How to Handle Those Dam Hackers
Written By: A. Wilt
The US Department of Justice unsealed an indictment on Thursday, March 24, charging seven Iranian hackers with dozens of cyber-attacks. The attacks, which took place between December 2011 and May 2013, primarily targeted financial institutions, though they also affected a small dam in Rye, New York, with distributed denial of service (DDoS) attacks.
The attacks on the dam were themselves considered minor, though it's important to note that this is because the dam was offline for maintenance at the time. The hackers were able to study the dam's defenses and would have been able to control the sluice gates, had they not been under maintenance. The Department of Homeland Security believes that the hackers were attempting to use this information to target a larger dam in Oregon.
The financial sector was the larger immediate threat of these attacks. On that side, the attacks affected 46 major financial institutions, and occurred over the course of 176 days. During those times, hundreds of thousands of customers were unable to access any of their bank information.
DDoS attacks are carried out by seizing remote control of a computer system and installing malicious software onto that system. Such software operates by flooding a targeted server with information, which overwhelms the server. In these attacks, the servers were hit with up to three times the server's total capacity, making them unable to handle legitimate requests.
DDoS Stacheldraht attack diagram.
This indictment is not the first indictment naming individuals for cyber-attacks, though these indictments are a relatively new tool, and represent a large shift in how US security agencies handle these types of attacks. Once upon a time, these attacks would have been investigated as an intelligence matter. They would have been classified and security agencies would have been reluctant to even acknowledge that they had occurred.
However, since cyber-attacks are becoming more and more frequent and have the ability to do more damage, that thinking has changed, and they are now being investigated and handled as a criminal matter.
This strategy, known as 'name and shame,' has been in place since 2012, and has been used in other cases. The most notable examples are the Chinese military espionage case, and the Sony hack, which was traced to North Korea.
Both cases made a publicity splash, but the charges have never gone anywhere and the indictments have not turned into convictions. Still, supporters say the strategy is a valuable tool, noting that the US has imposed financial sanctions against North Korea, in part, due to the Sony attack. Many also credit the 2014 indictment of Chinese officers with contributing to a 2015 agreement between the US and China to curb cyber espionage.
Five Chinese on an FBI 'Wanted' list.
Critics point out that international law regarding these attacks has not been settled, and that those individuals, particularly in the Chinese case, were following orders their government had deemed lawful. Many nations around the world, including the US, conduct this type of cyber spying.
In cases where there is a clear attack, such as the Iranian case, charging individuals also allows the Iranian government to have an out, by laying the blame at individuals' feet and claiming a lack of knowledge of these activities.
It's unlikely that these Iranian citizens will ever see the inside of a courtroom. Iran is not going to turn their citizens over to the US. Handling these types of issues is a new phase in the legal world, both in the US and internationally. Publicly charging individuals could prove to be an effective strategy. FBI Director James B. Comey put it like this:
"The world is small, and our memories are long. We never say never. People often like to travel for vacation or education, and we want them looking over their shoulder."