{
	"id": "7b8618de-c4c1-4cbe-99e1-614f28633ad9",
	"created_at": "2026-04-06T15:52:51.380287Z",
	"updated_at": "2026-04-10T13:11:22.601698Z",
	"deleted_at": null,
	"sha1_hash": "afb0867b410d6a9a58b5cad557f8b6829640523c",
	"title": "Seven Iranians Working for Islamic Revolutionary Guard Corps-Affiliated Entities Charged for Conducting Coordinated Campaign of Cyber Attacks Against U.S. Financial Sector",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62443,
	"plain_text": "Seven Iranians Working for Islamic Revolutionary Guard Corps-Affiliated Entities Charged for Conducting Coordinated Campaign\r\nof Cyber Attacks Against U.S. Financial Sector\r\nPublished: 2016-03-24 · Archived: 2026-04-06 15:49:40 UTC\r\nOne Defendant Also Charged with Obtaining Unauthorized Access into Control Systems of a New York Dam\r\nA grand jury in the Southern District of New York indicted seven Iranian individuals who were employed by two\r\nIran-based computer companies, ITSecTeam (ITSEC) and Mersad Company (MERSAD), that performed work on\r\nbehalf of the Iranian Government, including the Islamic Revolutionary Guard Corps, on computer hacking charges\r\nrelated to their involvement in an extensive campaign of over 176 days of distributed denial of service (DDoS)\r\nattacks.\r\nAhmad Fathi, 37; Hamid Firoozi, 34; Amin Shokohi, 25; Sadegh Ahmadzadegan, aka Nitr0jen26, 23; Omid\r\nGhaffarinia, aka PLuS, 25; Sina Keissar, 25; and Nader Saedi, aka Turk Server, 26, launched DDoS attacks against\r\n46 victims, primarily in the U.S. financial sector, between late 2011 and mid-2013.  The attacks disabled victim\r\nbank websites, prevented customers from accessing their accounts online and collectively cost the victims tens of\r\nmillions of dollars in remediation costs as they worked to neutralize and mitigate the attacks on their servers.  In\r\naddition, Firoozi is charged with obtaining unauthorized access into the Supervisory Control and Data Acquisition\r\n(SCADA) systems of the Bowman Dam, located in Rye, New York, in August and September of 2013.\r\nThe indictment was announced today by Attorney General Loretta E. Lynch, Director James B. Comey of the FBI,\r\nAssistant Attorney General for National Security John P. Carlin and U.S. 
Attorney Preet Bharara of the Southern\r\nDistrict of New York.\r\n“In unsealing this indictment, the Department of Justice is sending a powerful message: that we will not allow any\r\nindividual, group, or nation to sabotage American financial institutions or undermine the integrity of fair\r\ncompetition in the operation of the free market,” said Attorney General Lynch.  “Through the work of our National\r\nSecurity Division, the FBI, and U.S. Attorney’s Offices around the country, we will continue to pursue national\r\nsecurity cyber threats through the use of all available tools, including public criminal charges.  And as today’s\r\nunsealing makes clear, individuals who engage in computer hacking will be exposed for their criminal conduct\r\nand sought for apprehension and prosecution in an American court of law.”\r\n“The FBI will find those behind cyber intrusions and hold them accountable — wherever they are, and whoever\r\nthey are,” said Director Comey.  “By calling out the individuals and nations who use cyber attacks to threaten\r\nAmerican enterprise, as we have done in this indictment, we will change behavior.”\r\n“Like past nation state-sponsored hackers, these defendants and their backers believed that they could attack our\r\ncritical infrastructure without consequence, from behind a veil of cyber anonymity,” said Assistant Attorney\r\nGeneral Carlin.  “This indictment once again shows there is no such veil – we can and will expose malicious cyber\r\nhackers engaging in unlawful acts that threaten our public safety and national security.”\r\nhttps://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged\r\nPage 1 of 4\n\n“The charges announced today respond directly to a cyber-assault on New York, its institutions and its\r\ninfrastructure,” said U.S. Attorney Bharara.  
