Massive cyberhack by Iran allegedly stole research from 320 universities, governments, and companies

Nine Iranians working on behalf of the Islamic Revolutionary Guard Corps hacked the computers of 7998 professors at 320 universities around the world over the past 5 years, an indictment filed by a federal grand jury alleges. The hackers stole 31.5 terabytes of documents and data, including scientific research, journals, and dissertations, the indictment alleges. Their targets also included the United Nations, 30 U.S. companies, and five U.S. government agencies.

The “massive and brazen cyber assault” is “one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice,” U.S. Attorney Geoffrey Berman of the Southern District of New York, where the indictment was filed, said at a press conference this morning. The hacks came to light through investigations by the Federal Bureau of Investigation and reports from victims. “The hackers targeted innovations and intellectual property from our country’s greatest minds,” Berman said, adding that they went after data and research from many fields.

According to the indictment, 3768 of the hacked professors were at 144 U.S. universities, and the attackers stole data that cost these institutions about $3.4 billion to “procure and access.” The accused allegedly set up an institute in Iran called Mabna that coordinated and paid for the hacks. The defendants then sold the stolen data through two websites, Gigapaper and Megapaper. The institute, the indictment says, aimed to “assist Iranian universities, as well as scientific and research organizations, to obtain access to non-Iranian scientific resources.”

The indictment does not name academic institutions or companies that were hacked, but does specify that victims included academic publishers, a biotechnology company, and 11 technology companies.

The indictment offers more detail about government breaches, noting that hacks in the United States occurred in the states of Hawaii and Indiana, as well as at the Federal Energy Regulatory Commission and Department of Labor, both in Washington, D.C. The defendants also allegedly hacked the United Nations Children’s Fund. Other countries targeted include Australia, Canada, China, Denmark, Finland, Germany, Ireland, Israel, Italy, Japan, Malaysia, the Netherlands, Norway, Poland, Singapore, South Korea, Spain, Sweden, Switzerland, Turkey, and the United Kingdom.

The charges against the accused include wire fraud, aggravated identity theft, and conspiracy to commit computer intrusions. The indictment says the university breaches involved “spearfishing,” in which the accused sent emails that tricked targets into providing their login credentials. The emails purported to come from professors who had read articles by the targets and asked to see more of their work, providing links. Clicking the link took the victim to a fake internet domain that resembled their own university’s website and asked them to log in. For the private sector, the indictment says the hackers used “password spraying,” trying commonly used passwords against many accounts; they then “exfiltrated entire email mailboxes from the victims” and also captured new outgoing and incoming email from compromised individuals.
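The password-spraying pattern the indictment describes has a recognisable shape in authentication logs: one source failing against many distinct accounts with only a try or two each, rather than many failures against one account. The following detector is an added example written for this article, not code from the indictment or any victim; the log format, the source addresses and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the indictment or any real system):
# 203.0.113.5 tries one password across many accounts; 198.51.100.7 hammers one account.
SAMPLE_LOG = """\
2018-03-01T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2018-03-01T09:00:03Z src=203.0.113.5 user=bob result=FAIL
2018-03-01T09:00:05Z src=203.0.113.5 user=carol result=FAIL
2018-03-01T09:00:07Z src=203.0.113.5 user=dave result=FAIL
2018-03-01T09:00:09Z src=203.0.113.5 user=erin result=SUCCESS
2018-03-01T09:00:11Z src=203.0.113.5 user=frank result=FAIL
2018-03-01T09:10:00Z src=198.51.100.7 user=alice result=FAIL
2018-03-01T09:10:05Z src=198.51.100.7 user=alice result=FAIL
2018-03-01T09:10:09Z src=198.51.100.7 user=alice result=FAIL
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse_log(text):
    """Return (timestamp, source, user, result) tuples; malformed lines are skipped."""
    return [(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], m["user"], m["result"])
            for m in map(LINE_RE.match, text.splitlines()) if m]

def detect_password_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {source: sorted users} for sources whose failures inside one window hit many
    distinct accounts with few tries each; a brute force on one account is not flagged."""
    fails = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails[src].append((ts, user))
    findings = {}
    for src, attempts in fails.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:  # slide the window forward
                start += 1
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[src] = sorted(per_user)
                break
    return findings

def compromised_after_spray(events, findings):
    """Accounts that logged in successfully from a flagged source: mailboxes to review for exfiltration."""
    return sorted({u for _, src, u, r in events if src in findings and r == "SUCCESS"})
```

The single-account brute force from the second source is left to lockout policy; the spray, which stays under per-account lockout thresholds by design, is what this check surfaces.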

Berman said all nine defendants are now believed to be in Iran. “These defendants are no longer free to travel outside of Iran without the fear of being arrested and extradited to the United States,” Berman said. “The only way they can see the rest of the world is through their computer screen, but now stripped of their greatest asset, anonymity.”