UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK UNITED STATES OF AMERICA SEALED INDICTMENT - V - 16 Cr AHMAD FATE-II HAMID FIROOZI AMIN SHOKOHI i with SADEGH AHMADZADEGAN a k a NitrOjen26 OMID GHAFFARINIA a k a SINA KEISSAR and NADER SAEDI a k a Turk Server If I v W3 Defendants COUNT ONE CONSPIRACY TO COMMIT COMPUTER HACKING ITSEC TEAM The Grand Jury charges BACKROUND ON THE DEFENDANTS AND RELATED ENTITIES I At all times relevant to this Indictment Team and Mersad Co Mersad were private computer security companies based in the Islamic Republic of Iran Iran that performed work on behalf of the Iranian Government including the Islamic Revolutionary Guard Corps which is one of several entities within the Iranian Government responsible for Iranian intelligence 2 At certain times relevant to this Indictment AHMAD FATHI HAMID FIROOZI and AMIN SHOKOHI the defendants collectively the Team Defendants were experienced computer hackers who worked for Team 3 At certain times relevant to this Indictment SADEGH AHMADZADEGAN a k a NitrOjen26 OMID GHAFFARINIA a k a SINA KEISSAR and NADER SAEDI a k a Turk Server the defendants collectively the Mersad Defendants were experienced computer hackers who worked for Mersad BACKGROUND ON DDOS ATTACKS 4 In general a distributed denial of service attack is a type of cyberattack in which a malicious actor seeks to overwhelm and thereby disable the victim s Internet accessible computer servers through one of several means 5 In preparing for a attack the malicious actor typically compromises and gains remote control of computers and computer servers by placing malicious software or malware on them The malicious actor often collects hundreds or thousands of such compromised computers and servers which are described individually as bots and collectively as a botnet Once the malicious actor has gained control over the botnet he can direct the computers or servers comprising the botnet to carry out computer network attack and computer network exploitation activity including attacks 6 In conducting a attack the malicious actor can for example remotely command the botnet to flood the victim server with electronic communications in order to overwhelm the server s resources As a result of this type of attack the victim server becomes unable to receive and maintain connections from legitimate Internet traffic and is thereby disabled during the duration of the attack THE U S FINANCIAL INDUSTRY DDOS ATTACKS 7 At certain times relevant to this Indictment the Team_Defendants and Mersad Defendants conducted extensive computer network exploitation and computer network attacks against victim corporations in the United States These included among other things a large scale coordinated campaign of attacks against U S financial institutions and other corporations in the financial sector including institutions based in the Southern District of New York the Financial Industry Attacks intended to undermine the business of those companies In particular through the U S Financial Industry Attacks the defendants variously disabled and attempted to disable computer servers belonging to these corporations in an effort to prevent the corporations from conducting business with customers online during the-course of the attacks including among other things providing online banking services and other information to customers 8 After they began in approximately December 2011 the U S Financial Industry Attacks occurred on a sporadic basis until September 2012 when they escalated in frequency and occurred on a near weekly basis and typically between Tuesdays and Thursdays during normal business hours in the United States through in or about May 2013 During the course of this coordinated campaign victims computer servers were hit with as much as approximately 140 Gigabits of data per second which depending on the victim_institution was up to as much as three- times the entire operating capacity of a victim institution s servers The U S Financial Industry DDOS Attacks impacted at a minimum approximately 46 major financial institutions and other financial sector corporations in the United States over a total of at least approximately 176 days of attacks On certain days during these attacks hundreds of thousands of customers were unable to access their bank accounts online As a result of these attacks those victim institutions incurred tens of millions of dollars in remediation costs as they worked to mitigate and neutralize the attacks on their computer servers 9 As set forth below the Team Defendants and the Mersad Defendants each facilitated part of the U S Financial Industry Attacks using their own botnets and computer network infrastructure The attacks were coordinated in timing targets technique and nature THE ITSEC TEAM CYBER INTRUSIONS AND DDOS ATTACKS 10 Starting at least in or about December 2011 up to and including at least in or about December 2012 AHMAD FATHI HAMID FIROOZI and AMIN SHOKOHI the defendants and their co conspirators planned and executed certain of the 0 8 Financial Industry Attacks including attacks targeting Bank of