Indictments announced Friday allege nine Iranians working on behalf of the Iranian government hacked university computers to access scientific research, while also targeting one law firm, private companies and government agencies.
Entities hacked included the U.S. Department of Labor, the Federal Energy Regulatory Commission, the United Nations, the United Nations Children’s Fund and the states of Hawaii and Indiana, prosecutors said.
The indictments were announced by Deputy Attorney General Rod Rosenstein, U.S. Attorney Geoffrey Berman of the Southern District of New York and other officials. The hacked law firm was not named. Rosenstein’s remarks are here and a press release is here.
The hackers were working for the Mabna Institute, a group founded to help Iranian universities access scientific research, Rosenstein said. The group gave the information to the Islamic Revolutionary Guard Corps, one of several Iranian entities that gather intelligence, which used the information or sold it, according to Rosenstein.
The defendants face several charges, including wire fraud, computer fraud, conspiracy and identity theft.
The hackers are accused of obtaining information from about 320 universities in 22 countries, including 144 American universities. The defendants stole research that cost the universities about $3.4 billion to procure and maintain, Rosenstein said.
The hackers accessed university information by getting college professors to click on links in phishing emails that appeared to be sent by a professor from another university. When professors clicked on the links, they were taken to a login page of an internet domain that resembled the that of the professor’s university. Believing they had been logged out of their university computer system, the professors would enter login information. The hackers used the login information to access university research.
The law firm was among 36 U.S. companies that were hacked. The other victims were three academic publishers, two media and entertainment companies, 11 technology companies, five consulting firms, four marketing firms, two banking and/or investment firms, two online car sales companies, one healthcare company, one employee benefits company, one industrial machinery company, one biotechnology company, one food and beverage company, and one stock images company. Hackers also targeted 11 companies in other countries.
Hackers used a “password spraying” technique to access the private entities. It worked this way: Hackers would collect names and email accounts associated with the targeted company, then it would try commonly used passwords to access the accounts. After hacking into an email, the hackers “exfiltrated entire email mailboxes from the victims,” the press release says. In many cases, the hackers set up automatic forwarding rules for compromised email accounts that allowed the hackers to receive all incoming and outgoing email messages from the accounts.
Password spraying was also used to access the government and nongovernmental organizations.
All the defendants are citizens and residents of Iran.