The U.S. Department of Justice (the “DOJ”) has unsealed an indictment accusing nine Iranian nationals of engaging in a “massive and brazen cyber assault” against at least 176 universities, 47 private companies and 7 government agencies and non-governmental organizations, including the Federal Energy Regulatory Commission (“FERC”). According to the DOJ, the nationals worked for Mabna Institute, an Iran-based company, as “hackers for hire,” stealing login credentials and other sensitive information to sell within Iran and for the benefit of the Iranian government.
The indictment notes that the nationals used a number of tactics to gain unauthorized access to systems, including: (1) sending spear phishing emails customized using publicly available information about the recipients; (2) obtaining stolen credentials to access accounts; and (3) “password spraying,” whereby the nationals would collect lists of names and email addresses through Internet searches and attempt to gain access to accounts through commonly used passwords.
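A defender-side sketch of how the password spraying pattern described above shows up in authentication logs, contrasted with a single-account brute force and an ordinary mistyped password. This is an added example, not taken from the indictment or the DOJ; the log format, account names, IP addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, source IP, account, outcome); format and values are assumptions.
SAMPLE_LOG = """\
2018-03-01T09:00:05 203.0.113.7 asmith FAIL
2018-03-01T09:01:05 203.0.113.7 bjones FAIL
2018-03-01T09:02:05 203.0.113.7 clee FAIL
2018-03-01T09:03:05 203.0.113.7 dkim FAIL
2018-03-01T09:04:05 203.0.113.7 epatel FAIL
2018-03-01T09:05:05 203.0.113.7 fwong FAIL
2018-03-01T09:06:05 203.0.113.7 gnguyen OK
2018-03-01T09:10:00 198.51.100.20 asmith FAIL
2018-03-01T09:10:02 198.51.100.20 asmith FAIL
2018-03-01T09:10:04 198.51.100.20 asmith FAIL
2018-03-01T09:15:00 192.0.2.15 bjones FAIL
2018-03-01T09:15:20 192.0.2.15 bjones OK
"""

def parse(log):
    events = []
    for line in log.splitlines():
        ts, src, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, user, outcome == "OK"))
    return sorted(events)

def detect_spraying(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Flag sources whose failures fan out over many accounts, few tries each."""
    fails = defaultdict(list)
    for ts, src, user, ok in events:
        if not ok:
            fails[src].append((ts, user))
    findings = {}
    for src, rows in fails.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:  # slide the time window
                start += 1
            tries = defaultdict(int)
            for _, user in rows[start:end + 1]:
                tries[user] += 1
            if (len(tries) >= min_accounts and max(tries.values()) <= max_per_account
                    and len(tries) > len(findings.get(src, []))):
                findings[src] = sorted(tries)  # keep the widest fan-out seen
    return findings

def successful_logins_from(events, findings):
    """Accounts with a successful login from a flagged source: review and reset these first."""
    return {src: sorted({u for _, s, u, ok in events if ok and s == src}) for src in findings}
```

Per-account lockout counters miss this pattern because each account sees only one or two failures, so the grouping has to be by source across accounts.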
While the indictment states that the attacks by the nationals cost U.S.-based universities over $3.4 billion in academic and intellectual property theft, the DOJ did not indicate whether sensitive information was stolen from FERC. Notably, FERC collects information from across the energy sector regarding critical infrastructure, called “Critical Electric/Energy Infrastructure” (“CEII”). In late 2015, Congress required FERC to publish regulations enhancing protection for CEII from disclosure, though it did not specifically direct FERC to increase security for CEII. FERC published these regulations in December 2016.