In its latest drumbeat against the cyber activities of Iran, the US government Friday charged nine Iranian hackers with a massive three-year campaign to penetrate and steal more than 31 terabytes of information—totaling more than $3 billion in intellectual property—from more than 300 American and foreign universities.
The effort, detailed in a 21-page indictment unsealed Friday, amounted to “one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice,” said Geoffrey Berman, the US Attorney for the Southern District, which brought the case. The effort netted a lengthy list of victims, including 144 universities based in the US, and another 176 spread across 21 foreign countries. The group also hit 47 private sector companies, government targets as varied as the US Department of Labor, the Federal Energy Regulatory Commission, and the states of Hawaii and Indiana, along with the United Nations.
The hacking campaign focused on a Tehran-based organization called the Mabna Institute, which served as a clearinghouse for contractors and hackers-for-hire who were tasked with penetrating and stealing data, intellectual property, and the contents of professors’ email inboxes. According to the FBI’s investigation, two of the defendants—Gholamreza Rafatnejad and Ehsan Mohammadi—founded the Mabna Institute around 2013. “While the company’s name may sound legitimate, the so-called institute was set up for one reason only: To steal scientific resources from other countries around the world,” Berman said.
Rafatnejad organized the hacking efforts and coordinated with Iran’s Islamic Revolutionary Guard Corps, while Mohammadi served as Mabna’s managing director.
“This case is critically important because it will disrupt the activities of the Institute and it will deter similar crimes by other perpetrators. The indictment publicly identifies the conspirators. In this time of public identification, it helps to deter state-sponsored computer intrusions by stripping hackers of their anonymity and by imposing real consequences,” Rod Rosenstein, the deputy attorney general, said at the morning announcement in Washington. “Revealing the Mabna Institute’s nefarious activities makes it harder for them to do business.”
According to the Justice Department, many of the network intrusions began with sophisticated “spear-phishing” campaigns, with emails to target professors appearing to come from fellow academics at other schools. Links in the emails directed the professors to pages that made it appear they had accidentally logged out of their university account and needed to reenter their user credentials. Altogether, the campaign targeted more than 100,000 professors, and the Iranian hackers managed to successfully penetrate about 8,000 accounts, including 3,768 at US schools. One of the defendants, Mostafa Sadeghi, whom the indictment labels a “prolific Iran-based computer hacker,” was single-handedly responsible for the compromise of more than 1,000 of those accounts, and helped train the others on hacking techniques.
The stolen data was used by the IRGC as well as sold through two websites, Megapaper.ir, which was partially owned by Sadeghi, and Gigapaper.ir. According to the indictment, Gigapaper offered stolen university credentials for sale so customers could directly access the online library resources, like electronic books and LEXIS-NEXIS databases, of US and foreign universities.
The hacking effort also targeted private sector companies, including media and entertainment companies, a law firm, two banking and investment firms, a healthcare company, and even a stock images company. In that effort, the indictment says, the hackers used “password spraying” tactics: they assembled publicly available lists of user emails and then attempted to access those accounts using common passwords. The approach gave them access to 36 American companies and 11 more in Europe. Once the hackers gained access to an account, they would both exfiltrate its existing contents and set up forwarding rules to pass future emails directly to themselves.