Two Iranians accused in hacking at U of Calgary
Pair netted $6M from 200 organizations
The indictment, at times, reads like a scene from a spy thriller.
Two men, usually in the dead of night, work stealthily to infiltrate government agencies or companies to get access to their secrets.
Except in this case, the accused were IT geeks sitting in front of computers halfway around the world in Iran. Instead of using bolt cutters and night-vision goggles to break into these organizations, they allegedly used keystrokes and encryption software to infiltrate their computer networks and to hold sensitive data hostage until a ransom was paid.
Federal authorities in the U.S. said Wednesday the pair extorted more than $6 million from their victims. The University of Calgary was one of them.
“They’re hitting the most critical targets because they want to maximize their profits, but they’re also trying to maximize the damage they can do,” Craig Carpenito, U.S. Attorney for the District of New Jersey, said at a news conference in Washington, D.C. “They looked for the institutions that could afford least to have downtime.”
According to the U.S. Department of Justice, the accused pair — Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27 — carried out an international hacking and extortion scheme that targeted more than 200 organizations, including municipalities (Newark, N.J., and Atlanta, Ga.), public institutions (Port of San Diego, Calif., and Colorado Department of Transportation), health-care facilities (Hollywood Presbyterian Medical Center in Los Angeles and Kansas Heart Hospital in Wichita) and schools (University of Calgary).
The indictment alleges that beginning in December 2015, the two used “reconnaissance” techniques to scan computer networks for security vulnerabilities they could exploit. Once inside, they allegedly installed malicious software, or malware, they had created, known as “Samsam Ransomware,” on as many computers within the network as possible. The ransomware would encrypt data on those computers — rendering that data inaccessible to the victims.
To maximize the impact, the hackers launched their attacks outside regular business hours and also targeted backups of victims’ data, authorities said.
Victims were told to pay a ransom in the virtual currency Bitcoin in order to get decryption keys that would unlock their data. They were typically told that if they didn’t comply within seven days, the decryption keys would be deleted permanently. Sometimes, victims were directed to web pages that included a countdown timer to pressure them into acting quickly.
Federal prosecutors said the accused exchanged the Bitcoin proceeds into Iranian rial currency. The attacks, meanwhile, crippled victims’ business operations and resulted in losses of more than $30 million.
“These defendants didn’t just indiscriminately cross their fingers and hope their ransomware randomly compromised any computer system. Rather, they deliberately engaged in an extreme form of 21st-century digital blackmail,” Assistant Attorney General Brian Benczkowski told reporters.
Though the FBI says it encourages organizations not to pay ransoms in such situations, the University of Calgary confirmed in 2016 it had agreed to pay $20,000 to the hackers, whose identities were unknown at the time.
Citing the university’s “world-class research,” Linda Dalgetty, the vice-president of finances and services, told reporters the school needed to “protect the quality and the nature of the information we generate at the university.”
In a statement Wednesday, Dalgetty thanked law enforcement, including Calgary Police, for the investigative work they did. “Students, faculty and staff showed tremendous patience and understanding as the university worked through this challenging issue, and we hope they can take satisfaction in knowing that the suspected perpetrators are being charged,” she said.
Asked what the likelihood was that the two Iranian men will be brought to justice, since Iran does not have an extradition treaty with the U.S., Benczkowski said: “We’re always hopeful in these circumstances that we’ll be able to catch them in travel or by some other means and we’ll work with entities like Interpol … to restrict their travel and hopefully, if they slip up, we’ll pick them up.”
Savandi and Mansouri have been charged with conspiracy to commit wire fraud, conspiracy to commit fraud in connection with computers, intentional damage to a protected computer, and making a demand in relation to damaging a protected computer. None of the charges has been tested in court.