{"id":11840,"date":"2018-03-23T10:45:10","date_gmt":"2018-03-23T18:45:10","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/03\/23\/news-5609\/"},"modified":"2018-03-23T10:45:10","modified_gmt":"2018-03-23T18:45:10","slug":"news-5609","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/03\/23\/news-5609\/","title":{"rendered":"DOJ Indicts 9 Iranians For Brazen University Cyberattacks"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5ab513cd5d79c76b98749dfd\/master\/pass\/UniversitiesHacked-911438756.jpg\"\/><\/p>\n<p><strong>Credit to Author: Garrett M. Graff| Date: Fri, 23 Mar 2018 15:49:17 +0000<\/strong><\/p>\n<p><span class=\"lede\">In its latest <\/span>drumbeat against the <a href=\"https:\/\/www.wired.com\/story\/trump-iran-decertify-cyberattacks\/\">cyber activities of Iran<\/a>, the US government Friday charged nine Iranian hackers with a massive three-year campaign to penetrate and steal more than 31 terabytes of information\u2014totaling more than $3 billion in intellectual property\u2014from more than 300 American and foreign universities.<\/p>\n<p>The effort, detailed in a 21-page indictment unsealed Friday, amounted to \u201cone of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice,\u201d said Geoffrey Berman, the US Attorney for the Southern District, which brought the case. The effort netted a lengthy list of victims, including 144 universities based in the US, and another 176 spread across 21 foreign countries. 
The group also hit 47 private sector companies, government targets as varied as the US Department of Labor, the Federal Energy Regulatory Commission, and the states of Hawaii and Indiana, along with the United Nations.<\/p>\n<p class=\"paywall\">The hacking campaign focused on a Tehran-based organization called the Mabna Institute, which served as a clearinghouse for contractors and hackers-for-hire who were tasked with penetrating and stealing data, intellectual property, and the contents of professors\u2019 email inboxes. According to the FBI\u2019s investigation, two of the defendants\u2014Gholamreza Rafatnejad and Ehsan Mohammadi\u2014founded the Mabna Institute around 2013. \u201cWhile the company\u2019s name may sound legitimate, the so-called institute was set up for one reason only: To steal scientific resources from other countries around the world,\u201d Berman said.<\/p>\n<p class=\"paywall\">Rafatnejad organized the hacking efforts and coordinated with Iran\u2019s Islamic Revolutionary Guard Corps, while Mohammadi served as Mabna\u2019s managing director.<\/p>\n<p class=\"paywall\">\u201cThis case is critically important because it will disrupt the activities of the Institute and it will deter similar crimes by other perpetrators. The indictment publicly identifies the conspirators. In this time of public identification, it helps to deter state-sponsored computer intrusions by stripping hackers of their anonymity and by imposing real consequences,\u201d Rod Rosenstein, the deputy attorney general, said at the morning announcement in Washington. 
\u201cRevealing the Mabna Institute\u2019s nefarious activities makes it harder for them to do business.\u201d<\/p>\n<p class=\"paywall\">According to the Justice Department, many of the network intrusions began with <a href=\"https:\/\/www.wired.com\/story\/resist-phishing-attacks\/\">sophisticated \u201cspear-phishing\u201d campaigns<\/a>, with emails to targeted professors appearing to come from fellow academics at other schools. Links in the emails would direct the professors to pages that made it appear that they had accidentally logged out of their university account and needed to reenter their user credentials. Altogether, the campaign targeted more than 100,000 professors, and the Iranian hackers managed to successfully penetrate about 8,000 accounts, including 3,768 at US schools. One of the defendants, Mostafa Sadeghi, whom the indictment labels a \u201cprolific Iran-based computer hacker,\u201d was single-handedly responsible for the compromise of more than 1,000 of those accounts, and helped train the others on hacking techniques.<\/p>\n<p class=\"paywall\">The stolen data was used by the IRGC as well as sold through two websites, Megapaper.ir, which was partially owned by Sadeghi, and Gigapaper.ir. According to the indictment, Gigapaper offered stolen university credentials for sale so customers could directly access the online library resources, like electronic books and LEXIS-NEXIS databases, of US and foreign universities.<\/p>\n<p class=\"paywall\">The hacking effort also targeted private sector companies, including media and entertainment companies, a law firm, two banking and investment firms, a healthcare company, and even a stock images company. 