America N A Bank of America NASDAQ New York Stock Exchange Capital One Bank N A Capital One ING Bank Branch Banking and Trust Company Fidelity National Information Services 0 8 Bank N A Bank and PNC Bank In addition as set forth below FATHI FIROOZI SHOKOHI and their co conspirators carried out a series of attacks against Inc in or about August 2012 The Team Defendants 11 At all times relevant to this Indictment AHMAD FATHI the defendant was the leader of the Team Defendants In that capacity among other things FATHI was responsible for supervising and coordinating Team s participation in the attacks against the 0 8 financial sector and As the leader of TEAM FATHI was responsible for managing computer intrusion and cyberattack projects being conducted on behalf of the Government of Iran 12 At certain times relevant to this Indictment HAMID FIROOZI the defendant was a network manager at Team In that role as set forth below FIROOZI procured computer servers in the United States and elsewhere for Team s botnet that were used to coordinate and direct the U S Financial Industry Attacks 13 At certain times relevant to this Indictment AMIN SHOKOHI the defendant was a computer hacker who worked for Team Among other things SHOKOHI helped to build the Team botnet used in the U S Financial Industry Attacks and created malware used to direct the botnet to engage in those attacks During the time in which he worked in support of the U S Financial Industry DDOS Attacks SHOKOHI received credit for his computer intrusion work from the Iranian Government towards completion of his mandatory military service in Iran Means and Methods of the Conspiracy With Respect to Team's U S Financial Industry Attacks l4 AHMAD FATHI HAMID FIROOZI and AMIN SHOKOHI the defendants and their co-conspirators planned and participated in the U S Financial Industry Attacks against the victims listed above as follows a Among other things with knowledge SHOKOHI and other comconspirators built the Team botnet used in the attacks of the victim institutions Specifically by scanning the Internet they identified computers and computer servers running versions of pOpular website content management software that had not been updated to address certain known security vulnerabilities FATHI SHOKOHI and other co conspirators subsequently obtained unauthorized access to thousands of such computers and computer servers some of which were located within the United States Thereafter the co conspirators installed on the compromised computers and computer servers malicious software authored by SHOKOHI and others which gave them remote access to and control of these compromised machines which together constituted the Team botnet used in the U S Financial Industry Attacks and the attacks targeting b In addition to building the botnet FATHI SHOKOHI and their co conspirators authored and obtained malicious computer scripts that were designed to cause computers to execute specific types of attacks attack scripts and installed them on the compromised computers within the Team botnet used to execute the attacks c To coordinate the botnet s activity FIROOZI directed others to lease computer servers in the United States and elsewhere servers which FIROOZI and FATHI could then access and control to serve as command and control or servers for the attacks The C2 servers transmitted commands to the compromised computers within the Team botnet to execute the attack scripts in order to overwhelm and disable the targeted victim computer servers Further and among other things the defendants and their co conspirators used these C2 servers to perform online surveillance of victims servers prior to the attacks and to monitor the impact of the attacks on the victims servers STATUTORY ALLEGATIONS 15 From at least in or about December 2011 up to and including at least in or about December 2012 in the Southern District of New York and elsewhere AHMAD FATHI HAMID FIROOZI and AMIN SHOKOHI the defendants who will first be brought to the Southern District of New York and others known and unknown willfully and knowingly combined conspired confederated and agreed together and with each other to engage in computer hacking and to aid and abet the same in violation of Title 18 United States Code Sections 1030 a 5 part and an object of the conspiracy that AHMAD FATHI HAMID FIROOZI and AMIN SHOKOHI the defendants and others known and unknown willfully and knowingly would and did cause the transmission of a program information code and command and as a result of such conduct would and did intentionally cause damage without authorization to a protected computer which would and did cause a loss including loss resulting from a related course of conduct affecting one and more other protected computers aggregating to at least $5 000 to one and more persons during any one year period and caused damages affecting ten or more protected computers during any one year period and would and did aid and abet such unauthorized access in violation of Title 18 United States Code Sections 1030 a k5 A 1H1 C 4 A VI and 2 Title 18 United States Code