Hacker Charged in Breach of New York Dam

Attorney General Loretta Lynch announced charges filed against seven Iranian nationals over a campaign of denial of service attacks and the compromise of a Rye, New York dam.

In-brief: The Department of Justice on Thursday announced charges against seven Iranian men in connection with a campaign of attacks on U.S. banks, financial services firms and critical infrastructure, including a Rye, New York dam. 

The Department of Justice on Thursday announced that a grand jury in the Southern District of New York indicted seven Iranian men on computer hacking charges stemming from a campaign of distributed denial of service (DDoS) attacks against U.S. firms and critical infrastructure, including Supervisory Control and Data Acquisition (SCADA) systems controlling the Bowman Dam, a small flood-control facility in Rye, New York.

The indictment was announced today by Attorney General Loretta E. Lynch, Director James B. Comey of the FBI, Assistant Attorney General for National Security John P. Carlin and U.S. Attorney Preet Bharara of the Southern District of New York.

According to a statement from the DOJ, the attacks “disabled victim bank websites, prevented customers from accessing their accounts online and collectively cost the victims tens of millions of dollars in remediation costs as they worked to neutralize and mitigate the attacks on their servers.” The attacks on the Bowman Dam occurred in August and September of 2013. The Wall Street Journal first reported on a link to hackers based in Iran in December.

The Bowman Avenue Dam in Rye, New York, was one target of a group of hackers based in Iran, according to charges unveiled on Thursday.

According to a DOJ indictment (PDF), the men, ages 23 to 37, were employed by two Iran-based computer companies, ITSecTeam (ITSEC) and Mersad Company (MERSAD), which performed work on behalf of the Iranian Government, including the Islamic Revolutionary Guard Corps. The group has been linked to 46 attacks over more than 170 days from late 2011 until the middle of 2013.

The DOJ also released names and photos of the accused. They are Ahmad Fathi, 37; Hamid Firoozi, 34; Amin Shokohi, 25; Sadegh Ahmadzadegan, aka Nitr0jen26, 23; Omid Ghaffarinia, aka PLuS, 25; Sina Keissar, 25; and Nader Saedi, aka Turk Server, 26. Firoozi is charged with the hack of the Bowman Dam.

“The charges announced today respond directly to a cyber-assault on New York, its institutions and its infrastructure,” said U.S. Attorney Bharara. “The infiltration of the Bowman Avenue dam represents a frightening new frontier in cyber crime,” he said. “We now live in a world where devastating attacks on our financial system, our infrastructure and our way of life can be launched from anywhere in the world, with a click of a mouse.”

According to the indictment, Firoozi accessed the Bowman Avenue facility repeatedly for around three weeks, between Aug. 28, 2013, and Sept. 18, 2013. He was able to obtain “unauthorized access to the SCADA systems of the Bowman Dam,” allowing him to repeatedly obtain information regarding the status and operation of the dam, including information about the water levels, temperature and status of the sluice gate, which is responsible for controlling water levels and flow rates, the DOJ said.

He had adequate access to remotely operate and manipulate the Bowman Dam’s sluice gate, but the sluice gate had been manually disconnected for maintenance at the time of the intrusion, the statement said.

Attacks on critical infrastructure from state-sponsored advanced persistent threat (or APT) actors aren't a new problem. An investigation by the Associated Press found evidence of many unreported intrusions into U.S. critical infrastructure. In March, for example, a DHS report revealed that there were 245 incidents involving critical infrastructure in 2014. Among those were cases of malicious software infections on control systems that were believed to be "air gapped" (that is, physically isolated from the Internet), and cases in which previously unknown or "zero day" vulnerabilities in industrial control system software were used.

In that report, DHS found that 55% of the incidents involved APT or other sophisticated actors. Hacktivists, malicious insiders and cyber criminals were behind other incidents. In many other cases, asset owners were unable to determine who or what was attacking them, the report said.

U.S. critical infrastructure is increasingly connected to and managed via shared infrastructure such as cellular networks. Facilities like the Rye, New York, dam, for example, rely on cellular modems to provide technicians with remote access to the equipment used to operate the facility. However, if that equipment is not properly deployed or secured, it can provide easy access even to casual attackers using tools like the Shodan search engine. The Department of Homeland Security said in a 2014 bulletin that a “sophisticated threat actor” accessed the control system server of what was described as an “Internet-connected, control system operating a mechanical device.” Upon investigation, DHS determined that the device was attached to the Internet via a cellular modem but was “directly Internet accessible and … not protected by a firewall or authentication access controls.”
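The DHS bulletin quoted above names three conditions that together make a cellular-connected control device an easy target: it is directly reachable from the Internet, it sits behind no firewall, and it requires no authentication. The following script is an added example (not code from the article, DHS, or any dam operator) of how an asset owner might audit a remote-access inventory for exactly those conditions. The record fields and the sample inventory are constructed for illustration; the severity ranking is one reasonable choice, not a standard.

```python
"""Audit remote-access records for control-system assets (added example).

Flags the conditions described in the DHS bulletin: a device that is
directly Internet accessible and not protected by a firewall or by
authentication access controls. Field names and sample data are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class RemoteAccessRecord:
    asset: str
    link: str               # how the site is reached: "cellular", "landline", ...
    direct_internet: bool   # reachable from the public Internet with no VPN/jump host
    firewall: bool          # a firewall filters traffic in front of the device
    authentication: bool    # remote sessions require credentials
    remote_control: bool    # the remote path can operate equipment, not just read it


# Constructed inventory: a gate controller exposed the way the bulletin
# describes, a read-only sensor that is exposed but authenticated, and a
# device reachable only through a VPN.
SAMPLE_INVENTORY = [
    RemoteAccessRecord("sluice-gate-plc", "cellular", True, False, False, True),
    RemoteAccessRecord("level-sensor-rtu", "cellular", True, True, True, False),
    RemoteAccessRecord("pump-station-hmi", "cellular", False, True, True, True),
]


def _severity(r: RemoteAccessRecord) -> str:
    """Rank exposure: unauthenticated, Internet-facing control is the worst case."""
    if r.direct_internet and not r.authentication and r.remote_control:
        return "critical"
    if r.direct_internet and r.remote_control:
        return "high"
    return "medium"


def audit(records: List[RemoteAccessRecord]) -> List[Dict]:
    """Return one finding per record that violates any of the three controls."""
    findings = []
    for r in records:
        problems = []
        if r.direct_internet:
            problems.append("directly Internet accessible (no VPN/jump host)")
        if not r.firewall:
            problems.append("no firewall")
        if not r.authentication:
            problems.append("no authentication")
        if problems:
            findings.append({
                "asset": r.asset,
                "link": r.link,
                "severity": _severity(r),
                "problems": problems,
            })
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings by severity so the worst exposures surface first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f['severity']}] {f['asset']} via {f['link']}: " + "; ".join(f["problems"]))
    print(summarize(results))
```

Run against the sample inventory, the gate controller is reported as critical with all three problems, the read-only sensor as medium for its direct Internet exposure alone, and the VPN-only device produces no finding. The point of an audit like this is that the fix for the critical case is architectural (put the cellular link behind a firewall and a VPN or jump host, and require authentication on the control path), not a patch to the controller itself.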

It has been reported that a cellular modem also connected the Bowman Avenue dam to the Internet and may have provided an entry point for attackers. However, the recently released indictment does not mention the means by which Firoozi, the Iranian hacker, accessed the facility.