U.S. Indicts 7 Iranians Working for Islamic Revolutionary Guard Corps-Affiliated Entities for Coordinated Cyber Attacks Against the U.S. Financial Sector

Author: Bruce Zagaris*
Date: May 15, 2016

On March 24, 2016, Attorney General Loretta E. Lynch, Director James B. Comey of the FBI, Assistant Attorney General for National Security John P. Carlin and U.S. Attorney Preet Bharara of the Southern District of New York announced a grand jury in the Southern District of New York indicted seven Iranian individuals who were employed by two Iran-based computer companies on computer hacking charges related to their involvement in an extensive campaign of over 176 days of distributed denial of service (DDoS) attacks. The companies for whom they worked were ITSecTeam (ITSEC) and Mersad Company (MERSAD), both of which worked on behalf of the Iranian government, including the Islamic Revolutionary Guard Corps.1

The indictment charges Ahmad Fathi, 37; Hamid Firoozi, 34; Amin Shokohi, 25; Sadegh Ahmadzadegan, aka Nitr0jen26, 23; Omid Ghaffarinia, aka PLuS, 25; Sina Keissar, 25; and Nader Saedi, aka Turk Server, 26, started DDoS attacks against 46 victims, primarily in the U.S. financial sector, between 2011 and mid-2013. The attacks disabled victim bank websites, prevented customers from accessing their accounts online and collectively cost the victims tens of millions of dollars in remediation costs as they worked to neutralize and mitigate the attacks on their servers. The indictment also charges Firoozi with obtaining unauthorized access into the Supervisory Control and Data Acquisition (SCADA) systems of the Bowman Dam, located in Rye, New York, in August and September 2013.

1. DDoS Attacks

In December 2011, the defendants started the DDoS campaign. The attacks occurred only sporadically until September 2012, when they escalated in frequency to a near-weekly basis, between Tuesday and Thursdays during normal business hours in the U.S. On certain days, victim computer servers were hit with as much as 140 gigabits of data per second and hundreds of thousands of customers were prohibited from online access to their bank accounts.

Faithi, Firozzi and Shokohi had responsibility for ITSEC’s part of the DDoS campaign against the U.S. financial sector. The indictment charges them with one count of conspiracy to commit and aid and abet computer hacking. The indictment alleges that Fathi was the leader of ITSEC and had responsibility to supervise and coordinate ITSEC’s part of the DDoS campaign, along with managing computer intrusion and cyberattack projects being conducted for the government of Iran. Firoozi was the network manager at ITSEC and, in that role, procured and managed computer servers that were used to coordinate and direct ITSEC’s part of the DDoS campaign. Shokohi is allegedly a computer hacker who helped build the botnet used by ITSEC to engage in those attacks. When he worked in support of the DDoS campaign, Shokohi obtained credit for his computer intrusion work from the Iranian government towards his completion of his mandatory military service requirement in Iran.

The indictment alleges Ahmadzadegan, Ghaffarinia, Keissar and Saedi were responsible for managing the botnet used by MERSAD’s part of the campaign, and charges them with one count of conspiracy to commit and aid and abet computer hacking. Ahmadzadegan was a co-founder of MERSAD and had responsibility to manage the botnet used in MERSAD’s part of the DDoS campaign. He was also associated with Iranian hacking groups Sun Army and Ashiyane Digital Security Team (ADST), and claimed responsibility for hacking servers belonging to the National Aeronautics and Space Administration (NASA) in February 2012. Ahmadzadegan has also trained Iranian intelligence personnel. Ghaffarinia was a co-founder of MERSAD and established malicious computer code used to compromise computer servers and build MERSAD’s botnet. Ghaffarinia was also associated with Sun Army and ADST, and has also claimed responsibility for hacking NASA servers in February 2012, as well as thousands of other servers in the U.S., the United Kingdom and Israel. Keissar procured computer servers used by MERSAD to access and manipulate MERSAD’s botnet, and also did preliminary testing of the same botnet prior to its use in MERSADS’s part of the DDoS campaign. Saedi was an employee of MERSAD and a former Sun Army computer hacker who expressly touted himself as an expert in DDoS attacks. Saedi wrote computer scripts used to locate vulnerable servers to build the MERSAD botnet used in its part of the DDoS campaign.

To carry out the attacks, each group built and maintained their own botnets, which consisted of thousands of compromised computer systems owned by unwitting third parties that had been infected with the defendants’ malware, and subject to their remote command and control. The defendants and/or their unindicted co-conspirators then sent orders to their botnets to direct significant amounts of malicious traffic at computer servers used to operate the websites for victim financial institutions, which overwhelmed victim servers and disabled them from customers seeking to legitimately access the websites or their online bank accounts. While the DDoS campaign caused damage to the financial sector victims and interfered with their customers’ ability to do online banking, the attacks did not affect or result in the theft of customer account data.

