Iranian Group Claims Credit For Hack Attack on New York Dam

Group warns Dept. of Energy: ‘OpWinterIsComing’

Bowman Avenue Dam

Sunday the Wall Street Journal revealed that Iranian hackers had penetrated the controls of a dam located about 20 miles from New York City. Another shoe in the troubling story dropped Wednesday, when NBC News reported a group of Iranian hacktivists had taken specific credit for the intrusion:

The group, SOBH Cyber Jihad, sent a message through another Iran-linked hacker outfit, Parastoo, promising that it would release the technical information that proves it was behind the 2013 intrusion, according to Flashpoint Intelligence [. . .] The hackers claimed they kept quiet about the attack for two years because of a “state-level” warning not to go public with it “for the greater good.”

The Wall Street Journal report was the catalyst that prompted SOBH Cyber Jihad to stake their claim they hacked into computer systems for the Bowman Avenue Dam in Rye, N.Y. 

NBC News managed to get a look at the Dept. of Homeland Security’s 2013 report on the hack. It revealed that intruders had been able to see files containing vital information such as passwords a half dozen times between the end of August and and late September, 2013. An NBC source said the intrusions had been tracked to Iran but there wasn’t evidence to support accusing that country’s government of sponsoring the attack

As chilling as it is to think of foreign hackers having control of something vital like a dam, the hackers in this case never had access to any systems that might control major dam functions. NBC reported only one Bowman Avenue Dam sluice gate was even wired for remote computer control but it has “never fully worked,” according to Rye officials.

SOBH Cyber Jihad doesn’t have a particularly deep internet footprint for a group that claims to be hacktivists. However, in September, 2015, a document bearing the group’s name was uploaded to, a site devoted to collecting information about national security, intelligence, and government secrecy, among other things. 

Screenshot from Cryptome doc
Header image on SOBH Cyber Jihad document published in Sept. by Cryptome.

The document was titled “OpWinterIsComing” and addressed to “DOE,” the Dept. of Energy. 

The author or authors of the document, which despite the name may or may not be the same group cited in the dam hack, stated they “tried to understand under what circumstances you would be vulnerable to a total Energy chaos as a nation of voters and fat defense contractors.” They continued on to say their “target was mainly U.S Department of Energy (DOE) and several national labs that help this organization works.” The document also contained screenshots and aerial map views of various locations and long lists of “pwned” email addresses as well as servers—most of them with .gov suffixes. 

At the end of the document the SOBH Cyber Jihad writer or writers said that the DOE was “pwned without harm.”
They stated that they “could vandalize obviously but there was no sense to it.”

Whoever is really behind this cyber jihad seems to know what they’re doing. Given the Rye dam incident and possible evidence of some pretty thorough digging into DOE servers and emails, it could just be a matter of time before they decide to do more than “pwn without harm.”