was meant to send a “powerful” message that:
We will not allow any individual, group, or nation to sabotage American financial institutions or undermine the integrity of fair competition in the operation of the free market.
She said that these types of cyber attacks hit at national security:
The attacks were relentless, systematic and widespread. They threatened our economic well-being and our ability to compete fairly in the global marketplace — both of which are directly linked to our national security.