Seven Iranians charged in relation to cyberattacks against US 

Mar 25, 2016 01:33 PM

A grand jury in New York has indicted seven Iranian men on charges relating to a string of cyberattacks against US banks and other organizations. The attacks took place between 2011 and 2013, and usually took the form of distributed denial of service (DDoS) attacks, many of which involved malware known as Brobot (PHP.Brobot).

The seven men were alleged to be working on behalf of the Iranian government. In addition to the attacks on the financial sector, the group has also been accused of involvement in an attack on space agency NASA. One man has also been charged with mounting a cyberattack on the Bowman Dam in New York in 2013.

While the FBI did not explicitly mention the malware used by the attackers in its indictment, the timing of the attacks detailed by the FBI is consistent with attacks that Symantec observed employing these tools.

Two teams identified
The indicted men were alleged to have operated in two distinct teams. Ahmad Fathi, Hamid Firoozi, and Amin Shokohi worked for an Iran-based computer company, ITSecTeam. Sadegh Ahmadzadegan (aka Nitr0jen26), Omid Ghaffarinia (aka PLuS), Sina Keissar, and Nader Saedi (aka Turk Server) worked for a second company, Mersad. According to the indictment, both companies performed work on behalf of the Iranian government, including the Islamic Revolutionary Guard Corps.

Extensive list of targets
The attacks began on September 18, 2011. At the time, a group calling itself the Cyber Fighters of Izz ad-Din al-Qassam claimed responsibility. The group said it was attacking Bank of America and the New York Stock Exchange as a “first step” in a campaign that it claimed was in retaliation for US involvement in making a “sacrilegious” movie.

The attacks continued until 2013, targeting a broad range of banks and other organizations. Targets of the Mersad group were reported to include Capital One Bank, ING Bank, BB&T, Fidelity National, US Bank, PNC Bank, the NASDAQ stock exchange, and telecoms firm AT&T.

The ITSec trio was meanwhile alleged to have targeted Ally Bank, American Express, Ameriprise, Bank of Montreal, BB&T, BBVA, Capital One, JP Morgan, Chase Bank, Citibank, Citizens Bank, Fifth Third Bank, FirstBank, HSBC, Key Bank, PNC, Regions Bank, State Street Bank, SunTrust Bank, Union Bank, US Bank, Wells Fargo, and Zions First National Bank.

Ahmadzadegan and Ghaffarinia are also alleged to have mounted a cyberattack on NASA in February 2012, during which a server was broken into and several NASA websites were defaced.

Firoozi was meanwhile charged with being responsible for the 2013 attack on the Bowman Dam. He allegedly obtained unauthorized access to the dam’s SCADA control systems, which provided him with access to information about water levels, temperatures, and the status of the sluice gates. Ordinarily, SCADA access would have permitted him to remotely operate the sluice gates, but unbeknownst to him, these had been manually disconnected for maintenance.

The attacks frequently disabled bank websites and prevented customers from accessing their accounts online. According to the Department of Justice, the attacks collectively cost the victims tens of millions of US dollars in remediation costs.

Brobot in action
Most of the attacks associated with the group involved botnets powered by Brobot malware. Brobot mainly targets servers rather than end-user machines: the threat is designed to add the infected server to a botnet, which is then used to mount DDoS attacks. The accused men are alleged to have built the botnet by scanning the internet for servers running older versions of a “popular website content management software” that had not been updated to patch known vulnerabilities. These vulnerabilities allowed them to install the Brobot malware on affected servers.

External attackers not immune to prosecution
While identifying individuals and organizations behind cyberattacks can often prove difficult, comprehensive law enforcement investigations such as this show that it is not impossible. This week’s indictment serves as a reminder that attackers operating from other regions are not immune from identification or prosecution in the US.

Even though it is unlikely that Iran would voluntarily send those indicted to the US to stand trial, the indictment would nevertheless limit their ability to travel outside Iran and could serve as a warning to future would-be attackers.

Protection
Symantec and Norton products detect these threats as:

Antivirus

Intrusion prevention system
