By Dustin Volz
WASHINGTON (Reuters) - The United States on Friday charged and sanctioned nine Iranians and an Iranian company for attempting to hack into hundreds of universities worldwide, dozens of firms and parts of the U.S. government, including its main energy regulator, on behalf of Tehran's government.
The cyber attacks, beginning in at least 2013, pilfered more than 31 terabytes of academic data and intellectual property from 144 U.S. universities and 176 universities in 21 other countries, the U.S. Department of Justice said, describing the campaign as one of the largest state-sponsored hacks ever prosecuted.
The U.S. Treasury Department said it was placing sanctions on the nine people and the Mabna Institute, a company U.S. prosecutors characterized as designed to help Iranian research organizations steal information.
U.S. Deputy Attorney General Rod Rosenstein said the nine Iranians were considered fugitives who may face extradition in more than 100 countries if they travel outside Iran.
Authorities "will aggressively investigate and prosecute hostile actors who attempt to profit from America's ideas by infiltrating our computer systems and stealing intellectual property," Rosenstein told a news conference.
The case "will disrupt the defendants' hacking operations and deter similar crimes," he added.
The hackers were not accused of being directly employed by Iran's government. They were instead charged with criminal conduct waged primarily through the Mabna Institute on behalf of the Islamic Revolutionary Guard Corps, the elite military force assigned to defend Iran's Shi'ite theocracy from internal and external threats.
In Tehran, Iran's foreign ministry spokesman Bahram Qasemi denounced the move as "provocative, illegitimate, and without any justifiable reason and another sign of the hostility of the (U.S.) ruling circles toward the Iranian nation", state news agency IRNA said.
The targeting of the Federal Energy Regulatory Commission, or FERC, was a matter of special concern, U.S. Attorney Geoffrey Berman said, because it oversees the interstate regulation of energy and holds details of some of the country's "most sensitive infrastructure."
Hackers targeted email accounts of more than 100,000 professors worldwide, half in the United States, and compromised about 8,000, prosecutors said. Hackers also targeted the U.S. Labor Department, the United Nations and the computer systems of the U.S. states Hawaii and Indiana, prosecutors said.
Friday's actions are part of an effort by senior cyber security officials at the White House and across the U.S. government to blame foreign countries for malicious hacks.
They were announced a day after U.S. President Donald Trump named John Bolton, a former U.S. ambassador to the United Nations who is deeply skeptical of the 2015 international nuclear accord with Iran, as his new national security adviser.
Trump himself has repeatedly cast doubt on the nuclear deal, in which the U.S. and other world powers eased sanctions in exchange for Tehran putting limits on its nuclear program.
INTERNET FIRMS ALERTED
The Department of Justice on Friday privately warned major internet infrastructure companies to expect attacks from Iran, an executive at one company who received the alert said.
The officials said the most likely retaliation would be denial of service attacks on websites, which are not destructive but disrupt commerce and communication.
Britain's National Cyber Security Centre said on Twitter the Mabna Institute was "almost certainly responsible for cyber attacks targeting universities around the world."
The sanctions and charges were the fourth time in the past few months the Trump administration has blamed a foreign government for major cyber attacks, a practice that was rare under the Obama administration.
Last week, the administration accused the Russian government of cyber attacks stretching back at least two years that targeted the U.S. power grid.
Washington imposed new sanctions on 19 Russians and five groups, including Moscow’s intelligence services, for meddling in the 2016 U.S. election and other cyber attacks.
Friday's indictment in U.S. District Court in New York said the Iranian hackers did extensive background research of university professors before sending them "spearphishing" emails tailored to academic interests and scholarly publications.
The emails purported to be from professors at another university and indicated the sender had read an article written by them, prosecutors said.
The emails would then direct recipients to click on links to related articles directing them to a malicious internet domain that appeared similar to the victims' actual university portal, where they would be prompted to enter their login credentials.
Once accounts were compromised, the hackers would steal reams of academic data and intellectual property related to science and technology, engineering, social sciences and medicine, the indictment said.
Stolen data was obtained to benefit Iran's Revolutionary Guard and sold in Iran through the websites Megapaper and Gigapaper to universities there, prosecutors said.
Hackers targeted and compromised employee email accounts at 36 U.S.-based companies and 11 companies in countries including Britain, Germany and Italy, prosecutors said.
Victim companies in the United states included two media and entertainment companies, one law firm, 11 technology firms, and two bank and investment firms, among others.
Unlike the precise targeting of academics, companies were subjected to a broad technique known as "password spraying" that uncovers lists of company email accounts online and then tries to hack into them with common default passwords.
Once inside, the hackers would steal entire email mailboxes.
The Treasury Department also put sanctions on another Iranian, Behzad Mesri. Sometimes known as "Skote Vahshat," Mesri was charged in 2017 with hacking cable TV network HBO to leak unaired episodes of the fantasy drama Game of Thrones.
Mesri is still at large, officials said.
The Obama administration in 2016 indicted seven Iranians for distributed-denial-of-service attacks on dozens of U.S. banks and for trying to shut down a New York dam. Those hackers were also accused of working on behalf of Iran's government.
None of the Iranians indicted in 2016 have been arrested or extradited, a Justice Department spokesman said.
(Reporting by Dustin Volz and Joseph Menn; additional reporting by Lisa Lambert, Timothy Gardner, Susan Heavey and Dubai newsroom; Editing by Grant McCool and Clarence Fernandez)