U.S. charges, sanctions Iranians for global cyber attacks on behalf of Tehran

By Dustin Volz WASHINGTON (Reuters) - The United States on Friday charged and sanctioned nine Iranians and an Iranian company for attempting to hack into hundreds of universities worldwide, dozens of companies and parts of the U.S. government, including its main energy regulator, on behalf of Tehran's government. The cyber attacks, beginning in at least 2013, pilfered more than 31 terabytes of academic data and intellectual property from 144 U.S. universities and 176 universities in 21 other countries, the U.S. Department of Justice said, describing the campaign as one of the largest state-sponsored hacks ever prosecuted. The U.S. Treasury Department said that it was placing sanctions on the nine people and the Mabna Institute, a company U.S. prosecutors characterized as designed to help Iranian research organizations steal information. U.S. Deputy Attorney General Rod Rosenstein said the nine Iranians were considered fugitives who may face extradition in more than 100 countries if they travel outside of Iran. Authorities "will aggressively investigate and prosecute hostile actors who attempt to profit from America’s ideas by infiltrating our computer systems and stealing intellectual property," Rosenstein said at a news conference. He said the case "will disrupt the defendants’ hacking operations and deter similar crimes." The hackers were not accused of being directly employed by Iran's government. They were instead charged with criminal conduct waged primarily through the Mabna Institute on behalf of the Islamic Revolutionary Guard Corps, the elite military force assigned to defend Iran’s Shi’ite theocracy from internal and external threats. There was no immediate response to the charges and sanctions in Iran's state-run media. The targeting of the Federal Energy Regulatory Commission, or FERC, was especially concerning, U.S. Attorney Geoffrey Berman said, because it oversees the interstate regulation of energy in the United States and holds details of some of the country's "most sensitive infrastructure." Hackers targeted email accounts of more than 100,000 professors worldwide, half located in the United States, and compromised about 8,000 of them, prosecutors said. Hackers also targeted the U.S. Labor Department, the United Nations and the computer systems of the U.S. states Hawaii and Indiana, prosecutors said. Friday's actions are part of an effort by senior cyber security officials at the White House and across the U.S. government to blame foreign countries for malicious hacks. They were announced a day after U.S. President Donald Trump named John Bolton, a former U.S. ambassador to the United Nations who is deeply skeptical of the 2015 international nuclear accord with Iran, as his new national security adviser. Trump himself has repeatedly cast doubt on the nuclear deal, in which the U.S. and other world powers eased sanctions in exchange for Tehran putting limits on its nuclear program. INTERNET FIRMS ALERTED The Department of Justice on Friday privately warned major internet infrastructure companies to expect attacks from Iran, an executive at one company who received the alert said. The officials said the most likely retaliation would be denial of service attacks on websites, which are not destructive but disrupt commerce and communication. Britain's National Cyber Security Centre said on Twitter that the Mabna Institute was "almost certainly responsible for cyber attacks targeting universities around the world." The sanctions and charges were the fourth time in the past few months that the Trump administration has blamed a foreign government for major cyber attacks, a practice that was relatively rare under the Obama administration. Last week, the administration accused the Russian government of cyber attacks stretching back at least two years that targeted the U.S. power grid. Washington imposed new sanctions on 19 Russians and five groups, including Moscow’s intelligence services, for meddling in the 2016 U.S. election and other cyber attacks. Friday's indictment in U.S. District Court in New York said the Iranian hackers did extensive background research of university professors before sending them "spearphishing" emails tailored to their academic interests and scholarly published articles. The emails purported to be from professors at another university and indicated the sender had read an article written by them, prosecutors said. The emails would then direct recipients to click on links to related articles that would direct victims to a malicious internet domain that appeared similar to the victim's actual university portal, where they would be prompted to enter their login credentials. Once accounts were compromised, the hackers would steal reams of academic data and intellectual property related to science and technology, engineering, social sciences and medicine, the indictment said. Stolen data was obtained to benefit Iran's Revolutionary Guard and sold within Iran through the websites Megapaper and Gigapaper to universities in Iran, prosecutors said. 'PASSWORD SPRAYING' Hackers targeted and compromised employee email accounts for 36 U.S.-based companies and 11 companies in countries including Germany, Italy and Britain, prosecutors said. Victim companies in the United states included two media and entertainment companies, one law firm, 11 technology firms, and two bank and investment firms, among others. Unlike the precise targeting of professors, companies fell victim to a broad technique known as "password spraying" that involves finding lists of company email accounts online and then attempting to hack into them by using common default passwords. Once inside, the hackers would steal entire email mailboxes. The Treasury Department also placed sanctions on another Iranian, Behzad Mesri. Sometimes known as "Skote Vahshat," Mesri was charged in 2017 with hacking cable TV network HBO to leak unaired episodes of the fantasy drama Game of Thrones. Mesri is still at large, officials said. The Obama administration in 2016 indicted seven Iranians for distributed-denial-of-service attacks on dozens of U.S. banks and for trying to shut down a New York dam. Those hackers were also accused of working on behalf of Iran's government. None of the Iranians indicted in 2016 have been arrested or extradited, a Justice Department spokesman said. (Reporting by Dustin Volz and Joseph Menn; additional reporting by Lisa Lambert, Timothy Gardner and Susan Heavey; editing by Grant McCool)