Sections 1030 b and 2 Title 18 United States Code Section 3238 COUNT TWO CONSPIRACY T0 COMMIT COMPUTER BACKING MERSAD The Grand Jury further charges 17 The allegations in paragraphs I and 3 through 9 of this Indictment are repeated and realleged as though fully set forth herein THE MERSAD DDOS ATTACKS 18 As set forth below from at least in or about September 2012 up to and including at least in or about May 2013 the Mersad Defendants and their co conspirators participated in the U S Financial Industry Attacks In 9 particular as described below the Mersad Defendants and their coeconspirators executed approximately 150 days of coordinated attacks against at least approximately 24 U S financial sector corporations including Ally Bank American Express Ameriprise Bank of America Bank of Montreal Banco Nilbao Vizyana Argentaria Capital One J P Morgan Chase Bank Citibank N A Citizens Bank Fifth Third Bank FirstBank HSBC Key Bank NYSE PNC Regions Bank State Street Bank SunTrust Bank Union Bank N A US Bank Wells Fargo and Zions First National Bank Background on Mersad and the Mersad Defendants 19 Mersad was founded in or about early 2011 by members of Iran based computer hacking groups Sun Army and Ashiyane Digital Security Team including SADEGH AHMADZADEGAN a k a NitrOjen26 and OMID a k a the defendants Sun Army and ADST have publicly claimed responsibility for performing network attacks on computer servers of the United States Government and ADST has publicly claimed to perform computer hacking work on behalf of the Government of Iran As Sun Army members AHMADZADEGAN and GHAFFARINIA claimed responsibility for hacking into computer servers belonging to the National Aeronautics and Space Administration and the defacement of approximately nine NASA websites in or about February 2012 10 20 At all relevant times in addition to being a co founder of Mersad and a computer hacker associated with Sun Army and ADST SADEGH AHMADZADEGAN a k a NitrOjen26 the defendant was responsible for managing the Mersad botnet used in the 0 8 Financial Industry Attacks AHMADZADEGAN also provided training to Iranian intelligence personnel 21 At all relevant times in addition to being a co- founder of Mersad and a former computer hacker with Sun Army and ADST OMID GHAFFARINIA a k a the defendant created malicious computer code that remotely compromised computer servers to support building the Mersad botnet which was used to conduct computer network intrusions and cyberattacks including the U S Financial Industry Attacks GHAFFARINIA has also claimed to have successfully performed computer intrusions on thousands of computer servers based in the United States the United Kingdom and Israel 22 At all relevant times NADER SAEDI a k a Turk Server the defendant was an employee of Mersad and a former computer hacker with Sun Army who has expressly touted himself as an expert in DDOS attacks As an employee of Mersad SAEDI wrote computer scripts used to locate and exploit vulnerable servers to help build the Mersad botnet used in the U S Financial Industry Attacks ll 23 At all relevant times SINA KEISSAR the defendant was an employee of Mersad In that capacity KEISSAR procured U S based computer servers used by Mersad to access and manipulate the Mersad botnet used in the U S Financial Industry attacks KEISSAR also performed preliminary testing of the same botnet prior to its use in the U S Financial Industry Attacks Means and Methods of the Conspiracy 24 SADEGH AHMADZADEGAN a k a NitrOjen26 OMID GHAFFARINIA a k a NADER SAEDI a k a Turk Server and SINA KEISSAR the defendants and their co conspirators planned and assisted in the U S Financial Industry Attacks against the victims listed above as follows a AHMADZADEGAN GHAFFARINIA SAEDI KEISSAR and their co conspirators built the Mersad botnet by obtaining unauthorized access to and compromising thousands of computers and computer servers some of which were located in the United States AHMADZADEGAN GHAFFARINIA SAEDI and KEISSAR also developed malware and computer scripts which they installed on the compromised computers and computer servers that constituted the Mersad botnet which allowed for remote access and control of the compromised computers b Thereafter AHMADZADEGAN GHAFFARINIA SAEDI and KEISSAR placed malicious computer scripts on the 12 compromised computers and computer servers within the botnet which performed several functions during the U S Financial Industry Attacks including but not limited to directing malicious internet traffic to overwhelm and disable targeted victim servers and sending instructions to other compromised computers and computer servers within the botnet to execute attacks against victim servers STATUTORY ALLEGATIONS 25 From at least in or about September 2012 up to and including at least in or about May 2013 in the Southern District of New York and elsewhere SADEGH AHMADZADEGAN a k a NitrOjen26 OMID GHAFFARINIA a k a NADER SAEDI a k a Turk Server and KEISSAR the defendants who will first be brought to the Southern District of New York and others known and unknown willfully and knowingly combined