A massive data breach of Iranian banks that saw millions of customers’ debit card information published online may have been carried out by a foreign state, rather than by a local hacker, The New York Times reported Wednesday, citing a cybersecurity expert.
During recent rioting in Iran over a fuel price hike, hundreds of bank branches were burned. At the same time, details of millions of debit cards were published on social media after an attack that targeted three of Iran’s largest banks — Mellat, Tejarat and Sarmayeh.
All three of the banks were sanctioned over a year ago by the US Treasury for allegedly transferring money on behalf of entities of Iran’s Islamic Revolutionary Guard Corps, which was designated a terror organization by the Trump administration last April. None of the banks has issued a statement about the hack, but Iran’s information and telecommunications minister, Mohammad Javad Azari Jahromi, finally admitted to the breach on Sunday, the first official acknowledgement that anything had happened.
By Tuesday, information for some 15 million cards, representing about a fifth of the country’s population, had been leaked to the internet, in what was reportedly the largest hack in Iran’s history.
Jahromi denied that the banks had been hacked, saying the data theft was carried out by “a disgruntled contractor” as part of an extortion plot, the Times report said.
However, experts questioned the claim and said that such a large information breach was more likely to have been carried out by state actors aiming to generate further instability in Iran. Fearful customers may pull their money from the banks, which would have a long-term impact on the institutions.
Boaz Dolev, the CEO of ClearSky, an Israeli cybersecurity firm, assessed that those responsible had “high technological capability, which is usually at the hand of state intelligence services.”
On December 3 ClearSky warned Israeli credit card companies that the Iranians may try to counterattack if Tehran believes the hack was carried out by foreign powers.
Neither the White House nor the Israel Defense Forces commented on the report.
The hack first began to show up on November 27, when account information was published on Telegram, a mobile messaging app popular in Iran. The hackers wrote that they had demanded money from the banks to keep the information private but, since their demands were ignored, they were going to publish the card details. Hours later the information was posted.
The leaked data included account holder names and numbers, but the PIN codes for the cards were hidden. The messages also instructed readers on how to make forgeries of the cards.
Affected banks responded by contacting their clients, while the Iranian police unit in charge of cyber investigations sent out an email urging customers to have their cards replaced, the report said, citing a copy of the email published by Iranian media.
The attack came amid instability in Iran, where demonstrations began in mid-November after the government raised minimum gasoline prices. Amnesty International has said at least 208 people were killed as the regime suppressed the rioting, while the US has said as many as 1,000 may have been killed. During the violence Iran repeatedly accused the Western powers of stoking the unrest.
Both the US and Israel are believed to have carried out cyber-attacks on Iran in the past, and the Islamic Republic has hit back with its own assaults. In October the US reportedly conducted a cyber-attack against Iran in the wake of a cruise missile and drone strike on key Saudi oil facilities the month before, which many Western countries have blamed on the Islamic Republic.
Earlier in October, Microsoft said it believed that hackers linked to the Iranian government had been targeting a US presidential campaign, as well as government officials, media targets and prominent expatriate Iranians.
In June, cybersecurity firms said Iran had increased its cyber-attacks against the US government and critical infrastructure as tensions grew between the two nations.
Hackers believed to be working for the Iranian government have targeted US government agencies, as well as sectors of the economy, including oil and gas, sending waves of spear-phishing emails, according to representatives of cybersecurity companies CrowdStrike and FireEye, which regularly track such activity.
Iran has long targeted the US oil and gas sectors and other critical infrastructure, but those efforts dropped significantly after the nuclear agreement was signed in 2015. After Trump withdrew the US from the deal in May 2018, cyber experts say they have seen an increase in Iranian hacking efforts.
In 2010, the Stuxnet worm disrupted the operation of thousands of centrifuges at a uranium enrichment facility in Iran. Iran accused the US and Israel of trying to undermine its nuclear program through covert operations.
Iranian hackers in 2012 launched an attack against state-owned oil company Saudi Aramco, releasing the Shamoon wiper malware, which erased data on 30,000 computers and left an image of a burning American flag on screens.
In 2016, the US indicted Iranian hackers for a series of punishing cyber-attacks on US banks and a small dam outside of New York City.
Tensions have risen in the Persian Gulf since May 2018, when Trump unilaterally abandoned the nuclear deal between major powers and Iran and began reimposing crippling sanctions in a campaign of “maximum pressure.”
They flared again this May when Iran began reducing its own commitments under the deal and the US deployed military assets to the region.
Since then, ships have been attacked, drones downed and oil tankers seized. In September, twin attacks on Saudi oil infrastructure, which knocked out half the kingdom’s production, drew accusations of blame from Washington and Europe.
Tehran has denied any involvement in the attacks, which were claimed by Iran-backed rebels fighting a Saudi-led coalition in Yemen.