In that effort, the indictment says, the hackers used \u201cpassword spraying\u201d tactics to assemble publicly available lists of user emails and then attempt to access them using common passwords; the approach allowed them access to 36 American companies and 11 more in Europe. Once the hackers gained access to an account, they would both exfiltrate the existing contents and set up forwarding rules to pass future emails directly to them.<\/p>\n<p class=\"paywall\">Rosenstein said, \u201cFor many of these intrusions, the defendants acted at the behest of the Iranian government and, specifically, the Iranian Revolutionary Guard Corps.\u201d<\/p>\n<p class=\"paywall\">The campaign\u2019s reliance on cut-outs rather than official military hackers\u2014as China has used\u2014was consistent with previous Iranian-focused indictments brought by the Justice Department in recent years.<\/p>\n<p class=\"paywall\">Almost exactly two years ago, in March 2016, the Justice Department <a href=\"https:\/\/www.wired.com\/2016\/03\/feds-set-risky-precedent-indicting-7-iranian-hackers\/\">brought charges against seven Iranians<\/a> for their role in a lengthy and costly series of distributed denial-of-service attacks that targeted Wall Street and the financial sector, as well as penetrating the control systems of a dam in Rye, New York. 
While that indictment also stopped short of directly naming the Iranian government as responsible, it did note that the two companies that employed the seven hackers\u2014the ITSec Team and Mersad Company\u2014both worked closely with the IRGC, and that one of the hackers even \u201creceived credit for his computer intrusion work from the Iranian Government towards completion of his mandatory military service.\u201d<\/p>\n<p class=\"paywall\">Similarly, in another recent economic espionage case, the Justice Department charged three Iranians with breaking into a Vermont defense contractor to steal protected technology and then offer it for sale to entities like Tehran University, Sharif Technical University, and Shiraz Electro Optic Industry, a missile company owned by the Iranian military. That scheme was so successful that the mercenary hackers received certificates of appreciation from the Iranian military. \u201cThey are essentially nonsanctioned espionage groups,\u201d Brian Wallace, a security expert at Cylance, explained <a href=\"http:\/\/abcnews.go.com\/amp\/Technology\/wireStory\/experts-vermont-hack-shows-threat-mercenary-hackers-48866906\" target=\"_blank\">at the time<\/a> when that case became public. \u201cThe government doesn\u2019t create them, they don\u2019t own them. They operate and get almost of their income from the government.\u201d<\/p>\n<p class=\"paywall\">Broadly, the effort to take public action against nation-state hackers is consistent with an approach adopted by the Obama administration\u2019s Justice Department to move nation-state cybersecurity cases out of the shadows and to bring public prosecutions when possible. 
In May 2014, in the first-of-its-kind case, the <a href=\"https:\/\/www.wired.com\/2014\/05\/us-indictments-of-chinese-military-hackers-could-be-awkward-for-nsa\/\">Justice Department indicted five members of the Chinese military\u2019s Unit 61398<\/a>, its elite hacking team, for economic espionage.<\/p>\n<p class=\"paywall\">Rosenstein at Friday\u2019s press conference argued that such efforts were not an empty threat.<\/p>\n<p class=\"paywall\">\u201c[The Iranian] defendants are now fugitives from justice. There are more than 100 countries where they may face arrest and extradition to the United States. Thanks to [related sanctions by] the Treasury Department, the defendants will find it difficult to engage in business or financial transactions outside of Iran,\u201d the deputy attorney general said. \u201cBy making clear the criminal actions have consequences, we deter schemes to victimize the United States, its companies, and its citizens, and we help to protect our foreign allies.\u201d<\/p>\n<p class=\"paywall\">Indeed, while Berman said that the government believes that all nine individuals are inside Iran right now, it\u2019s not impossible that one may someday face a US courtroom. One of the three Iranians charged in the defense contractor hack, Nima Golestaneh, was caught while vacationing in Turkey and extradited to the United States, where he pleaded guilty.<\/p>\n<p class=\"paywall\"><em>Garrett M. Graff (<a href=\"http:\/\/twitter.com\/vermontgmg\" target=\"_blank\">@vermontgmg<\/a>) is a contributing editor for WIRED and can be reached at garrett.graff@gmail.com.<\/em><\/p>\n
<p><a href=\"https:\/\/www.wired.com\/story\/iran-cyberattacks-us-universities-indictment\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5ab513cd5d79c76b98749dfd\/master\/pass\/UniversitiesHacked-911438756.jpg\"\/><\/p>\n<p><strong>Credit to Author: Garrett M. Graff| Date: Fri, 23 Mar 2018 15:49:17 +0000<\/strong><\/p>\n<p>A new indictment asserts a long string of attacks against hundreds of universities and private companies, in which Iran pilfered more than $3 billion worth of intellectual property.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-11840","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11840","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11840"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11840\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11840"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/catego
ries?post=11840"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11840"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}