Iranian hacker indictment part of US name-and-shame tactic
WASHINGTON (AP) — The indictment charging seven Iranian hackers with attacking dozens of banks and a small dam near New York City is part of a strategy to name and shame foreign governments that support such attacks, the Justice Department’s top national security official said Friday.
Where punishing cyberattacks were once investigated mostly for intelligence purposes, U.S. officials are increasingly investigating them with an eye toward building a criminal prosecution and identifying by name the hackers believed responsible — and the foreign nation that may be sponsoring them.
“We need to show that these are not anonymous, that there’s no free pass because you do it behind a keyboard in a country far away,” Assistant Attorney General John Carlin, the head of the department’s national security division, said in an interview with The Associated Press.
U.S. officials say the strategy known colloquially as “name and shame,” in place since 2012, also is demonstrated in indictments two years ago linking Chinese military hackers to economic espionage of American corporations and in the public blaming of North Korea for a cyberattack against Sony Pictures Entertainment.
The goal, Carlin said, is to have a new “sheriff” patrolling a cyberspace that he says has long resembled the Wild West, where foreign hackers have acted with impunity.
“If you let someone walk across your lawn long enough and don’t tell them to stop, they get the right to walk across your lawn,” he said.
It’s hard to prove the strategy’s effectiveness, or whether such indictments actually lead to a decrease in hacking attempts. It’s also unclear whether any of the Iranian hackers will ever be apprehended. The five Chinese defendants indicted on similar charges in May 2014 have yet to appear in an American courtroom, leading to criticism that the cases make a publicity splash but have little practical impact.
But government officials say their tactic can at least put foreign governments on notice that their actions are being watched, trap the defendants in their home countries and encourage a more frank dialogue. Some officials and experts, for instance, see a link between the Chinese hacking case and an agreement between China and the U.S. last year to curb economic cyberespionage.
“The Chinese response over the last 10 years was, ‘We don’t hack.’ Now (you) have the president of China saying, ‘We’re going to make changes’,” said Shawn Henry, a former FBI executive assistant director and president of CrowdStrike Services, a cybersecurity company.
Henry said the prosecutions can take time to yield results and the success of the tactics needs to be evaluated over the long run. For instance, a CrowdStrike report issued last fall — weeks after China and the U.S. announced their agreement — showed continued Chinese hacking attempts on American corporate intellectual property.
In publicly announcing charges, federal officials have likely deterred the hackers from ever traveling, which probably limits their chances of being arrested.
In other cases, though, prosecutors have brought charges under seal that were unveiled only after the targeted defendant traveled. That was the case with Su Bin, a Chinese businessman who was arrested in Canada two years ago and pleaded guilty Wednesday to hacking U.S. defense contractors and stealing military information.
The most recent case, announced Thursday, accuses Tehran-linked hackers of reaching into the U.S. infrastructure and disrupting its financial system. It was the first time the FBI attributed a breach of a U.S. computer system that controls critical infrastructure to a hacker linked to a foreign government.
The intrusions between 2011 and 2013 targeted 46 victims, disabling bank websites and interfering with customers’ ability to do online banking, the indictment states. The entire coordinated campaign occurred sporadically over 176 days and cost the institutions tens of millions of dollars in remediation costs; no customers lost money or had their personal information stolen.
The hackers worked for two Iranian computer companies linked to the Iranian government, including the Islamic Revolutionary Guard Corps, the U.S. said. Charges include violating U.S. laws on computer hacking and gaining unauthorized access to a protected computer.
Iranian officials in Tehran could not be immediately reached for comment amid the country’s celebration of the annual Nowruz holiday, which marks the Persian New Year and the arrival of spring. Iran’s mission to the United Nations did not immediately respond to a request for comment.
Iran has previously been suspected in hacking attempts. A Wall Street Journal report in November linked Iran’s Revolutionary Guard to similar hacking and phishing attempts targeting the email and social-media accounts of Obama administration officials.
Associated Press writers Jon Gambrell in Dubai, United Arab Emirates, and Bradley Klapper in Washington contributed to this report.