Today, the U.S. Department of Justice revealed indictments for nine Iranian hackers and the U.S. Treasury sanctioned these same individuals as well as one entity, the Mabna Institute, for engaging in state-sponsored theft of intellectual property from 144 U.S. universities – estimated to value $3.4 billion. The campaign also targeted 176 universities across 21 foreign countries and 47 domestic and foreign private sector companies, including within Australia, Canada, China, Denmark, Finland, Germany, Ireland, Israel, Italy, Japan, Malaysia, the Netherlands, Norway, Poland, Singapore, South Korea, Spain, Sweden, Switzerland, Turkey, and the UK. The United Nations, the U.S. Department of Labor and the Federal Energy Regulatory Commission were also victims of the cyber espionage campaign.
Since 2013, the Iranian hackers have allegedly been working on behalf of the Iranian Revolutionary Guard Corps (IRGC), the protectors of the 1979 Iranian Revolution, who tasked them with stealing trade secrets and other intellectual property abroad. The revealed indictments and sanctions suggest the most widespread state-sponsored hacking campaign – stealing over 31.5 terabytes of data – to result in punitive legal and economic recourse.
The individuals charged were employed by the Mabna Institute, a Shiraz-based tech firm allegedly on contract with the IRGC. The UK's National Cyber Security Centre has also attributed the campaign to the Mabna Institute with "high confidence," but has not gone so far as to draw an explicit connection with the Iranian government.
Deputy Attorney General Rod Rosenstein said that the "indictments will help to deter state-sponsored hacking by stripping the infiltrators of their ability to hide behind their screen; their full names and photos are up for anyone to see."
While the hackers are believed to be in Iran at this time and therefore unlikely to be arrested and extradited, the full disclosure of their identities will make it harder for them to travel freely outside of Iran. There is, however, a fear among some in the U.S. intelligence community that other countries, such as Russia, China or Iran, could reciprocally reveal the identities of U.S. cyber spies, opening them up to retribution abroad.
The Cipher Brief spoke with Rhea Siers, the former Deputy Associate Director for Policy at the National Security Agency, about what these new sanctions and indictments targeting Iranian hackers mean. The conversation has been adapted for print below.
This is not the first time the Department of Justice has zeroed in on the IRGC. Two years ago, they indicted seven Iranian-associated hackers, accusing them of attempting to disrupt U.S. financial institutions and infiltrating the Bowman Avenue Dam in New York. So what's the purpose of these indictments other than naming and shaming? Clearly, these indictments have not yet deterred the IRGC or the Iranian government – but they might deter other entities, such as financial institutions and other companies, from associating with them. In today's case, the emphasis is on the theft of intellectual property – thus the potential economic and research and development impact is important. This includes the "Mabna Institute" – a technology company that is clearly connected to the Iranian government and the IRGC. This is an effort to "smoke out" these connections – both for their intelligence collection efforts as well as the profit they make from intellectual property theft.
There is a dual goal of shining a light on the IRGC's economic espionage and potential for economic sabotage. Will it work? There's an interesting debate about using indictments in this way – of ending the anonymity of individual hackers or organizations. It's a good public signal about criminal activity and U.S. seriousness about norms in the cyber domain. But it's difficult to assess its operational impact long-term. The IRGC isn't about to hang up its hacking out of fear of U.S. indictments or "red lines", just as it continues to engage in a whole range of transnational criminal efforts (cyber and non-cyber) to support its activities and surrogates, such as Hezbollah. It is possible that the IRGC may be more careful in training and utilizing their surrogates (like Hezbollah) in an effort to hide their tracks better, but this remains to be seen. Indictments like this might help establish red lines, but there has to be operational activity in addition to sanctions to demonstrate a real determination to deter these IRGC activities.
Lauren Hutchison, an intern at The Cipher Brief, contributed to this report.