Today, @TheJusticeDept, #FBI, @USTreasury, @NewYorkFBI, & @SDNYnews announced charges against nine Iranians for conducting massive #cyber theft campaign on behalf of the Islamic Revolutionary Guard Corps. https://t.co/WS382CZPUm pic.twitter.com/qHHd2bajTa
— FBI (@FBI) March 23, 2018
A Charleston startup’s research into some fishy online conduct led to the indictment of nine Iranian nationals charged with cyber theft by the Department of Justice in documents that were unsealed last Friday.
According to federal prosecutors, more than 31 terabytes of documents and data were stolen from universities, research institutions, and various governments by means of phishing — the practice of sending fraudulent e-mails purporting to be from reputable institutions and asking for personal information, such as valid login credentials. The stolen material was then either sold on the open market or passed on to an Iranian intelligence agency.
Crane Hassold is the director of threat intelligence at PhishLabs, a Charleston cybersecurity firm. He spent 11 years at the FBI, and shared his findings with his previous employer after a deep-dive into two domains in early December revealed dozens of phishing pages targeting university library login pages.
The group behind this unique campaign was even codenamed “Silent Librarian” at PhishLabs.
Hassold says he began sharing information with the FBI a couple of weeks after his discovery.
“I’ve been interested in university phishing attacks for a while, just because there seems to be a rise in them,” Hassold tells CP. “In the universities in general, it’s interesting because they don’t seem to care too much about them.”
No universities in South Carolina were targeted, but students and professors at more than 300 universities in 22 countries fell prey to the fake sites in 750 attacks that date all the way back to September 2013, according to data from PhishLabs. The Department of Justice says that the U.S. Department of Labor, the United Nations, UNICEF, and the state of Hawaii were also targeted in the attacks.
Hassold says that organizations like the Electric Power Research Institute and Thomson Reuters were also targeted. He believes that the hackers were mainly focused on infiltrating academic research data from journals.
Some of the information obtained in the phishing attacks was passed on to the Islamic Revolutionary Guard Corps, a branch of Iran’s military primarily focused on intelligence and national security. Friday’s indictment shows that the credentials were also sold for profit on two Iranian websites, and PhishLabs has identified a third such website likely run by Mostafa Sadeghi, one of the nine people indicted by the Justice Department.
“When you look at Iran specifically, there’s a lot of limited access to research internally just from an academic standpoint,” Hassold says. “Where a lot of universities because of sanctions that have been levied, they aren’t able to get access to databases that most Western European and American universities have access to.”
The nine defendants were variously leaders, contractors, associates, hackers-for-hire, and affiliates of the Mabna Institute, an Iranian company working for the IRGC.
They are each charged with conspiracy to commit computer intrusions, conspiracy to commit wire fraud, unauthorized access of a computer, wire fraud, and aggravated identity theft.
The Department of the Treasury issued sanctions against the nine indicted Iranians that will prevent them from conducting business in America.
“Iran is engaged in an ongoing campaign of malicious cyber activity against the United States and our allies,” said Treasury undersecretary Sigal Mandelker. “The IRGC outsourced cyber intrusions to The Mabna Institute, a hacker network that infiltrated hundreds of universities to steal sensitive data. We will not tolerate the theft of U.S. intellectual property, or intrusions into our research institutions and universities.”