WASHINGTON — The Trump administration announced criminal charges and sanctions Friday against Iranians accused in a government-sponsored hacking scheme to pilfer sensitive information from hundreds of universities, private companies and American government agencies.
The nine defendants, accused of working at the behest of the Iranian government-tied Islamic Revolutionary Guard Corps, hacked the computer systems of about 320 universities in the United States and abroad to steal expensive science and engineering research that was then used or sold for profit, prosecutors said.
The hackers also are accused of breaking into the networks of dozens of government organizations, such as the Department of Labor, the United Nations and Federal Energy Regulatory Commission, and companies including law firms and biotechnology corporations.
The Justice Department said the hackers were affiliated with an Iranian company called the Mabna Institute, which prosecutors say contracted since at least 2013 with the Iranian government to steal scientific research from other countries.
“By bringing these criminal charges, we reinforce the norm that most of the civilized world accepts: nation-states should not steal intellectual property for the purpose of giving domestic industries an advantage,” Deputy Attorney General Rod Rosenstein said in announcing the charges.
Also Friday, the Treasury Department targeted the Mabna Institute and 10 Iranians — the nine defendants and one charged in a separate case last year — for sanctions that will bar them from doing business in the United States.
The defendants are unlikely to ever be prosecuted in an American courtroom since there’s no extradition treaty with Iran. But the grand jury indictment — filed in federal court in Manhattan — is part of the government’s “name and shame” strategy to publicly identify foreign hackers, block them from traveling without risk of arrest and put their countries on notice.
The strategy has been employed with past indictments accusing Iranian hackers of a digital break-in of a New York dam, Chinese military officials of large-scale hacks at energy corporations and Russians of a massive breach of Yahoo user accounts.
“People travel. They take vacations, they make plans with their families,” said FBI Deputy Director David Bowdich. “Having your name, face and description on a ‘wanted’ poster makes moving freely much more difficult.”
According to the indictment, the Iranians broke into universities through relatively simple, but common means — tricking professors to click on compromised links. The spear-phishing emails purported to be from professors at one university to those at another and contained what appeared to be authentic article links.
But once clicked on, the links steered the professors to a malicious Internet domain that led them to believe they had been logged out of their systems and asked them to enter their log-in. The credentials were then logged and stolen by the hackers, prosecutors say.
From there, according to the Justice Department, the hackers stole roughly 15 billion pages of academic research and intellectual property that was then sent outside the United States for profit.
More than 100,000 professors worldwide were targeted with spear-phishing emails, and the information that was stolen cost U.S. universities about $3.4 billion to procure and access.
“Just in case you’re wondering, they’re not admiring our work,” Bowdich said. “They’re stealing it, and they’re taking credit for it, and they’re selling it to others.”