Skip to content
Wall Street. Image courtesy of Shutterstock.
Naked Security Naked Security

US indicts 7 Iranians for cyber attacks against Wall Street, NY dam

NASDAQ, the New York Stock Exchange and more were bombarded with DDoS attacks between 2011 and 2013, and a dam's SCADA control system was breached.

The US has indicted seven Iranians for bombarding Wall Street with distributed denial-of-service (DDoS) attacks that crippled 46 financial institutions between 2011 and 2013.

The indictment, unsealed on Thursday, also charged one of the Iranians with breaching the SCADA control system for a dam located a scant 20 miles from New York City around the same time frame.

The seven men worked for two private security firms based in Iran — ITSec Team and Mersad — that do work on behalf of the Iranian government. That includes working with the Islamic Revolutionary Guard Corps, which is one of the government’s intelligence arms.

The court document detailed the series of attacks:

The U.S. Financial Industry DDoS Attacks impacted, at a minimum, approximately 46 major financial institutions and other financial-sector corporations in the United States over a total of at least approximately 176 days of DDoS attacks. On certain days during these attacks, hundreds of thousands of customers were unable to access their bank accounts online. As a result of these attacks, those victim institutions incurred tens of millions of dollars in remediation costs as they worked to mitigate and neutralize the attacks on their computer servers.

The Feds say that the attacks on the financial industry began around December 2011.

ITSec Team and Mersad allegedly created botnets comprising thousands of malware-infected slave computers that they ordered to fire-hose Wall Street. Those botnets were launched off equipment that included servers leased in the US.

The DDoS attacks were sporadic until about September 2012, when they were ratcheted up to the point of occurring nearly weekly, typically between Tuesdays and Thursdays during normal business hours in the US.

They kept up, with gusto, until about May 2013.

From the indictment:

During the course of this coordinated campaign, victims’ computer servers were hit with as much as approximately 140 Gigabits of data per second which, depending on the victim institution, was up to as much as three times the entire operating capacity of a victim institution’s servers.

The targets included financial heavyweights like Bank of America, NASDAQ, and the New York Stock Exchange.

One of the defendants, Hamid Firoozi, also allegedly hacked into the Bowman Avenue Dam near Rye Brook, New York.

Rye Brook Mayor Paul Rosenberg told CNN that the dam is used to control water flow when it rains, to prevent flooding downstream.

Rosenberg said that the dam’s managed by a piece of software that’s “industry standard” and “very common.”

Remote access to the dam’s controls allegedly let Firoozi get at the dam’s status and operational status, including water levels and temperature and the status for the sluice gate, which controls water levels and flow rates.

That kind of access should have given him the power to remotely operate the sluice gate.

But according to the indictment, unbeknownst to Firoozi, the sluice gate control had been manually disconnected for maintenance before he allegedly gained access to the dam’s SCADA system.

What is SCADA?

SCADA, which stands for Supervisory Control and Data Acquisition, is a system for remote monitoring and control that operates with coded signals over communication channels that include the internet, with all the mischief-makers and malfeasance that portends.

SCADA ties together a slew of vital physical infrastructure: from power, oil, and gas pipelines to water distribution and wastewater collection systems.

These systems were initially designed to be open, robust, and easily operated and repaired, but security has often been left out of the picture entirely.

There’s already an established set of worries about SCADA’s susceptibility to malicious attack.

Recent add-ons to that pile of worries have included alarming lack of password hygiene by those who work at national infrastructure centers.

One example: power grid workers posting selfies that inadvertently expose critical information.

That’s not just pie-in-the-sky security worrying: real-world examples include Prince William when he was an RAF Search and Rescue helicopter pilot. As you might recall, there were login details written on a piece of paper that was pasted over his head for all to see in widely distributed photos.

Then too, there was the proudly presented video shot inside the 2014 FIFA World Cup security control room, where the Wi-Fi SSID and password (and an internal email address used to communicate with a Brazilian government agency) were clearly legible on the big screen.

It’s even rumored that the creators of the Stuxnet malware (which is thought to have been designed to infiltrate Iran’s uranium enrichment facilities) relied on an image of a SCADA control system monitor to figure out the configuration of the facility’s centrifuges.

The source of the image: a series of 48 photos depicting President Mahmoud Ahmadinejad’s tour of the desert site, released by the country’s own government.

Indicting the seven Iranians allegedly behind these attacks on the nation’s financial and physical infrastructure is just the latest show of force from an administration that’s determined to show that it’s not taking cyber attacks lying down.

Last week, the day before the administration announced its indictment of the Iranians, it announced that it had struck a plea deal with an aviation expert from China who admitted to funneling sensitive military information out of the US and back home to hackers.

His accomplices in China infiltrated computer systems, including those of aviation giant Boeing Company.

Like the prosecution of Chinese national Su Bin, Attorney General Loretta E. Lynch said in a press conference on Thursday that the Iranians’ indictment was meant to send a “powerful” message that:

We will not allow any individual, group, or nation to sabotage American financial institutions or undermine the integrity of fair competition in the operation of the free market.

She said that these types of cyber attacks hit at national security:

The attacks were relentless, systematic and widespread. They threatened our economic well-being and our ability to compete fairly in the global marketplace — both of which are directly linked to our national security.

Image of Wall Street courtesy of Shutterstock.com

2 Comments

If engineers at a dam in New York hadn’t disconnected water gates from its electronic control center for maintenance work, a major disaster would have happened. On that day, hackers said to be belonging to the IRGC managed to hack the dam’s electronic control center in order to unlock its gates and drown the area. Unfortunately, only the direct perpetrators were made accused in these cases and no charges were framed against the Iranian regime, which should have been held responsible for those attacks. Threatening action against regimes involved in cyber attacks, whether Iranian or any other, builds deterrence against similar attacks in the future. Targeting civil facilities to sabotage them and harm civilians are acts of terrorism, prohibited internationally even in times of war. These terrorist attacks should be categorized as per international law and their activities should be declared prohibited.

Still waiting for any evidence at all that indicates anyone.
Lesson from the sony hack that was blamed on NK solely by Norse Corp, which turned out to be 100% BS/fraud.
Ya gotta wonder if they pick the accused before the supposed crime is committed with some of these.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?