Iran Says It Was Hit With ‘Very Big’ Cyberattack


Iran’s government has acknowledged that it faced a “very big” cyberattack, following a report in The New York Times this week that information from 15 million Iranian bank accounts was stolen and published online after widespread street protests were crushed in November.

Iran’s telecommunication minister, Mohammad Javad Azari Jahromi — who had previously dismissed the bank-account theft as an insider extortion plot — said the attack had been state sponsored, but he offered no evidence to back up the claim. He said details and the country deemed responsible would be revealed after investigations had been completed.

Mr. Azari Jahromi said Iran’s cybersecurity unit had thwarted the attack, making no direct mention of the compromised bank accounts.

“We faced a very well-coordinated state-sponsored cyberattack on the government’s digital infrastructure,” Mr. Azari Jahromi told reporters in Tehran on Wednesday. “It was a very big attack.”

He made the announcement the same day that Telegram, the popular phone app widely used in Iran, shut down the channel where the bank account details had been revealed for all to see.

The Telegram channel was created on Nov. 27 and until Dec. 5 had been home to the uploaded names and details for debit cards tied to the accounts of millions of Iranians who are clients of three banks — Mellat, Tejarat and Sarmayeh.

All three were the target of United States sanctions a year earlier over what American officials described as prohibited financial transfers done on behalf of Iran’s Islamic Revolutionary Guards Corps.

“We routinely close down channels which publish personal data like passport scans or credit card numbers,” said Markus Ra, spokesman for Telegram. This channel was closed, he said, when a user reported it to the company after the publication of The Times article.

A week earlier, Mr. Azari Jahromi had characterized the breaching of the bank accounts as the act of a disgruntled former contractor he said had obtained access to the information and was using it for extortion. As of Thursday, the banks had not issued a public statement about the breached accounts.

But it appeared the problem continued even after the channel was erased from Telegram.

Some Iranians posted screenshots of emails they had received from accounts with addresses identical to the customer service departments at two of the banks. The emails showed the account holders’ personal identification details and warned them: “We are in control of your bank information and your bank is lying to you.”

The emails advised these customers to take immediate action but did not specify what it should be. One Iranian said on Twitter that some of these emails contained an attachment file with the numbers of millions of leaked accounts.

An Iranian cybersecurity expert based in New York, Amir Rashidi, said he had traced the emails to a server in Germany.

Cybersecurity experts said that a breach of this magnitude could have been the work of a state actor, although there have been sophisticated attacks on Western banking systems that turned out to be organized by criminal groups.

They also said there was always the possibility that the attack had been the work of an insider.

Iranian media said the attack was the largest banking security breach in Iran’s history.

While there is constant cyberconflict between the United States and Iran, American financial institutions and the Federal Reserve have long been leery of offensive actions by the United States government against other countries’ financial systems. They fear that might legitimize reprisals against American accounts.

For Iran, the breach is the latest in a wave of challenges.

In the past month, Iran announced it was facing a significant budget deficit because of American economic sanctions, it crushed nationwide demonstrations with a deadly response that has been widely criticized, and it contended with growing regional resentment. That is especially the case in Iraq, where Iran has exerted significant influence.

Experts said that the bank breach, at the very least, could create a crisis of public trust with the country’s financial institutions.

Boaz Dolev, chief executive of ClearSky, a cybersecurity company that was among the first outside Iran to spot the banking breach, said he believed the affected banks had deliberately kept quiet. Mr. Dolev speculated that the banks did not cancel the accounts “because they do not want to panic the public or they will find it very difficult to issue new cards.”

In Israel — which, like the United States, has engaged in cyberconflict with Iran — news about the banking breach raised suspicions that Iran might blame Israel and take revenge. An Israeli banking official said two of the country’s biggest banks on Wednesday raised their cyberattack warnings to “top alert.”

A Middle Eastern intelligence official who tracks Iran and opposes its foreign policy said that over the past week top Iranian intelligence agencies, including the large cyberunit inside Iran’s Ministry of Intelligence, had been trying to track down the source of the banking breach and those behind the creation of the now-erased Telegram channel.

The official, who spoke on the condition of anonymity to discuss intelligence matters, said the security authorities in Iran were taking a serious stance on the breach and believe it had increased the potential for a renewed flare-up of antigovernment demonstrations, given the “damage to many citizens and the regime’s failure to prevent such information leaks.”

David E. Sanger contributed reporting.