The Trump administration announced criminal charges and sanctions Friday against Iranians accused in a hacking scheme to pilfer sensitive information from hundreds of universities, private companies and American government agencies.
The nine defendants, accused of working at the behest of the Iranian government-tied Islamic Revolutionary Guard Corps, hacked the computer systems of about 320 universities in the United States and abroad to steal expensive science and engineering research that was then used by the government or sold for profit, prosecutors said.
The hackers also are accused of breaking into the networks of government organizations, such as the Department of Labor, the Federal Energy Regulatory Commission and the United Nations, and private sector entities including technology companies and law and consulting firms.
The Justice Department said the hackers were affiliated with an Iranian company called the Mabna Institute, which prosecutors say contracted with the Iranian government to steal scientific research from other countries. The institute was founded by two of the defendants.
“By bringing these criminal charges, we reinforce the norm that most of the civilized world accepts: nation-states should not steal intellectual property for the purpose of giving domestic industries an advantage,” Deputy Attorney General Rod Rosenstein said in announcing the charges.
Also Friday, the Treasury Department targeted the Mabna Institute and 10 Iranians — the nine defendants and one charged in a separate case last year — for sanctions that officials say will make it harder for them to do business outside Iran.
The defendants are unlikely to ever be prosecuted in an American courtroom since there’s no extradition treaty with Iran. But the grand jury indictment, filed in federal court in Manhattan, is part of the government’s “name and shame” strategy to publicly identify foreign hackers, block them from traveling without risk of arrest and put their countries on notice.
The approach has been employed with past indictments accusing Iranian hackers of a digital break-in of a New York dam, Chinese military officials of large-scale hacks at energy corporations and Russians of a massive breach of Yahoo user accounts.
“People travel. They take vacations, they make plans with their families,” said FBI Deputy Director David Bowdich. “Having your name, face and description on a ‘Wanted’ poster makes moving freely much more difficult.”
According to the indictment, the Iranians broke into universities through relatively simple but common means — tricking professors to click on compromised links.
The spear-phishing emails purported to be from professors at one university to those at another and contained what appeared to be authentic article links. But once clicked on, the links steered the professors to a malicious Internet domain that led them to believe they’d been logged out of their systems and that asked them to enter their log-in credentials.
Those credentials were logged and stolen by the hackers, prosecutors say.
The Justice Department says the hackers stole roughly 31 terabytes of academic research and intellectual property that was then sent to servers outside the United States for profit. The information that was stolen, which was sold through two websites to customers in Iran, cost U.S. universities about $3.4 billion to procure and access.
More than 100,000 professors worldwide were targeted with spear-phishing emails. The affected professors and their universities were not identified.
“Just in case you’re wondering, they’re not admiring our work,” Bowdich said. “They’re stealing it, and they’re taking credit for it, and they’re selling it to others.”