Federal investigators have charged nine Iranians for stealing troves of academic and intellectual property data from 144 universities and dozens of private companies in the US.
“The defendants stole research that cost those universities $3.4 billion to procure and maintain,” US deputy attorney general Rod Rosenstein said in a Friday press conference.
The nine suspects nabbed over 31 terabytes of data and fed it back to the Iranian military, according to the Department of Justice. Employing the hackers was the Mabna Institute, an Iranian government contractor founded by two of the suspects, Rosenstein said. The goal of the institute was to help Iranian universities gain access to scientific research.
In total, 320 universities across 22 countries were attacked. The suspects also breached 47 private companies, along with government offices like the US Department of Labor and the Federal Energy Regulatory Commission.
To steal the data, the suspects sent phishing emails to over 100,000 professors' accounts across the globe, trying to fool the victims into handing over their passwords. The emails did so by claiming interest in the professor's research and including links to related academic articles. However, certain links in the phishing emails actually led to an internet domain under the hackers' control, the Department of Justice said.
When a victim clicked, the malicious domain displayed a website imitating the login page of the professor's university. The aim was to trick victims into thinking they had been logged out of the university system. "If a professor then entered his or her login credentials, those credentials were then logged and captured by the hackers," the Department of Justice said.
Ultimately, the suspects compromised over 8,000 email accounts.
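The lure described above pairs genuine-looking article links with one link to an attacker-controlled look-alike of the university login page. As an added illustration (not code from the article or from any of the organisations it names), the following Python script extracts the URLs from a message body and flags those that sit outside the institution's own domains yet either reuse the institution's name or point at a login-style page; the institution domain, the keyword list and the sample message are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Institution domains treated as legitimate (assumed placeholder, not a real school).
TRUSTED_DOMAINS = {"example-university.edu"}
# Path/host keywords typical of a credential-harvesting page (assumed heuristic).
LOGIN_HINTS = ("login", "signin", "sso", "auth", "portal", "webmail")

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")

def host_in_trusted(host, trusted=TRUSTED_DOMAINS):
    """True when host is a trusted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def looks_like_institution(host, trusted=TRUSTED_DOMAINS):
    """True when an untrusted host embeds a trusted domain's name label,
    e.g. 'example-university' appearing inside some other registrable domain."""
    labels = {d.split(".")[0] for d in trusted}
    return any(label in host.lower() for label in labels)

def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'suspicious' or 'external' for a single URL."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host_in_trusted(host, trusted):
        return "trusted"
    text = (host + parsed.path + "?" + parsed.query).lower()
    if looks_like_institution(host, trusted) or any(h in text for h in LOGIN_HINTS):
        return "suspicious"
    return "external"

def suspicious_links(body, trusted=TRUSTED_DOMAINS):
    """Extract every URL from an email body and return the ones that are
    off-domain yet imitate the institution or point at a login-style page."""
    return [u for u in URL_RE.findall(body) if classify_link(u, trusted) == "suspicious"]

# Constructed lure in the style the article describes: interest in the
# professor's research, links to articles, and one link that leads to an
# attacker-controlled look-alike of the university login page.
SAMPLE_LURE = """Dear Professor,
I read your recent paper with great interest. You may find these related:
https://journals.example.org/article/10.1000/xyz123
https://example-university.edu/library/item/445
Full text here: http://example-university.edu.login-portal.example.net/sso/index.php?u=prof
"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_LURE):
        print("SUSPICIOUS:", link)
```

A mail gateway would run the same check before delivery; the heuristics here are deliberately simple, so a real deployment would add a public-suffix list and a catalogue of the institution's known look-alike registrations.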
“The campaign started in approximately 2013, and has continued through at least December 2017,” DOJ said. Data stolen included academic journals, theses, dissertations, and electronic books. The suspects not only fed the stolen data to the Iranian military, but also sold the contents online through two websites at Gigapaper.ir and Megapaper.ir, the latter of which remains active.
When targeting private companies, the suspects simply collected email accounts of their intended victims and then gained access by typing in commonly used passwords.
Federal investigators said the Iranian case was one of the largest state-sponsored hacking campaigns the US had ever prosecuted. But bringing the suspects to justice is another matter. All of them are now wanted men, but they reside in Iran, making chances of extradition slim.
It also means the suspects are free to continue hacking their victims, leading some security experts to question the effectiveness of Friday’s indictment.
But federal investigators say the charges are intended to send a message to the suspected hackers. “These defendants are now fugitives from American justice, no longer free to travel outside Iran without risk of arrest,” Manhattan U.S. Attorney Geoffrey S. Berman said in a statement.
“The only way they will see the outside world is through their computer screens, but stripped of their greatest asset — anonymity,” he added.
In addition to the charges, the US Treasury Department is punishing the Mabna Institute and the nine suspects with sanctions that forbid anyone in the US from conducting financial dealings with them.