Google Search Technique Aided N.Y. Dam Hacker in Iran
An Iranian charged with hacking the computer system that controlled a New York dam used a readily available Google search process to identify the vulnerable system, according to people familiar with the federal investigation.
The process, known as “Google dorking,” isn’t as simple as an ordinary online search. Yet anyone with a computer and Internet access can perform it with a few special techniques. Federal authorities say it is increasingly used by hackers to identify computer vulnerabilities throughout the U.S.
Hamid Firoozi, who was charged Thursday by federal prosecutors, stumbled onto the Bowman Avenue Dam in Rye Brook, N.Y., in 2013 by using the technique to identify an unprotected computer that controlled the dam’s sluice gates and other functions, said people briefed on the investigation. Once he identified the dam, he allegedly hacked his way in using other methods.
“He was just trolling around, and Google-dorked his way onto the dam,” one person familiar with the investigation said.
The search technique has been around for about 10 years, said cybersecurity experts, and is neither illegal nor always malicious. It is primarily used by “white hat hackers,” computer specialists who test an organization’s computer system for vulnerabilities, said Michael Bazzell, a former computer crime investigator for the Federal Bureau of Investigation.
“You can look for hardware online that you can access without a password, or for a certain type of login portal,” said Mr. Bazzell, now a cybersecurity consultant. “It’s very effective.”
The technique is also used by criminal hackers, said John Carlin, assistant attorney general for national security and the Justice Department’s top national security attorney, in an interview.
Google Inc. didn’t respond to requests for comment.
The Justice Department last week accused Mr. Firoozi and six other Iranian hackers of attacking the U.S. financial system, in what was the first public indictment against hackers tied to the Iranian government. The seven defendants worked for two private computer-security companies that performed work for the Iranian government, including the Islamic Revolutionary Guard Corps, Iran’s elite military force, prosecutors said.
The defendants are believed to be in Iran and could be arrested if they leave the country. Neither they nor their lawyers could be reached for comment.
The 2013 attack on the Bowman Avenue Dam startled U.S. authorities, sparking concerns that reached the White House, former and current U.S. officials previously told The Wall Street Journal. The dam is a small structure less than 20 miles north of New York City used mostly for flood control, and gaining control likely posed little threat. But the move underscored that hackers were targeting U.S. infrastructure.
The infiltration of the Bowman Avenue Dam represents a “frightening new frontier for cybercrime,” U.S. Attorney Preet Bharara said at a news conference Thursday.
The ease with which Mr. Firoozi allegedly found the dam is a major concern for U.S. officials. Many computers controlling industrial and infrastructure systems are old and predate the consumer Internet.
Companies, often against the advice of hacking experts, increasingly have brought such systems online as a way to add “smarts” to U.S. infrastructure. But older systems can have weaknesses that can readily be found through Google dorking, and then exploited, experts said.
While the alleged intrusion into the dam was sophisticated, demonstrating that Iran had greater digital-warfare capability than believed, the methods used to find the dam were relatively mundane.
Mr. Firoozi allegedly had been using the Google technique for months in search of vulnerable U.S. industrial-control systems, such as a computer running an old operating system or one that hadn’t been updated with a security patch, the people familiar with the probe said.
A website called Exploit Database lists dozens of specialized search queries that locate websites or Internet-connected hardware with known weaknesses, using search operators that resemble program code.
Mr. Firoozi allegedly used such specific search parameters to scour websites connected to U.S. infrastructure sites for vulnerable hardware systems. From a computer thousands of miles away in Iran, Mr. Firoozi found what he was looking for in the Bowman Avenue Dam, prosecutors allege.
“Google is a very powerful tool,” said Mr. Bazzell. “It’s global, it’s something that doesn’t have any boundaries.”
Next, he allegedly applied more complicated computer skills to hack into the dam’s controls. Mr. Firoozi gained access to the dam’s supervisory control and data-acquisition system in August 2013, according to an unsealed indictment in Manhattan federal court. If the sluice gate hadn’t been manually disconnected due to maintenance issues, Mr. Firoozi would have been able to remotely operate it, according to the indictment.
U.S. intelligence agencies noticed the intrusion as they monitored computers linked to Iranian hackers targeting American financial institutions, according to people familiar with the matter. Mr. Firoozi and the other defendants were also charged with attacking Bank of America Corp., Nasdaq OMX Group Inc., the New York Stock Exchange, Capital One Financial Corp. and dozens of others.
The FBI and the Department of Homeland Security warned public safety and security organizations in 2014 of potential vulnerabilities through dorking.
“Malicious cyber actors are using advanced search techniques, referred to as ‘Google dorking,’ to locate information that organizations may not have intended to be discoverable by the public or to find website vulnerabilities for use in subsequent cyberattacks,” an intelligence document warned.
Mr. Carlin said while many experts use dorking for benign purposes, the government has warned organizations to be on the lookout for the tactic as a sign hackers could be afoot. It has also advised them to use the technique on themselves to see whether they inadvertently have left information or systems vulnerable to exposure.
Mr. Bazzell said it is up to companies and organizations to protect themselves and ensure Google can’t access data they want to keep private. “Google is simply indexing everything that’s public; it’s not doing anything wrong,” he said. “It’s the obligation of the installer to secure that network or that device.”
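As an added defender-side example that is not from the article or any named source: a small Python audit over constructed sample HTTP responses (the host example.test and the page contents are placeholders) that flags control or login pages a search engine could index because neither robots.txt, an X-Robots-Tag header nor a robots meta tag keeps them out. Keeping a device out of the index is only the first step the article's experts describe; the device itself still needs authentication and network isolation.

```python
"""Audit constructed HTTP responses for control pages a crawler could index."""
import re
from urllib.parse import urlparse

# Constructed sample robots.txt and fetched pages; example.test is a placeholder.
ROBOTS_TXT = "User-agent: *\nDisallow: /private/\n"
PAGES = {
    "https://example.test/hmi/login": (
        {"Content-Type": "text/html"},
        "<html><head><title>Sluice Gate Control - Login</title></head></html>"),
    "https://example.test/private/report": (
        {"Content-Type": "text/html"},
        "<html><head><title>Internal Control Report</title></head></html>"),
    "https://example.test/status": (
        {"Content-Type": "text/html", "X-Robots-Tag": "noindex, nofollow"},
        "<html><head><title>Pump Control Status</title></head></html>"),
}
SENSITIVE_TITLE = re.compile(r"login|control|admin|scada|hmi", re.I)
META_ROBOTS = re.compile(r'<meta\s+name=["\']robots["\']\s+content=["\']([^"\']*)["\']', re.I)

def parse_robots(text):
    """Return Disallow prefixes that apply to every crawler (User-agent: *)."""
    prefixes, applies = [], False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        if field.lower() == "user-agent":
            applies = value == "*"
        elif field.lower() == "disallow" and applies and value:
            prefixes.append(value)
    return prefixes

def has_noindex(headers, body):
    """True if the response opts out of indexing via header or meta tag."""
    values = headers.get("X-Robots-Tag", "")
    meta = META_ROBOTS.search(body)
    if meta:
        values += "," + meta.group(1)
    return "noindex" in values.lower()

def audit(pages, robots_txt):
    """Return [(url, reason)] for sensitive-looking pages a crawler may index."""
    blocked, findings = parse_robots(robots_txt), []
    for url, (headers, body) in pages.items():
        path = urlparse(url).path
        if any(path.startswith(p) for p in blocked) or has_noindex(headers, body):
            continue  # crawler is told not to fetch it, or page opts out of the index
        title = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
        name = title.group(1) if title else ""
        if SENSITIVE_TITLE.search(name):
            findings.append((url, f"indexable page titled {name!r}"))
    return findings
```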
Source | WSJ