Feds Indict Iranian for HBO Hack—But Good Luck Arresting Him
Four months ago, HBO faced a punishing series of leaks of unreleased episodes, scripts, and even celebrities’ contact information. On Tuesday, the Department of Justice named the alleged culprit behind that extortion campaign: An Iranian hacker named Behzad Mesri. By indicting Mesri, prosecutors have sent a message that even anonymous cybercriminals in countries as distant as Iran can be tracked down and unmasked.
The more muted part of that message: Stay in Iran, and you’ll probably never face a US trial.
The Justice Department’s indictment charges 39-year-old Mesri, also known as “Skote Vashat” or “Mr. Smith” to his victims, with computer fraud, wire fraud, identity theft, and the rarer charge of using a computer for extortion. The indictment describes how Mesri stole HBO’s data—totaling no less than 1.5 terabytes, by his measure—demanded $6 million in bitcoin from HBO, and released a series of damaging data dumps to coerce the company to pay. Those dumps included draft scripts for unaired episodes of Game of Thrones, full, unaired episodes of shows including Ballers, Curb Your Enthusiasm, and The Deuce, emails, contracts, and even cast and crew contact lists that included actors’ personal phone numbers.
“Mersi allegedly organized his hacking scheme from halfway around the world, in Iran,” Southern District of New York district attorney Joon Kim told reporters at a Tuesday press conference. “He now stands charged with federal crimes, and although not arrested today, he will forever have to look over his shoulder until he is made to face justice.”
The United States, however, has no extradition treaty with Iran. And even as it announced those charges, the Justice Department seemed to admit that it would likely never actually lay hands on Mesri. “Because Mesri is in Iran we are unfortunately unable to arrest him,” Kim said flatly.
The feds could have strategically kept the charges against Mesri sealed until he could be lured out of Iran, detained, and extradited, but apparently viewed that scenario as a long shot. “We made the determination we were not likely to get him,” Kim said. “We weighed that against sending a message. That was the balancing we did, and we decided now was the right time to do it.”
As one might expect from such an audacious intrusion, Mesri is no ordinary criminal hacker. According to the indictment, he worked at times on the behalf of the Iranian military to hack other countries’ military systems, nuclear software systems—exactly what kind isn’t clear—and Israeli infrastructure. Aside from that state-sponsored hacking, he was also allegedly a member of a group known as the Turk Black Hat Security Team, which is responsible for defacing hundreds of website in the US and elsewhere.
But the penetration of HBO that Mesri is accused of carrying out went far beyond mere website defacement. The indictment states that starting with reconnaissance activities in May, he compromised HBO staffer accounts to gain deep access to the company’s network. In late July, he began releasing his stolen data, along with a series of ransom letters sent to HBO’s executives and to the press. A message in one video he is alleged to have created and shared with press, including WIRED, read, “Leakage will be your worst nightmare…So make a wise decision!” The video adopted the “Winter is Coming” warning from Game of Thrones, adding “HBO is Falling,” and ended with an image of the “Night King”—the archvillain in the show—with his arms raised, the word “standing” in one hand and “falling” in the other.
Despite Mesri’s ties to the Iranian government, the indictment doesn’t include any claim that the HBO extortion was a state-sponsored campaign. But by publicly linking Mesri’s past hacking to the Iranian government, the Justice Department may have made it even less likely that Tehran will cooperate with US law enforcement, or prosecute him in Iran for his alleged criminal hacking.
“I suspect that the Iranian government wouldn’t want to lend credence to anything the US government has said,” says J. Michael Daniel, who served as the Obama administration’s cybersecurity coordinate when the Justice Department indicted seven Iranians for cyberattacks on US banks and a New York dam. None of those hackers ever faced trial in the US. Will Mesri? “I wouldn’t expect it to be overly likely,” Daniel says.
But Daniel still argues that charges against hackers in non-extradition countries, like those against Mesri, serve a purpose. “There are ultimately other ways you can make use of an indictment,” Daniel says. “It’s a signal to other potential hackers that if we can get to you, you might end up in a US courtroom. It’s still a deterrent in that sense.”
One element of that deterrent message may be the use of the extortion charge in particular against Mesri, says Tor Ekeland, an attorney who frequently defends high-profile hacker cases. He sees the indictment as a warning to the growing number of ransomware-focused hackers that they can also be identified and charged—and they may not be as geographically insulated as Mesri. “One thing they’re signaling is that they’re going to start aggressively prosecuting ransomware, and they don’t care where you are in the world,” Ekeland says.
But for Mesri, like so many Russian, Chinese, and North Korean cybercriminals, that threat may not mean actual time in a US prison so much as a severe limitation on foreign travel, given that the US Justice Department has often nabbed indicted criminals when they so much as vacation in a country with a US extradition treaty. “Pragmatically, it just means he can’t travel to anywhere the US can grab him. They’ve imprisoned him in his own country,” Ekeland says of Mesri. “They’ve made him a marked man.”
In his press conference Tuesday, Kim crystalized that threat. “The memory of American law enforcement is very long,” he said. “For hackers who test our resolve in protecting our intellectual property – even those hiding behind keyboards in countries far away – eventually, winter will come.” For Mesri, at least, there will be no more tropical vacations abroad to escape it.
Powered by WPeMatico