A federal grand jury has handed up indictments against seven Iranian people who U.S. prosecutors allege led a series of cyber attacks against American computer systems dating back to 2011, including one against a dam in upstate New York.
Most of the attacks were distributed denial of service attacks against banking websites, prosecutors say. But one in particular is more worrying. Prosecutors allege that in the fall of 2013 one of the attackers gained access to the systems controlling the Bowman Dam in Rye, NY.
The attacker, prosecutors say, was 34-year-old Hamid Firoozi. In August and September of 2013, they say he “repeatedly obtained unauthorized access to the SCADA systems of the Bowman Dam” which allowed him to obtain information regarding its status and operations. This included access to a part of the dam called a sluice gate responsible for controlling water levels and flow rates. The level of access he obtained, they say, would have normally allowed him to change sluice gate settings. Luckily, the gate was disconnected for maintenance at the time.
The systems involved are known as SCADA systems, which stands for Supervisory Control and Data Acquisition. These are essentially the systems used to control industrial machinery of any kind — whether it’s a dam, an electrical grid, traffic lights or a cookie factory.
It’s important to place the incident in context. Remember Stuxnet? First detected by security researchers in 2010, it was a digital weapon assembled by U.S. and Israeli intelligence agencies that was used to sabotage Iran’s nuclear research program. Stuxnet used so-called zero-day vulnerabilities in Microsoft Windows to burrow into the targeted SCADA systems used to operate some nuclear centrifuges at the Natanz research site in Iran. Once under control of the attackers, the centrifuges were made to spin faster than normal and some even exploded.
While Stuxnet was a success on many fronts — it set back the Iranian program to build a nuclear bomb by a few years — it also had some unintended consequences. One of those, U.S. officials conceded in 2013, was to boost Iran’s resolve to strike back against its adversaries with its own cyberwar capabilities.
The defendants are charged with conspiracy to commit computer hacking and, if ever arrested by U.S. authorities, face a maximum penalty of 10 years in prison.
Don’t expect that to happen. The people indicted are likely to remain beyond the reach of U.S. authorities for the foreseeable future. But it’s not the first time U.S. prosecutors have brought indictments against people they accuse of working on behalf of another country’s government. In 2014 they brought indictments against a group of officers in Unit 61398, the cyberwar unit of China’s People’s Liberation Army. At the time, China called the charges “made up.”
Here’s a copy of the current indictment.
This article originally appeared on Recode.net.