US Sanctions Iranian Nationals Over DDoS Bank Attacks

7 Iranians Already Indicted by Justice Department Over US Banking Disruptions
The U.S. Treasury Department has announced sanctions against 11 individuals and organizations with alleged ties to Iran, some of whom have been accused of helping to launch distributed denial-of-service attacks against dozens of U.S. banks from 2011 to 2013.

The sanctions follow the Justice Department in March 2016 indicting seven Iranians suspected of participating in the DDoS campaign against U.S. banks. Some allegedly worked on behalf of the Iranian government, including the Iranian Revolutionary Guard Corps - a branch of Iran's armed forces (see 7 Iranians Indicted for DDoS Attacks Against U.S. Banks).

Now, those same seven Iranian nationals, who remain at large, have been added to the Treasury Department's Specially Designated Nationals list. "Their assets are blocked and U.S. persons are generally prohibited from dealing with them," according to the Treasury Department.

"Treasury will continue to take strong actions to counter Iran's provocations, including support for the IRGC-Qods Force and terrorist extremists, the ongoing campaign of violence in Syria, and cyberattacks meant to destabilize the U.S. financial system," Treasury Secretary Steven T. Mnuchin said.

The Treasury Department did not immediately respond to a query about why it waited 18 months after the indictment was unsealed to bring sanctions against the alleged DDoS attackers.

DDoS Campaigns Targeted US Banks

According to the indictment unsealed in 2016, the DDoS attacks allegedly perpetrated by the suspects ran sporadically from December 2011 until September 2012, when they escalated to near-daily attacks through May 2013.

The disruptions targeted 46 major financial institutions and corporations, including Bank of America, Capital One, JPMorgan Chase and PNC Banks, as well as the New York Stock Exchange and Nasdaq, according to the indictment.

"On certain days during the campaign, victim computer servers were hit with as much as 140 gigabits of data per second and hundreds of thousands of customers were cut off from online access to their bank accounts," according to the Justice Department. Targeted organizations spent millions of dollars attempting to mitigate the DDoS disruptions, it adds.

Credit for the attacks was taken by a group that called itself the Izz ad-Din al-Qassam Cyber Fighters, which said the attacks were reprisal for a YouTube movie trailer that the group deemed to have cast Islam in a negative light. Many security experts, however, suggested that this explanation was a ruse, and that the DDoS disruptions could be Iran's response to the Stuxnet malware attack, ascribed to a U.S.-Israeli cyberweapon program. Stuxnet crippled Iranian nuclear centrifuges in 2010.

ITSec Team and Mersad Co.

The Justice Department indictment named the DDoS campaign suspects as:

  • Sadegh Ahmadzadegan, aka "Nitr0jen26";
  • Ahmad Fathi, aka "M3HRAN";
  • Hamid Firoozi, aka "H4mid@Tm3l";
  • Omid Ghaffarinia, aka "PLuS";
  • Sina Keissar, aka "sina_molove";
  • Nader Saedi, aka "Turk Server";
  • Amin Shokohi, aka "Pejvak".

Prosecutors allege they worked for ITSecTeam (aka ITSEC) or Mersad Company, which is allegedly affiliated with Iran's Islamic Revolutionary Guard Corps, also known as the IRGC-Qods Force.

Both firms were described as being Iranian private security companies that performed work on behalf of the Iranian government.

The Justice Department accused Fathi, Firoozi and Shokohi of running "ITSEC's portion of the DDoS campaign," alleging that Shokohi, a computer hacker who helped build the botnet that was used to launch DDoS attacks, "received credit for his computer intrusion work from the Iranian government towards his completion of his mandatory military service requirement in Iran."

The Justice Department accused Ahmadzadegan, Ghaffarinia, Keissar and Saedi of being responsible for "managing the botnet used in Mersad's portion of the campaign."

Ahmadzadegan, Mersad's co-founder, "was also associated with Iranian hacking groups Sun Army and the Ashiyane Digital Security Team (ADST), and claimed responsibility for hacking servers belonging to the National Aeronautics and Space Administration (NASA) in February 2012," the Justice Department alleged.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.