conspired confederated and agreed together and with each other to engage in computer hacking and to aid and abet the same in violation of Title 18 United States Code Sections 1030 a 5 part and an object of the conspiracy that SADEGH AHMADZADEGAN a k a NitrOjen26 OMID GHAFFARINIA a k a NADER SAEDI a k a Turk Server and SINA KEISSAR the defendants and others known and unknown willfully and knowingly would and did cause the transmission of a program information code and command and as a result of such conduct 13 would and did intentionally cause damage without authorization to a protected computer and would and did aid and abet the same which would and did cause a loss including loss resulting from a related course of conduct affecting one and more other protected computers aggregating to at least $5 000 to one and more persons during any one year period and caused damages affecting ten or more protected computers during any one year period in Violation of Title 18 United States Code Sections 1030 a 5 A 1030 Title 18 United States Code Sections 1030 b and 2 Title 18 United States Code Section 3238 COUNT THREE UNAUTHORIZED ACCESS TO A PROTECTED COMPUTER HAMID FIROOZI The Grand Jury further charges INTRUSION INTO THE SERVER CONTROLLING A NEW YORK DAM 27 Between at least on or about August 28 2013 and at least on or about September 18 2013 HAMID FIROOZI the defendant repeatedly obtained unauthorized remote access to a computer which controlled the supervisory control and data acquisition system for the Bowman Dam a dam located in Rye New York Access to the SCADA system for the Bowman Dam allowed FIROOZI to repeatedly obtain information regarding the status and operation of the Bowman Dam including among other 14 things information regarding water levels and temperature and the status of the sluice gate which is responsible for controlling water levels and flow rates Although access to the SCADA system typically would have also permitted FIROOZI to remotely operate and manipulate the sluice gate on the Bowman Dam unbeknownst to FIROOZI the sluice gate control had been manually disconnected for maintenance issues prior to the time FIROOZI gained access to the systems STATUTORY ALLEGAT ION 28 From at least on or about August 28 2013 and on or about September 18 2013 in the Southern District of New York and elsewhere HAMID FIROOZI the defendant willfully and intentionally accessed a protected computer without authorization and as a result of such conduct would and did recklessly cause damage and would and did aid and abet the Isame which would and did cause a loss including loss resulting from a related course of conduct affecting one or more other protected computers aggregating to at least $5 000 in value during any one year period and would and did attempt to cause a threat to public health or safety to wit FIROOZI from a computer in Iran accessed without authorization the SCADA system for the Bowman Dam a dam located in Rye New York and obtained information regarding the status and operation of 15 controls for the dam and caused over $30 000 in remediation costs Title 18 United States Code Sections 1030 a 5 B and 2 FORFEITURE ALLEGATION 29 As a result of committing one or more of the offenses alleged in Counts One through Three of this Indictment AHMAD FATHI HAMID FIROOZI AMIN SHOKOHI SADEGH AHMADZADEGAN a k a NitrOjen26 OMID GHAFFARINIA a k a NADER SAEDI a k a Turk Server and SINA KEISSAR the defendants shall forfeit to the United States pursuant to 18 0 8 0 ss 982ta 2 s and 1030 i 1 the defendants interests in any personal property that was used or intended to be used to commit or facilitate the commission of such offenses and any property yconstituting or derived from proceeds obtained directly or indirectly as a result of one or both of the said offenses including but not limited to a sum of money representing the amount of proceeds obtained as a result of one or both of the said offenses SUBSTITUTE ASSETS PROVISION 30 If any of the above described forfeitable property as a result of any act or omission of the defendants a cannot be located upon the exercise of due diligence l6 b has been transferred or sold to or deposited with a third person c has been placed beyond the jurisdiction of the Court d has been substantially diminished in value or e has been commingled with other property which cannot be subdivided without difficulty it is the intent of the United States pursuant to 18 U S C 982 b 1 and 21 U S C 853 p to seek forfeiture of any other property of said defendants up to the value of the above forfeitable property Title 18 United States Code Sections 982 a 2 B and and Title 21 United States Code Section PM PREET BHARARA - United States Attorney 17 UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK UNITED STATES OF AMERICA v - AHMAD FATHI HAMID FIROOZI AMIN SADEGH AHMADZADEGAN a k a NitrOjen26 OMID GHAFFARINIA a k a SINA KEISSAR and NADER SAEDI a k a Turk Server Defendants INDICTMENT 16 Cr Title 18 United States Code Sections 1030 b 2 1030 a 5 B and 2 PREET BHARARA United States Attorney A TRUE BILL tar '3 '741 1 Hh Foreperson