The indictment was unsealed on Friday 23rd March, charging nine individuals associated with the Iran-based Mabna Institute with orchestrating a coordinated campaign of cyber intrusions dating back as far as 2013. They are alleged to have made their way into computer systems belonging to 144 US universities, 176 universities across 21 other countries, 47 US companies, and several US governmental departments, as well as the United Nations.
Over 30 terabytes of data were stolen: academic data and intellectual property from the universities, and email inboxes of company and government employees. The indictment claims that the nine people charged carried out the attacks on behalf of the Islamic Revolutionary Guard Corps, an entity within Iran responsible for intelligence gathering.
This is one of the largest state-sponsored hacking campaigns seen, and it has brutally exposed the vulnerabilities of the cyber defences of many organisations. With high-value data at stake, one of the lessons that needs to be learned from this episode is the importance of good cyber security.
One of the techniques used in the attacks was “password spraying” – collecting employees’ names and email addresses from open internet searches, then combining them with default passwords, or those most commonly used (it’s a sorry fact that “password” and “12345” are still far too commonplace). Instituting a stronger cyber security policy and educating employees about basic steps they can take to better prepare themselves against a future attack is of paramount importance.
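For defenders, password spraying leaves a recognisable trace in authentication logs: one source failing against many different accounts, with only a guess or two on each. The sketch below is an added example, not taken from the indictment or its sources; the log format, sample lines and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: timestamp, source IP, account, result.
SAMPLE_LOG = """\
2018-03-01T09:00:05 203.0.113.7 alice FAIL
2018-03-01T09:01:10 203.0.113.7 bob FAIL
2018-03-01T09:02:30 203.0.113.7 carol FAIL
2018-03-01T09:03:45 203.0.113.7 dave FAIL
2018-03-01T09:05:00 203.0.113.7 erin OK
2018-03-01T09:10:00 198.51.100.20 alice FAIL
2018-03-01T09:10:20 198.51.100.20 alice FAIL
2018-03-01T09:10:40 198.51.100.20 alice FAIL
2018-03-01T09:11:00 198.51.100.20 alice FAIL
2018-03-01T09:15:00 192.0.2.44 bob FAIL
2018-03-01T09:15:30 192.0.2.44 bob OK
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, src, user, result = line.split()
        yield datetime.fromisoformat(ts), src, user, result

# Thresholds are illustrative assumptions; tune them to your own login volume.
def detect_spray(log, window=timedelta(minutes=30), min_users=4, max_per_user=2):
    """Flag sources failing against many accounts with few tries on each.

    Returns {source: {"targeted": [...], "succeeded": [...]}}.
    """
    fails, oks = defaultdict(list), defaultdict(set)
    for ts, src, user, result in parse(log):
        if result == "FAIL":
            fails[src].append((ts, user))
        else:
            oks[src].add(user)
    flagged = {}
    for src, events in fails.items():
        events.sort()
        start, targeted = 0, set()
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            counts = Counter(user for _, user in events[start:end + 1])
            # Many distinct accounts, few guesses each: spray, not brute force.
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                targeted |= set(counts)
        if targeted:
            # A success from a spraying source is a likely compromised account.
            flagged[src] = {"targeted": sorted(targeted), "succeeded": sorted(oks[src])}
    return flagged
```

On the sample data only the first source is flagged; repeated failures against a single account and an ordinary mistyped password are left alone, and the account that logged in successfully from the flagged source is the one to reset first.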
Because all the defendants are in Iran, no arrests have been made, but Deputy US Attorney General Rod Rosenstein said the indictment was important for disrupting their hacking operations and for deterring anyone from committing similar crimes. The US Treasury Department’s Office of Foreign Assets Control has also imposed sanctions on the Mabna Institute.
References: US Department of Justice; The American Lawyer International