U.S. Charges 9 Iranians in Huge Theft of Intellectual Property

WASHINGTON — Nine Iranians stole secrets from U.S. government agencies, universities and companies in a yearslong cyberattack, federal law enforcement officials said Friday, calling out Tehran amid fears that the Trump administration will dismantle the Iran nuclear deal.

By KATIE BENNER and NICOLE PERLROTH, New York Times

The suspects worked as managers, contractors, associates and hackers for hire at the Mabna Institute, based in Iran, a contractor for the Iranian government working on behalf of the elite Islamic Revolutionary Guards Corps, which benefited from the sensitive information obtained in the hacking, the officials said.

The suspects live in Iran and will not be extradited; the United States and Iran have no diplomatic relations. Though they are unlikely to ever be arrested, the Justice Department has used indictments against foreign citizens to signal to outside powers that they have crossed a line, including the indictments against 13 Russians last month accusing them of interfering in the 2016 presidential campaign.

Because of the indictment, the Iranians will not be able to travel abroad without risk of arrest, and the Treasury Department also imposed sanctions on them as well as on the Mabna Institute.

“Hostile individuals, organizations and nation-states have taken note of our success,” Rod J. Rosenstein, the deputy attorney general, said at a news conference Friday. “They increasingly attempt to profit from America’s ingenuity by infiltrating our computer systems, stealing our intellectual property and evading our controls on technology exports.”

The hacking case comes at a tenuous time for the fragile relationship between the United States and Iran. The Trump administration is threatening to withdraw from the Iran nuclear deal, the accord reached in 2015 between Iran and six world powers that limited nuclear programs in exchange for sanctions relief.

President Donald Trump has said that he wants to impose harsh sanctions on Iran, a move that could compel Iran to leave the agreement.

Security experts worry that if Trump follows through on his threats to dismantle the agreement — he announced Thursday that John R. Bolton, an opponent of the deal, would be his next national security adviser — U.S. companies will be targeted in an increasing number of cyberattacks from Iran.

“The nuclear deal imposed a constraint on them and when the deal goes away, so does their constraint,” said James A. Lewis, a digital security expert at the Center for Strategic and International Studies, a Washington think tank.

Targets could include critical infrastructure in the United States, not unlike the attacks on Saudi petrochemical companies over the past year that experts at Symantec suspect were the work of Iran.

The Iranian government first employed online breaches to combat domestic political opposition and then turned its focus overseas in a series of escalating attacks on private companies in the United States and its allies, according to multiple reports by U.S. intelligence officials and private digital security firms. Private security researchers and intelligence officials who have tracked Iranian cyberactivity say the country has increasingly relied on proxy forces — a mix of contractors, volunteers, patriotic hackers and engineers at Iranian universities, and even its religious schools — to strike at Iran’s geopolitical enemies.

“Relying on these irregulars and contractors gives the state some semblance of deniability,” Lewis said.

Over the past five years, Iranian hackers demonstrated increasing sophistication, with a spate of attacks that took down the online banking websites of some dozen U.S. banks in late 2012. That same year, government officials and private researchers at CrowdStrike tied Iranian hackers to a digital strike at Saudi Aramco, the world’s biggest oil company, which wiped data on some 30,000 Aramco machines, replacing it with an image of a burning American flag.

Less than two years later, Iranian hackers pulled off a similar feat at the Sands Hotel and Casino in Las Vegas, after its owner, Sheldon Adelson, advocated a nuclear strike on Iran. The hackers deployed malware that brought the casino’s operations to a halt, wiped data off its machines, replaced websites with a photograph of Adelson with Prime Minister Benjamin Netanyahu of Israel and signed their online screeds the “Anti W.M.D. Team.”

But security experts note that Iranian attacks have dropped off since the signing of the nuclear deal. “They’ve been on their best behavior because of the nuclear deal,” Lewis said. “To avoid having the nuclear deal collapse, they have not been willing to risk it.”

But on Friday, the government said that a new group of hackers stole innovative work and intellectual property from the computer systems of 144 U.S. universities, the Labor Department, the Federal Energy Regulatory Commission and the states of Hawaii and Indiana.

They also infiltrated the United Nations, 176 universities in 21 countries, and dozens of domestic and foreign companies, some in banking, health care and the law, the officials said.

In a scheme that continued for more than four years, the Mabna Institute is accused of stealing more than 31 terabytes of academic data and intellectual property, as well as the contents of employee email accounts. The hackers sent phishing emails to unsuspecting people, who gave them access to their computers after opening those emails.

The scheme “should send a message around the world about Iran’s continued deceptive practices,” Sigal P. Mandelker, the Treasury Department’s undersecretary for terrorism and financial intelligence, said during the news conference.

Copyright 2024 New York Times News Service. All rights reserved.