Indictment: Iranians made 'coordinated' cyberattacks on U.S. banks, dam

"These sound like plot lines of a movie but they're not."

Hackers tied to the Iranian regime mounted "a coordinated cyber assault" on 46 banks and other U.S. financial institutions from 2011 to 2013, and tried to take control of a small dam just north of New York City, the Justice Department alleged in an indictment announced Thursday.

The charges against the seven Iranians amount to the most serious accusations yet that hackers linked to a foreign government had attacked so-called critical infrastructure in the U.S., one of the most feared scenarios in an era when everything from power plants to airports is increasingly connected to the Internet.


"These sound like plot lines of a movie, but they're not," said Preet Bharara, U.S. attorney for the Southern District of New York, who took part in the announcement with Attorney General Loretta Lynch and FBI Director James Comey. "They're real crimes committed by real people in the real world."

Some lawmakers called the charges a sign that Congress must move with haste to bolster the nation's cyber defenses.

“If hackers are able to access dams, the electrical grid, airports, our water supply or nuclear plants, the amount of damage they could do is enormous,” said Sen. Dianne Feinstein of California, the top Democrat on the Senate Intelligence Committee.

The accusations come at an especially sensitive time in relations between the two countries, as critics of the Obama administration's nuclear deal with Iran accuse the White House of weakness in the face of aggressive behavior by Tehran.

Targets of the cyberattacks included Bank of America, JPMorgan Chase, Citibank, Wells Fargo, American Express, the New York Stock Exchange and Nasdaq, the indictment says, as well as the computers that control a dam in Rye, N.Y. Because of the disruptions, at times hundreds of thousands of online banking customers were unable to get into their accounts, the government alleged.

This marks only the second time the U.S. has brought hacking charges against officials of another nation, following the 2014 indictments of five members of China’s People’s Liberation Army accused of hacking U.S. companies. As with the Chinese defendants, the Iranian defendants are not in the U.S. and authorities have no immediate way of arresting them — although Comey said it’s not a foregone conclusion they will never face justice.

“The world is small and our memories are long. We never say never,” Comey said. "We want them looking over their shoulder.”

One message of the indictment, he said, is that it’s not a “freebie” to hack U.S. infrastructure.

The attacks included "a large-scale coordinated campaign" to flood the computer systems of financial institutions with flurries of hostile traffic in an attempt to overwhelm, slow or even disable their networks, for instance by cutting off the banks' online banking services. Those attacks occurred on a "near-weekly basis" from September 2012 to May 2013, often hitting the banks during business hours between Tuesday and Thursday, the indictment says.

In addition, one of the suspects probed the computerized control systems of the dam in New York, repeatedly obtaining information that could later be exploited for more serious attacks, the government alleged. The hacker was unable to do any physical damage because the dam's sluice gate — which controls water levels and flow — had been manually disconnected for maintenance.

The defendants worked for private computer security companies based in Iran that did work for the country's government and the Islamic Revolutionary Guard, the indictment says. All are believed to still be in Iran.

Sen. Chuck Schumer (D-N.Y.), who has criticized the nuclear pact, has described the attack on the dam as "a shot across our bow."

"They were saying that we can damage, seriously damage, our critical infrastructure and put the lives and property of people at risk," Schumer said during an appearance on Long Island earlier this month. On Thursday, he said the indictments show that the U.S. “must step up our counter-hacking game ASAP.”

The Justice Department portrayed the indictment as a return volley across the bow of anyone trying to damage the U.S. in cyberspace. Assistant Attorney General John Carlin linked the indictments to two other major cyber actions this week: hacking charges brought against two members of the Syrian Electronic Army and a guilty plea from a Chinese businessman who had helped hack U.S. companies including Boeing.

"They thought we couldn’t figure out who did it and they thought, if we could figure out who did it, we wouldn’t say it. Well, they’re wrong,” Carlin said Thursday. He added that the indictments should “reinforce the days of perceived anonymity are gone.”

Among earlier incidents, the cybersecurity firm Cylance reported in 2014 that Iranian hackers had breached U.S. military infrastructure including unclassified computers in San Diego’s Navy Marine Corps Intranet, and a major U.S. defense contractor. The report also described targets in 15 other nations, including hospitals, chemical companies, government agencies and airports in South Korea, Saudi Arabia and Pakistan. Cylance dubbed the hacking campaign “Operation Cleaver.”

The breached dam in Rye was not mentioned in the “Operation Cleaver” report, but Cylance Vice President Jon Miller told POLITICO this month that it was likely committed by the same group. “It’s the same MO, the same targets, the same sourcing,” he said.

Iran is also widely believed responsible for a massive cyberattack against the Saudi state oil company Saudi Aramco in 2012 that destroyed data on more than half the company’s computers and replaced it with images of a burning American flag.

Iran’s surge in cyber capability and attacks during the past half-decade is generally ascribed to revenge for the 2010 Stuxnet attack that destroyed Iranian nuclear equipment, which is believed to have dealt a serious blow to the country's weapons program. Experts have attributed that attack to the U.S. and Israel.

Unlike state-linked Chinese hackers who focus mainly on gathering trade secrets and intellectual property to benefit Chinese companies, Iran’s hackers are focused solely on probing critical infrastructure for possible destructive attacks, Miller said.

So far, Congress' response to cyber threats has been slow to come, amid varying concerns raised by privacy groups and industry.

Feinstein and Senate Intelligence Chairman Richard Burr (R-N.C.) co-sponsored legislation enacted last year that gives legal protections to companies that share cyber threat information with the government. Feinstein told POLITICO soon after that bill passed that protecting critical infrastructure is the obvious next step.

A section championed by Sen. Susan Collins (R-Maine) that was stripped from the final version of that bill would have required the Homeland Security Department to assess cyber vulnerabilities at about 65 critical infrastructure providers. Industry groups criticized that section, saying it could lead to cybersecurity mandates and increased regulation.

Josh Gerstein contributed to this report.

CORRECTION: A previous version of this story included an incorrect title for Assistant Attorney General John Carlin.