2. DDoS Botnet Remediation

Since the attacks, the Department of Justice and FBI have cooperated with the private sector to effectively neutralize and remediate the defendants’ botnets. In particular, through approximately 20 FBI Liaison Alert System (FLASH) messages, the FBI regularly provided updated information collected from the investigation concerning the identity of systems that had been infected with the defendants’ malware and operating as bots within the malicious botnets. Additionally, the FBI conducted extensive direct outreach to Internet service providers responsible for hosting systems that have been infected with the defendants’ malware to provide them information and assistance in removing the malware to protect their customers and other potential victims of the defendants’ unlawful cyber activities. Through these outreach efforts and cooperation of the private sector, over 95 percent of the known part of the defendants’ botnets have been successfully remediated.

3. Bowman Dam Intrusion

Between August 28, 2013 and September 18, 2013, Firoozi repeatedly obtained unauthorized access to the SCADA systems of the Bowman Dam. The indictment charges him with one substantive count of obtaining and aiding and abetting computer hacking. This unauthorized access permitted him to repeatedly obtain information concerning the status and operation of the dam, including information about the water levels, temperature and status of the sluice gate, which is responsible for controlling water levels and flow rates. While that access would normally have allowed Firoozi to remotely operate and manipulate the Bowman Dam’s sluice gate, Firoozi did not have that capability because the sluice gate had been manually disconnected for maintenance at the time of intrusion.

Remediation for the Bowman Dam intrusion cost over $30,000.

4. Analysis

All seven defendants face a maximum sentence of 10 years in prison for conspiracy to commit and aid and abet computer hacking. Firoozi faces an additional five years in prison for obtaining and aiding and abetting unauthorized access to a protected computer at the Bowman Dam.

The indictment represents the first time the Obama administration had acted against Iranians for a wave of computer attacks on the U.S. and which paralyzed some banks and froze customers out of online banking.2

The effort against the Bowman Dam appeared to be an effort to take over the dam itself. The effort failed because it was under repair and offline. The attempt preoccupied U.S. investors more because it was directed at seizing control of a piece of infrastructure.3

The mention of the relationship between the defendants and the Islamic Revolutionary Guards Corps, and the fact that Shokohi obtained credit for his computer intrusion work from the Iranian government towards his completion of his mandatory military service requirement in Iran – all of these factors show participation by the Iranian government.4

While the defendants are free in Iran and it will not be easy to arrest and take custody of them, on March 23, 2016, a Chinese businessman pleaded guilty in U.S. Court in Los Angeles to helping two Chinese military hackers carry out a damaging series of thefts of sensitive military secrets from U.S. contractors. Two years ago the U.S. brought the first indictment for economic cyberespionage against hackers working for a foreign government.5

Even though the defendants in the new indictment are free in Iran and the U.S. does not have an extradition treaty with Iran, the indictment represents a restraint on the ability of the defendants to travel without risk of being arrested and extradited to the U.S. Hence, such a restraint is itself a punishment. In addition, the U.S. law enforcement and national security community hopes that the indictment will help persuade the Iranian government from shifting activity from its nuclear program to its growing corps of cyberwarriors, some of whom work directly for the government, while others, such as the ones named in the indictment, appear to be contractors.6 Such indictments hope to persuade other governments, especially ones not so friendly to the U.S., not to deploy their cyberwarriors against the U.S.

Until the indictment two years ago against the Chinese military hackers, the U.S. government had treated hacking campaigns carried out by foreign governments as matters of national security that are classified. U.S. officials were reluctant to acknowledge a major intrusion by a foreign country either for diplomatic or intelligence reasons. However, according to Assistant Attorney General John Carlin, whose National Security Division was created in 2006 to help prevent terrorist attacks, the efforts to indict hackers connected to governments reflects a “new approach” that borrows from counterterrorism. In 2012, the DOJ started to train prosecutors tow work with both the intelligence community and law enforcement to bring cyber-cases.7

According to some administration officials, the unsealing of the indictment against the Iranian hackers could facilitate the imposition of economic sanctions. In April, President Obama issued an executive order establishing the authority to impose such sanctions specifically for malicious cyber-activity. Until now the authority has not been used.8

*IELR, Volume 32, Issue 4, April 1 – April 30, 2016, P. 152-153. Bruce Zagaris is partner with the law firm of Berliner, Corcoran & Rowe, LLP. He can be reached at bzagaris@bcr-dc.com.


1 U.S. Department of Justice, Seven Iranians Working for Islamic Revolutionary Guard Corps-Affiliated Entities Charged for Conducting Coordinated Campaign of Cyber Attacks Against U.S. Financial Sector, Press Release, Mar. 24, 2016.

2 David E. Sanger, U.S. Indicts 7 Tied to Iranian Unit in Cyberattacks, N.Y. TIMES, Mar. 25, 2016, at A3, col. 1.

3 Id.

4 Christopher M. Matthews and Kate O’Keefe, Iranians Charged in U.S. Hacking, WALL ST. J., Mar. 25, 2016, at A3, col. 1.

5 Ellen Nakashima, Guilty plea in Chinese hacking case, WASH. POST, Mar. 24, 2016, at A16, col. 1.

6 Sanger, supra

7 Ellen Nakashima and Matt Zapotosky, U.S. indicts 7 in connection with cyberattacks linked to Iranian government, WASH. POST, Mar. 25, 2016, at A14, col. 1.

8 Id.

Recent Articles