US Charges 9 Iranians in Massive Academic Research Theft

The United States Department of Justice has charged nine Iranian nationals for engaging in a massive phishing campaign on behalf of the Iranian Revolutionary Guard. The allegations include the theft of US$3.4 billion in research and intellectual property from 320 colleges and universities in the U.S. and abroad, as well as from 47 foreign and domestic companies, plus several federal agencies, state governments, and the United Nations.

All of the defendants were affiliated with the Mabna Institute, an Iranian firm that launched a massive cybercampaign in 2013, eventually stealing 31.5 terabytes of email account data from thousands of U.S. and foreign corporate employees and university faculty members around the world.

The nine defendants: Gholamreza Rafatnejad, 38; Ehsan Mohammadi, 37; Abdollah Karima, aka Vahid Karima, 39; Mostafa Sadeghi, 28; Seyed Ali Mirkarimi, 34; Mohammed Reza Sabahi, 26; Roozbeh Sabahi, 24; Abuzar Gohari Moqadam, 37; Sajjad Tahmasebi, 30. All of the defendants are Iranian citizens.

The defendants have been charged with one count of conspiracy to commit computer intrusion, which carries a maximum sentence of five years; one count of conspiracy to commit wire fraud, which carries a maximum of 20 years; two counts of unauthorized access to a computer, which carry a maximum of five years each; two counts of wire fraud, which carry up to 20 years each; and one count of aggravated identity theft, which carries a mandatory two years in prison.

The Treasury Department sanctioned the Mabna Institute and 10 Iranians: the nine defendants named in this case and Behzad Mesri, who was indicted in a separate case last fall. In that case, Mesri is accused of hacking HBO and trying to extort US$6 million in bitcoin from it after stealing unaired episodes of various shows, including Ballers, Insecure, and Game of Thrones.

The various agencies and governments hit by the latest attack include the U.S. Department of Labor, the Federal Energy Regulatory Commission, the states of Hawaii and Indiana, the United Nations, and the United Nations Children’s Fund.

Iran’s Foreign Ministry condemned the sanctions as provocative and illegal.

The U.S. “will not be able to use such ploys to stop or prevent Iranian people’s scientific progress,” said spokesperson Bahram Qassemi.

Brute Force

The defendants targeted the accounts of more than 100,000 professors around the world and ultimately compromised roughly 8,000 of them, according to the DoJ. The breached institutions included 144 U.S. universities and 176 foreign universities in 21 countries, among them the UK, China, Canada, South Korea, Spain, Israel, Turkey and several other Western European nations.

The attacks, which ran from 2013 until December 2017, gained unauthorized access to various professors’ accounts to steal dissertations, academic journals, theses and electronic books. The targeted documents spanned a variety of fields, including technology, medicine, engineering and social science.

The stolen information was sold through two websites: Megapaper.ir, operated by Falinoos Co., a firm Karima controlled; and Gigapaper.ir, which was affiliated with Karima.

Megapaper sold stolen academic material to customers in Iran, including colleges and universities there, while Gigapaper sold access to the stolen professor credentials, which buyers used to log in to the online library systems of U.S. and foreign universities, according to the DoJ.

“Academic institutions are prime targets for foreign cybercriminals,” said Deputy Attorney General Rod J. Rosenstein when he announced the indictments last week.

“Universities can thrive as marketplaces of ideas and engines of research and development only if their work is protected from theft,” he added. “The events described in this indictment highlight the need for universities and other organizations to emphasize cybersecurity, increase threat awareness and harden their computer networks.”

Iran is far from new to cyberespionage or cyberwarfare. It was the victim of the Stuxnet computer worm attack that famously targeted the Iranian nuclear program. As a cyberactor, Iran reportedly was behind APT33, a group that has targeted energy, aerospace and other industries in the U.S., Saudi Arabia and South Korea.

“The Iranians continue to improve and become more sophisticated in their cybercapabilities. In my opinion, they are in the top five of countries with significant capabilities,” said Verodin Chief Strategy Officer Earl Matthews, Maj. Gen., USAF (Ret.).

“This attack represents the continued loss of intellectual property of our nation. It wouldn’t surprise me if many of these universities were specifically targeted because they are doing research and development on behalf of the U.S. government,” he told the E-Commerce Times.

“When the investigation details come out on how the breach was accomplished, we will once again find that cyberhygiene and social engineering will be the cause. These attacks can be mitigated if organizations would continuously automate and measure the validity, value, and effectiveness of their cybersecurity controls. We are well beyond just doing checklist compliance and thinking we are safe,” Matthews said.

Vulnerable Targets

The indictment shows that phishing attacks played a central role in how the Iranians were able to access this data, said Kevin O’Brien, president of GreatHorn.

More than 8,000 professors around the world were compromised by the attack, court documents show. The lure was an email containing a link to what purported to be a "complimentary note" about one of the professor's articles; the link actually led to a malicious website that harvested the professor's university login credentials.
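The one structural tell in a lure like this is the link itself: it has to leave the university's real domain while still looking like it belongs there. The following Python check is an added example, not code from the indictment, the DoJ or GreatHorn; it parses a message, pulls every URL out of the body and classifies each one as legitimate, a lookalike (the institution's name appears in a host that is not under its real domain), a raw IP, or merely external. The institution domain, the brand tokens and the sample message are constructed for illustration.

```python
"""Flag phishing-style links whose host impersonates an institution's domain.

Added example (not the indictment's or any vendor's code). The domains,
tokens and the sample message below are constructed for illustration.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed: the institution's legitimate registrable domain(s).
LEGIT_DOMAINS = {"example-university.edu"}

# Constructed: name fragments an attacker would reuse in a lookalike host.
BRAND_TOKENS = {"example-university", "exampleuniv", "example-univ"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def is_under(host, domain):
    """True if host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_link(url):
    """Return 'legit', 'lookalike', 'raw-ip' or 'external' for one URL."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if any(is_under(host, d) for d in LEGIT_DOMAINS):
        return "legit"
    if IPV4_RE.fullmatch(host):
        return "raw-ip"
    # Our name appears in the host, but the host is not ours: the classic
    # login-page impersonation, e.g. example-university.edu.evil.example
    if any(tok in host for tok in BRAND_TOKENS):
        return "lookalike"
    return "external"


def extract_body_text(raw_message):
    """Concatenate the text/plain and text/html parts of an RFC 822 message."""
    msg = message_from_string(raw_message)
    chunks = []
    for part in msg.walk():  # walk() yields the message itself if not multipart
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def find_suspicious_links(raw_message):
    """Return [(url, verdict)] for every lookalike or raw-IP link in the body."""
    findings = []
    for url in URL_RE.findall(extract_body_text(raw_message)):
        verdict = classify_link(url)
        if verdict in ("lookalike", "raw-ip"):
            findings.append((url, verdict))
    return findings


# Constructed sample lure: a "colleague" praising an article, with one
# legitimate library link and one lookalike host that leaves our domain.
SAMPLE_EMAIL = """From: colleague@other-university.example
To: professor@example-university.edu
Subject: Your recent article
Content-Type: text/plain; charset="utf-8"

Dear Professor,
I read your recent article with great interest and left a note for you at
http://example-university.edu.login-portal.example/article/note
Our library copy is at https://library.example-university.edu/catalog
Best regards
"""

if __name__ == "__main__":
    for url, verdict in find_suspicious_links(SAMPLE_EMAIL):
        print(f"{verdict:10s} {url}")
```

The check deliberately keys on the registrable domain rather than on string similarity, because a host such as `example-university.edu.login-portal.example` passes a naive "contains our domain" test while still being entirely attacker-controlled; a production filter would add lookalike detection for homoglyphs and typosquats and feed the verdicts into mail-gateway rules rather than print them.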

The research and intellectual property stolen from universities, along with the personally identifiable information taken with them, can generate major returns in underground marketplaces, O'Brien told the E-Commerce Times.

“Universities are both places where IP can be found and stolen, and repositories of significant amounts of personally identifiable information about students, ranging from names and addresses to detailed financial records. Both are highly valuable and can be resold to fund more significantly nefarious and dangerous activities,” he said.

The latest indictments should not spark greater concerns over the vulnerability of U.S. cybersecurity, suggested Chris Bronk, associate director of the Center for Information Security Research at the University of Houston.

“You can panic about things like this, I don’t,” he told the E-Commerce Times. “Compared to 10 or 15 years ago, U.S. entities are better prepared.”


David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain’s New York Business and The New York Times.