Last week, the U.S. Justice Department issued criminal indictments against seven Iranian hackers. These hackers, working for private companies in Iran, are accused of orchestrating DDoS attacks against U.S. financial institutions from 2011-2013 as well as intruding into the control panel of a small dam in Rye, New York. It is thought that these attacks were a response to the U.S. tightening financial restrictions on Iran during those years and the NSA-based Stuxnet attack on their uranium enrichment facility in 2010.
The seven men charged, Ahmad Fathi, Hamid Firoozi, Amin Shokohi, Sadegh Ahmadzadegan (Nitr0jen26), Omid Ghaffarinia (PLuS), Sina Keissar, and Nader Saedi (Turk Server), all worked for two firms connected to the Iranian military, ITSecTeam and Mersad Co.
They are accused of commandeering web servers around the world to serve as zombies in their massive flood of packets aimed at targets in the States. If you remember from last year, I pointed out here that U.S. financial institutions were being attacked daily with DDoS attacks; These were apparently the attacks the Iranians were indicted for.
The significance of this indictment is probably most important in highlighting how international relations and warfare are being conducted in the 21st century.
At least 29 nations now have dedicated cyberwar departments whose task is to spy on and intrude on their enemies' computer systems. Many other nations, like the U.S., Russia, and apparently Iran now, contract out out some of these activities to private companies. Several U.S. Department of Defense contractors now have cyber warfare and cyber espionage units.
I can personally testify that both the CIA and NSA contract out these services to private companies, as I have trained many of their personnel at these companies.
This also highlights why I contend that hacking is the most important and valuable skill set in the 21st century. Nations without a cyberwar unit are like countries without an air force; they simply will not have a chance of success in any future conflicts. As such, nations around the world are scrambling to hire skilled hackers to man their cyber warfare units.
The UK's Ministry of Defence recently dropped its grooming requirements for its hacking units, and the U.S. Army has talked about dropping grooming and fitness requirements for similar jobs (they have been using waivers on a case-by-case basis so far), hoping to attract more long-haired, overweight, and bearded hackers.
The downside to this indictment is that the U.S., instead of indicting and verbally attacking Iran for these activities, is indicting the individuals who were ordered to undertake these attacks. This means that if these individuals travel to a country where the U.S. has jurisdiction, they may be arrested and brought stateside for trial.
Although that may seem like an appropriate response, remember that these types of actions can go both ways. If you are working for a contractor of the DoD or another nation's military, and you are given orders to hack their financial infrastructure, you may be indicted by the that nation's law enforcement. Then, while vacationing someplace on a sunny beach with the love of your life, you could be arrested and detained for your "crimes." I think this sets a very dangerous precedent. Its akin to charging individual soldiers for crimes in a war.
It is likely that all nations will continue to heat up their cyber warfare efforts, driving the demand for skilled hackers in coming years. That's great for all of us. Let's hope, though, that this indictment of Iranian hackers does not set a precedent as it will put all hackers taking orders from their government at risk.