U.S. Indicts Nine Iranians for Attempted Cyber Attacks, Allegedly on Orders From Tehran

Hackers stole swaths of academic data to benefit the Revolutionary Guard and sold it to Iranian universities, prosecutors say

Pictures of nine Iranians charged with conducting massive cyber theft campaign displayed at the Justice Department in Washington, U.S., March 23, 2018. Credit: HANDOUT/REUTERS

The United States on Friday charged and sanctioned nine Iranians and an Iranian company for attempting to hack into hundreds of universities worldwide, dozens of companies and parts of the U.S. government, including its main energy regulator, on behalf of the government in Tehran.

The cyber attacks, beginning in at least 2013, pilfered more than 31 terabytes of academic data and intellectual property from 144 U.S. universities and 176 universities in 21 other countries, the U.S. Department of Justice said, describing the campaign as one of the largest state-sponsored hacks ever prosecuted.

The U.S. Treasury Department said that it was placing sanctions on the nine people and the Mabna Institute, a company U.S. prosecutors characterized as designed to help Iranian research organizations steal information.

U.S. Deputy Attorney General Rod Rosenstein said the nine Iranians were considered fugitives who may face extradition in more than 100 countries if they travel outside of Iran.

Authorities “will aggressively investigate and prosecute hostile actors who attempt to profit from America’s ideas by infiltrating our computer systems and stealing intellectual property,” Rosenstein said at a news conference.

He said the case “will disrupt the defendants’ hacking operations and deter similar crimes.”

The hackers were not accused of being directly employed by Iran’s government. They were instead charged with criminal conduct waged primarily through the Mabna Institute on behalf of the Islamic Revolutionary Guard Corps, the elite military force assigned to defend Iran’s Shi’ite theocracy from internal and external threats.

There was no immediate response to the charges and sanctions in Iran’s state-run media.

The targeting of the Federal Energy Regulatory Commission, or FERC, was especially concerning, U.S. Attorney Geoffrey Berman said, because it oversees the interstate regulation of energy in the United States and holds details of some of the country’s “most sensitive infrastructure.”

Hackers targeted email accounts of more than 100,000 professors worldwide, half located in the United States, and compromised about 8,000 of them, prosecutors said. Hackers also targeted the U.S. Labor Department, the United Nations and the computer systems of the U.S. states Hawaii and Indiana, prosecutors said.

Friday’s actions are part of an effort by senior cyber security officials at the White House and across the U.S. government to blame foreign countries for malicious hacks.


The Department of Justice on Friday privately warned major internet infrastructure companies to expect attacks from Iran, an executive at one company who received the alert said. The officials said the most likely response would be denial of service attacks on websites, which are not destructive but disrupt commerce and communication.

Britain’s National Cyber Security Center said on Twitter that the Mabna Institute was “almost certainly responsible for cyber attacks targeting universities around the world.”

The sanctions and charges were the fourth time in the past few months that the Trump administration has blamed a foreign government for major cyber attacks, a practice that was relatively rare under the Obama administration.

Last week, the administration accused the Russian government of cyber attacks stretching back at least two years that targeted the U.S. power grid. Washington imposed new sanctions on 19 Russians and five groups, including Moscow’s intelligence services, for meddling in the 2016 U.S. election and other cyber attacks.

Friday’s indictment in U.S. District Court in New York said the Iranian hackers conducted extensive background research on university professors before sending them “spearphishing” emails tailored to their academic interests and published scholarly articles.

The emails purported to be from professors at another university and indicated the sender had read an article written by them, prosecutors said.

The emails would then prompt recipients to click on links to related articles. The links led victims to a malicious internet domain that appeared similar to the victim’s actual university portal, where they would be prompted to enter their login credentials.

Once accounts were compromised, the hackers would steal reams of academic data and intellectual property related to science and technology, engineering, social sciences and medicine, the indictment said.

Stolen data was obtained to benefit Iran’s Revolutionary Guard and sold within Iran through the websites Megapaper and Gigapaper to universities in Iran, prosecutors said.


Hackers targeted and compromised employee email accounts for 36 U.S.-based companies and 11 companies in countries including Germany, Italy and Britain, prosecutors said. Victim companies in the United States included two media and entertainment companies, one law firm, 11 technology firms, and two bank and investment firms, among others.

Unlike the precise targeting of professors, companies fell victim to a broad technique known as “password spraying” that involves finding lists of company email accounts online and then attempting to hack into them by using common default passwords. Once inside, the hackers would steal entire email mailboxes.
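A defender's view of the password-spraying pattern described above, as an added example that is not taken from the article or the indictment: it flags a source that tries a few passwords against many accounts and lists any account that logged in successfully during the spray. The log format, thresholds, addresses and account names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <source IP> <account> <OK|FAIL>".
# The IPs are documentation addresses; the accounts are invented.
SAMPLE_LOG = """\
2018-03-01T09:00:01 203.0.113.7 alice@example.com FAIL
2018-03-01T09:00:03 203.0.113.7 bob@example.com FAIL
2018-03-01T09:00:05 203.0.113.7 carol@example.com FAIL
2018-03-01T09:00:07 203.0.113.7 dave@example.com OK
2018-03-01T09:00:09 203.0.113.7 erin@example.com FAIL
2018-03-01T09:05:00 198.51.100.4 frank@example.com FAIL
2018-03-01T09:05:10 198.51.100.4 frank@example.com FAIL
2018-03-01T09:05:30 198.51.100.4 frank@example.com OK
"""

def parse(log):
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_spray(log, min_accounts=4, max_tries_per_account=2,
                 window=timedelta(minutes=10)):
    """Return {source_ip: sorted accounts that logged in OK during a spray}."""
    by_ip = defaultdict(list)
    for event in parse(log):
        by_ip[event[1]].append(event)
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            recent = events[start:end + 1]
            tries = defaultdict(int)
            for _, _, user, _ in recent:
                tries[user] += 1
            # Spray shape: many accounts, few guesses against each one.
            if (len(tries) >= min_accounts
                    and max(tries.values()) <= max_tries_per_account):
                hit = {u for _, _, u, ok in recent if ok}
                findings.setdefault(ip, set()).update(hit)
    return {ip: sorted(users) for ip, users in findings.items()}

if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))
```

The second source in the sample repeatedly targets a single account, which is ordinary brute forcing and is handled by per-account lockout; the spray shape evades lockout and only shows up when attempts are grouped by source.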

The Treasury Department also placed sanctions on another Iranian, Behzad Mesri. Sometimes known as “Skote Vahshat,” Mesri was charged in 2017 with hacking cable TV network HBO to leak unaired episodes of the fantasy drama Game of Thrones. Mesri is still at large, officials said.

In 2016, the Obama administration indicted seven Iranians for distributed-denial-of-service attacks on dozens of U.S. banks and for trying to shut down a New York dam. Those hackers were also accused of working on behalf of Iran’s government.

None of the Iranians indicted in 2016 have been arrested or extradited, a Justice Department spokesman said.
