On March 24, 2016, the US Department of Justice announced that it was indicting 7 Iranian hackers for coordinating denial-of-service attacks on a number of US banks’ websites and for breaking into the computer system of a dam in New York. These charges may not seem like much, since the attacks took place between 2011 and 2013 and caused limited damage, but the indictments matter to the US chiefly for the cyber-enforcement precedent they seek to set.
Between 2011 and 2013, the hackers conducted a series of distributed denial of service (DDoS) attacks against at least 46 US financial institutions, blocking consumer access to the websites of companies like JP Morgan, Wells Fargo, and Bank of America. While the attacks cut off only one avenue of access to financial services, US attorney general Loretta Lynch pointed out that remedying them had cost the banks “tens of millions of dollars.”
Additionally, one of the 7 indicted hackers has been charged with hacking into the computer system of the Bowman Dam in Rye, New York. The Bowman Dam has been identified as non-crucial, and the hacker took no action while inside the system, but the intrusion is troubling because of what could have happened given the lack of network security in infrastructure. US investigators found that hacker Hamid Firoozi was able to access the dam’s sluice gate, which could have been used to change water levels and flow rates; the only thing stopping him was that the sluice gate had been disconnected for maintenance.
Though the actions taken by the Iranian hackers had small effects, they do point to the larger impact hackers could have on financial and physical infrastructure. Lynch made this point, saying that the attacks “threatened our economic well-being and our ability to compete fairly in the global marketplace – both of which are directly linked to [US] national security.”
But why is the US charging these hackers now, over 3 years after the hacks were carried out? The answer lies in the diplomatic element of these cyber attacks, an element that gives the indictments their real meaning now.
With the Iran Deal on the table at the time of the US investigations into the bank and dam attacks, investigators were “discouraged” from bringing formal charges against the individual Iranians. Politically speaking, that was probably a good move, especially since some of the US-Iran cyber conflict was initiated by the US.
Ever since the US released the Stuxnet virus into an Iranian nuclear plant in 2008 (a cyberattack that damaged a large number of the plant’s centrifuges), there has been the possibility of an Iranian cyber counter-attack. By 2012, Iran had increased its spending on improving cyber capabilities. Given that the seven individuals could not have attacked the bank sites without additional technological resources and support, US officials may have reasonable grounds to link the Iranian government to the attacks.
For now, the Department of Justice’s indictments of the Iranian individuals (with possible state involvement) are enough to make a statement about the US’ intolerance of cyber attacks on infrastructure. Conspiracy to commit and aid computer hacking carries a 10-year maximum prison sentence, but since the seven individuals live in Iran, they will probably never serve it, as the Iranian government is unlikely to extradite them. So in the case of the seven Iranian hackers, the US is simply “naming and shaming”: making it clear to those who engage in cyber attacks against the US, individually or for a state, that their freedoms (including the ability to travel) will be limited.
There are, however, more troubling aspects that these indictments have brought to light. The first is the lack of network security for critical infrastructure in the US. According to Shodan, more than 57,000 power grids and industrial-control systems are reachable from the Internet, leaving them exposed to cyber attacks. As the infrastructure cyber attack on Ukraine at the end of 2015 demonstrated, such attacks could have enormous consequences for civilian life in the US.
What is perhaps more worrisome is what these individual hackers are doing now that their disruptive capabilities are known. One of the indicted Iranian hackers, Sadegh Ahmadzadegan, has been wreaking cyber havoc on the US and Iran; he has even been identified as the founder of Ashiyaneh, a group of Iranian hackers working for the Islamic Republic.
Those two concerns are peripheral to the indictments themselves, but they do speak to the importance of understanding each individual element of state-sponsored cyber attacks. As the diplomacy of cyber war begins to look more like “if you attack me, I’ll attack you,” it is important that we be ready for those retaliations and ready to consider what kinds of people are carrying out those attacks against us.