“The alleged onslaught of cyber-attacks on 46 of our largest financial\r\ninstitutions, many headquartered in New York City, resulted in hundreds of thousands of customers being unable\r\nto access their accounts and tens of millions of dollars being spent by the companies trying to stay online through\r\nthese attacks.  The infiltration of the Bowman Avenue dam represents a frightening new frontier in cybercrime. \r\nThese were no ordinary crimes, but calculated attacks by groups with ties to Iran’s Islamic Revolutionary Guard\r\nand designed specifically to harm America and its people.  We now live in a world where devastating attacks on\r\nour financial system, our infrastructure and our way of life can be launched from anywhere in the world, with a\r\nclick of a mouse.  Confronting these types of cyber-attacks cannot be the job of just law enforcement.  The charges\r\nannounced today should serve as a wake-up call for everyone responsible for the security of our financial markets\r\nand for guarding our infrastructure.  Our future security depends on heeding this call.”\r\nAccording to the indictment unsealed today in federal court in New York City:\r\nDDoS Attacks\r\nThe DDoS campaign began in approximately December 2011, and the attacks occurred only sporadically until\r\nSeptember 2012, at which point they escalated in frequency to a near-weekly basis, between Tuesday and\r\nThursdays during normal business hours in the United States.  On certain days during the campaign, victim\r\ncomputer servers were hit with as much as 140 gigabits of data per second and hundreds of thousands of\r\ncustomers were cut off from online access to their bank accounts. \r\nFathi, Firoozi and Shokohi were responsible for ITSEC’s portion of the DDoS campaign against the U.S. financial\r\nsector and are charged with one count of conspiracy to commit and aid and abet computer hacking.  
Fathi was the\r\nleader of ITSEC and was responsible for supervising and coordinating ITSEC’s portion of the DDoS campaign,\r\nalong with managing computer intrusion and cyberattack projects being conducted for the government of Iran. \r\nFiroozi was the network manager at ITSEC and, in that role, procured and managed computer servers that were\r\nused to coordinate and direct ITSEC’s portion of the DDoS campaign.  Shokohi is a computer hacker who helped\r\nbuild the botnet used by ITSEC to carry out its portion of the DDoS campaign and created malware used to direct\r\nthe botnet to engage in those attacks.  During the time that he worked in support of the DDoS campaign, Shokohi\r\nreceived credit for his computer intrusion work from the Iranian government towards his completion of his\r\nmandatory military service requirement in Iran.\r\nAhmadzadegan, Ghaffarinia, Keissar and Saedi were responsible for managing the botnet used in MERSAD’s\r\nportion of the campaign, and are also charged with one count of conspiracy to commit and aid and abet computer\r\nhacking.  Ahmadzadegan was a co-founder of MERSAD and was responsible for managing the botnet used in\r\nMERSAD’s portion of the DDoS campaign.  He was also associated with Iranian hacking groups Sun Army and\r\nthe Ashiyane Digital Security Team (ADST), and claimed responsibility for hacking servers belonging to the\r\nNational Aeronautics and Space Administration (NASA) in February 2012.  Ahmadzadegan has also provided\r\ntraining to Iranian intelligence personnel.  Ghaffarinia was a co-founder of MERSAD and created malicious\r\ncomputer code used to compromise computer servers and build MERSAD’s botnet.  Ghaffarinia was also\r\nassociated with Sun Army and ADST, and has also claimed responsibility for hacking NASA servers in February\r\n2012, as well as thousands of other servers in the United States, the United Kingdom and Israel.  
