A federal grand jury indicted two Iranian men accused of holding the Colorado Department of Transportation's information systems hostage at the start of this year as part of a vast international computer hacking and extortion scheme.
The malware has infected critical systems nationwide, including hospitals, and its operators have extorted more than 200 victims, who paid the attackers $6 million, according to federal authorities.
In February, according to federal court filings in New Jersey, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri gained access to the CDOT system and installed the SamSam ransomware on its computers.
Prosecutors say the two attackers, operating from Iran, demanded that CDOT pay a bitcoin ransom in exchange for the keys to decrypt the data, leading the agency to shut down 1,700 employee IT systems.
It took more than six weeks for state authorities to clean up the infected machines, at an estimated cost of $1.5 million to $2 million, said Deborah Blyth, head of information security for the state's Office of Information Technology.
"Today's indictment shows how seriously we take this kind of criminal activity. We want to thank the FBI for their cooperation and commitment in pursuing the bad actors who are responsible for these devastating cyber attacks," Blyth said.
Deputy Attorney General Rod Rosenstein said at a press conference on Wednesday that the defendants "tried to shut down critical transportation infrastructure".
"Publicly revealing this nefarious hacking scheme makes it harder for the perpetrators, and others like them, to do business in the future," he said. "Following the indictment, the defendants are now fugitives from justice, facing arrest and extradition to the United States in the many nations that honor the rule of law."
The two men began targeting computer security vulnerabilities in various organizations around December 2015. Once inside, they installed and ran the SamSam ransomware, which encrypts data, and demanded bitcoin if the victims wanted their data back.
SamSam infected CDOT computers on February 21, starting with a single machine, Blyth said. That particular machine was one the agency was using to test a new business process.
It had not been configured to current security standards, since it was supposed to be online for only a short period, she said.
But the malware spread immediately to 1,300 employee computers plus 400 servers, all running Windows, on the same day. Employees were told to turn off their computers to stop the spread.
"We got a pop-up window on everyone's computer screen that said it was encrypted. If you want to use your computer and decrypt it, you need to pay with bitcoin," Blyth said. "I think it gave us a seven-day time frame."
CDOT has chosen not to pay.
One reason was that the state had good digital backups, so it was confident it could restore any tampered data. It also had a segmented network, so when one group of computers was hit, the infection did not spread to other departments or agencies. That is why the computers that control traffic lights and other road systems in Colorado were not affected.
But another reason not to pay?
"We did not want to pay criminals and finance criminal activity, and we did not want to set a precedent so they could feel like if they went after the public sector, they could get paid," Blyth said. "(Paying) seemed like it would be the worst decision we could have made."
But some organizations attacked by SamSam have chosen to pay.
Hancock Health, in Indiana, paid $55,000 to recover files that included patient records, according to a story by The Greenfield Reporter. The attackers renamed more than 1,400 files to "I'm sorry" and gave the hospital seven days to pay, or the files would be deleted.
Paying to get important data back is discouraged by the authorities, but it is a difficult choice for business owners, said Steven Fulton, director of the Center for Information Assurance Studies at Regis University.
"We do not know who these people are and we do not know what these people are doing with the money, but it's one thing if they're trying to feed their families, and it's another thing if they're trying to start another bad enterprise," he said. "Every minute your computer does not work, you're losing money, and I understand and appreciate this, but if your system is not backed up, you're starting at ground zero and it will cost you a lot to get going again."
When SamSam broke out in the city of Atlanta, it knocked out the computer systems that residents used to pay traffic tickets, report graffiti and access Wi-Fi at the airport, according to the New York Times. The city's systems were out for days.
Federal prosecutors claim that, in all, the Iranians caused their victims $30 million in losses.
Colorado did not pay a cent to the attackers, but the incident still cost the state money.
Blyth says there were costs for overtime, for the Colorado National Guard, and for food and other expenses. The staff working on the response grew from 24 IT employees to almost 150 at its peak. And that does not include the inconvenience to employees who did not have access to their computers.
The outage meant that employees could not get into their email, time sheets or the financial systems used to pay vendors. But workarounds were found. Employees used personal devices to check email because the Internet-based systems were not affected.
Now that it's over, Blyth is glad to have contacted the FBI and built partnerships with commercial security companies, local cybersecurity experts and technology professionals at other agencies. Her team also decided to accelerate the implementation of other security projects already under way.
"I probably think about it every day, since it was such a big event; it influenced my work and my personal life," said Blyth, who received a courtesy notification of the federal charges on Tuesday. "(The indictment) was a pleasant surprise."
According to the federal indictment, the other SamSam victims included the Port of San Diego, the cities of Atlanta and Newark, New Jersey, and various health care facilities. In all, there were more than 200 victims in 10 states and in Canada.
Savandi and Mansouri, working from Iran, searched for targets online and used network scanning techniques to find vulnerable computers. The attacks occurred outside normal business hours, which made immediate mitigation more difficult. And the attacks continued, with the last alleged incident occurring on September 25, according to the indictment.
By targeting specific victims, the two attackers were able to make a greater impact, said Jason Davison, an advanced threat research analyst for Webroot in Broomfield.
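Two of the details in this account translate directly into cheap detections a defender can run over audit logs: remote logons that start outside business hours, and a burst of file renames from one host in a short window (the mass "I'm sorry" renames described at Hancock Health). The script below is an added illustration, not code from the article or from CDOT, Webroot or any other party it describes. The log line format, the sample lines and the thresholds are all constructed assumptions for this example; in practice the parser would be pointed at Windows file-server object-access and logon audit events, and the thresholds tuned to the environment's baseline.

```python
"""Off-hours logon and rename-burst detection over constructed audit log lines.

Assumed (constructed) log format, one event per line:
    <ISO-8601 timestamp> <host> <user> <action> <path-or-dash>
Actions used here: LOGON_REMOTE, RENAME.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Assumed business hours and burst thresholds; tune per environment.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(18, 0)
RENAME_WINDOW = timedelta(seconds=60)
RENAME_THRESHOLD = 20  # renames from one host inside RENAME_WINDOW


def build_sample_log():
    """Constructed sample data: a late-night remote logon on a test server
    followed by 25 renames in 25 seconds, then normal daytime activity."""
    lines = ["2018-02-20T23:41:02 srv-test01 svc_admin LOGON_REMOTE -"]
    base = datetime(2018, 2, 20, 23, 42, 0)
    for i in range(25):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} srv-test01 svc_admin RENAME C:\\Shares\\finance\\doc{i:03d}.xlsx")
    lines += [
        "2018-02-21T09:15:00 ws-0042 jdoe LOGON_REMOTE -",
        "2018-02-21T09:20:03 ws-0042 jdoe RENAME C:\\Users\\jdoe\\draft.docx",
        "2018-02-21T11:02:44 ws-0042 jdoe RENAME C:\\Users\\jdoe\\final.docx",
    ]
    return "\n".join(lines)


def parse(text):
    """Parse log text into a list of event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, action, path = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "action": action, "path": path})
    return events


def is_off_hours(ts):
    """True on weekends or outside BUSINESS_START..BUSINESS_END."""
    if ts.weekday() >= 5:  # Saturday = 5, Sunday = 6
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def off_hours_logons(events):
    """Remote logons that began outside business hours."""
    return [e for e in events if e["action"] == "LOGON_REMOTE" and is_off_hours(e["ts"])]


def rename_bursts(events, window=RENAME_WINDOW, threshold=RENAME_THRESHOLD):
    """Sliding-window count of renames per host.

    Returns one (host, window_start, peak_count) tuple per host whose peak
    count inside any `window` reaches `threshold`."""
    by_host = defaultdict(list)
    for e in events:
        if e["action"] == "RENAME":
            by_host[e["host"]].append(e["ts"])
    alerts = []
    for host, stamps in by_host.items():
        stamps.sort()
        left, peak, peak_start = 0, 0, None
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window:  # shrink window from the left
                left += 1
            count = right - left + 1
            if count > peak:
                peak, peak_start = count, stamps[left]
        if peak >= threshold:
            alerts.append((host, peak_start, peak))
    return alerts


def main():
    events = parse(build_sample_log())
    for e in off_hours_logons(events):
        print(f"[off-hours logon] {e['ts']} {e['user']}@{e['host']}")
    for host, start, count in rename_bursts(events):
        print(f"[rename burst] {host}: {count} renames within "
              f"{RENAME_WINDOW.total_seconds():.0f}s starting {start}")


if __name__ == "__main__":
    main()
```

Both checks are deliberately simple so they can run on a log forwarder without a SIEM; the rename-burst count is the signal most likely to fire before a ransom note appears, while the off-hours logon is a lower-confidence lead that is mainly useful for correlating against the same host.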
"This approach is much more selective than other modern methods of malware distribution," said Davison. "Once access to the network was achieved, the threat actors conducted internal reconnaissance of their target organization and further profiled their victims before deploying SamSam and extorting the target. We should expect to see more attacks following this trend of victim profiling and highly targeted attacks."
Local IT security experts say the thieves were caught because of the way they cashed out their bitcoins: they used an ordinary cryptocurrency exchange.
"From official court documents, it appears that the criminals did not convert their bitcoins into Monero (an open-source and more discreet cryptocurrency) or another private-ledger cryptocurrency; they sent their bitcoins directly to the exchange," said Tyler Moffitt, senior threat research analyst at Webroot. "This seems like a stupid mistake, because you can track the transactions from the ransom address all the way to the exchange."
The US Department of Justice states that the indictment of Savandi, 34, and Mansouri, 27, follows a 34-month scheme that was investigated at the highest levels of federal law enforcement. Savandi and Mansouri have been charged with one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two substantive counts of intentional damage to a protected computer, and two substantive counts of transmitting a demand in relation to damaging a protected computer.
"The defendants chose to focus their scheme on public entities, hospitals and municipalities," said Rosenstein. "They knew that shutting down those computer systems could cause significant harm to innocent victims."