In an indictment unsealed on March 23, 2018, the Department of Justice (DOJ) brought criminal charges against nine Iranian nationals affiliated with the Mabna Institute in Iran, alleging computer intrusion, fraud, and aggravated identity theft.[1]  Prosecutors charged the defendants with conspiring to steal a massive amount of intellectual property from universities, private companies, and government institutions worldwide, obtaining more than 31 terabytes of data.  The defendants allegedly acted on behalf of the Islamic Revolutionary Guard Corps (IRGC), which is an arm of the Iranian government whose responsibilities include foreign operations and intelligence gathering.  In addition to the announced charges, the nine defendants and the Mabna Institute were also designated for sanctions by the Treasury Department, Office of Foreign Asset Control, pursuant to Executive Order 13694 “Blocking the Property of certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.”[2]

According to the DOJ press release, the Mabna Institute began a coordinated campaign of cyber intrusions in 2013 that targeted hundreds of U.S. and overseas universities, 47 domestic and foreign private sector companies, and several government entities, including the United States Department of Labor, the Federal Energy Regulatory Commission, the States of Hawaii and Indiana, and the United Nations.[3]  The affected private sector companies span a wide range of industries including technology, marketing, academic publishing, media, consulting, healthcare, law, and financial services.

The defendants used a variety of hacking methods, including spearphishing (emails designed to induce the recipient to unwittingly provide access to the recipient’s computer system, such as by providing account login credentials) and password spraying (obtaining access to victim company accounts by matching publicly-available email accounts with commonly-used and default passwords).  In addition to exfiltrating data stored in compromised accounts, the defendants set up rules that would automatically forward to the defendants all future emails sent to and from the compromised accounts.  The FBI issued an alert through its FBI Liaison Alert System (FLASH) that provides additional details on the specific attack methods and vulnerabilities exploited by the hackers.

The indictment underscores the substantial ongoing threat of cybercrime targeting the theft of intellectual property and highlights the difficulties in defending against advanced persistent threat attacks sponsored by nation states.  Cybercriminals will no doubt continue to target companies’ trade secrets and other intellectual “crown jewels,” and not just client data, subjecting the victim company to heightened risk of competitive losses should that intellectual property be shared with rivals.  As discussed in our memorandum on mitigating risk exposure from cyber-attacks, it is critical for companies to take prophylactic steps and employ cybersecurity and information technology defensive measures to limit the likelihood that cyber-actors will successfully obtain sensitive data and potentially limit liability and losses if such an attack occurs.  In addition, companies and institutions should maintain, update, and practice their cyber incident response plans to facilitate an effective response to any such attacks.

[1] Indictment, U.S. v. Rafatnejad, et al., 18 Cr. ___ (S.D.N.Y.), available at

[2]Treasury Sanctions Iranian Cyber Actors for Malicious Cyber-Enabled Activities Targeting Hundreds of Universities, DOT Press Release (Mar. 23, 2018) available at

[3]Nine Iranians Charged With Conducting Massive Cyber Theft Campaign On Behalf Of The Islamic Revolutionary Guard Corps, DOJ Press Release No. 18-089 (Mar. 23, 2018) available at