Keissar procured\r\ncomputer servers used by MERSAD to access and manipulate MERSAD’s botnet, and also performed preliminary\r\ntesting of the same botnet prior to its use in MERSAD’s portion of the DDoS campaign.  Saedi was an employee\r\nof MERSAD and a former Sun Army computer hacker who expressly touted himself as an expert in DDoS\r\nattacks.  Saedi wrote computer scripts used to locate vulnerable servers to build the MERSAD botnet used in its\r\nportion of the DDoS campaign.\r\nFor the purpose of carrying out the attacks, each group built and maintained their own botnets, which consisted of\r\nthousands of compromised computer systems owned by unwitting third parties that had been infected with the\r\ndefendants’ malware, and subject to their remote command and control.  The defendants and/or their unindicted\r\nco-conspirators then sent orders to their botnets to direct significant amounts of malicious traffic at computer\r\nservers used to operate the websites for victim financial institutions, which overwhelmed victim servers and\r\ndisabled them from customers seeking to legitimately access the websites or their online bank accounts.  Although\r\nthe DDoS campaign caused damage to the financial sector victims and interfered with their customers’ ability to\r\ndo online banking, the attacks did not affect or result in the theft of customer account data.\r\nDDoS Botnet Remediation\r\nSince the attacks, the Department of Justice and the FBI have worked together with the private sector to\r\neffectively neutralize and remediate the defendants’ botnets.  
Specifically, through approximately 20 FBI Liaison\r\nAlert System (FLASH) messages, the FBI regularly provided updated information collected from the investigation\r\nregarding the identity of systems that had been infected with the defendants’ malware and operating as bots within the\r\nmalicious botnets.  In addition, the FBI conducted extensive direct outreach to Internet service providers\r\nresponsible for hosting systems that have been infected with the defendants’ malware to provide them information\r\nand assistance in removing the malware to protect their customers and other potential victims of the defendants’\r\nunlawful cyber activities.  Through these outreach efforts and the cooperation of the private sector, over 95\r\npercent of the known part of the defendants’ botnets have been successfully remediated.\r\nBowman Dam Intrusion\r\nBetween Aug. 28, 2013, and Sept. 18, 2013, Firoozi repeatedly obtained unauthorized access to the SCADA\r\nsystems of the Bowman Dam, and is charged with one substantive count of obtaining and aiding and abetting\r\ncomputer hacking.  This unauthorized access allowed him to repeatedly obtain information regarding the status\r\nand operation of the dam, including information about the water levels, temperature and status of the sluice gate,\r\nwhich is responsible for controlling water levels and flow rates.  Although that access would normally have\r\npermitted Firoozi to remotely operate and manipulate the Bowman Dam’s sluice gate, Firoozi did not have that\r\ncapability because the sluice gate had been manually disconnected for maintenance at the time of the intrusion.\r\nRemediation for the Bowman Dam intrusion cost over $30,000.\r\n* * *\r\nAll seven defendants face a maximum sentence of 10 years in prison for conspiracy to commit and aid and abet\r\ncomputer hacking.  
Firoozi faces an additional five years in prison for obtaining and aiding and abetting\r\nunauthorized access to a protected computer at the Bowman Dam.\r\nAn indictment is merely an accusation and all defendants are presumed innocent unless proven guilty in a court of\r\nlaw.\r\nThe case was investigated by the FBI, including the Chicago; Cincinnati; New York; Newark, New Jersey;\r\nPhoenix; and San Francisco Field Offices.  This case is being prosecuted by Assistant U.S. Attorney Timothy T.\r\nHoward of the Southern District of New York, with the substantial assistance of Deputy Chief Sean M. Newell of\r\nthe National Security Division’s Counterintelligence and Export Control Section.\r\nFathi et al Indictment.pdf\r\nSource: https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged"
	],
	"report_names": [
		"seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged"
	],
	"threat_actors": [
		{
			"id": "9663cdbf-646e-4579-881a-a8ebc3aabf63",
			"created_at": "2023-01-06T13:46:38.360862Z",
			"updated_at": "2026-04-10T02:00:02.942852Z",
			"deleted_at": null,
			"main_name": "Cutting Kitten",
			"aliases": [
				"ITsecTeam"
			],
			"source_name": "MISPGALAXY:Cutting Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775490771,
	"ts_updated_at": 1775826682,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/afb0867b410d6a9a58b5cad557f8b6829640523c.pdf",
		"text": "https://archive.orkl.eu/afb0867b410d6a9a58b5cad557f8b6829640523c.txt",
		"img": "https://archive.orkl.eu/afb0867b410d6a9a58b5cad557f8b6829640523c.jpg"
	}
}