U.S. Charges Seven Iranians in Hacking Attacks

The U.S. Justice Department unsealed charges against seven alleged Iranian hackers Thursday, saying they attacked the U.S. financial system and servers for a dam in New York in the first public indictment against hackers tied to the Iranian government.

U.S. officials have long accused Iran of sponsoring hackers, but Thursday’s charges are the most explicit accusation to date. The indictment didn’t specifically allege the Iranian government directed the attacks, but said that one of the hackers received credit toward completion of his mandatory military service for the attacks and that another had trained Iranian intelligence officials, among other things.

The unsealing of the charges comes after months of consultations among the Justice Department, the State Department and a handful of intelligence agencies, said a person familiar with the matter. Over the last two years U.S. officials say they have changed their approach and begun to treat nation-state affiliated hacking attacks like terrorism threats.

“In unsealing this indictment, the Department of Justice is sending a powerful message: that we will not allow any individual, group, or nation to sabotage American financial institutions or undermine the integrity of fair competition in the operation of the free market,” Attorney General Loretta Lynch said at a news conference in Washington, D.C.

Some officials privately expressed concerns that unsealing charges against individuals the U.S. has no hopes of arresting would only serve to agitate countries with which the U.S. has fraught relations, including China and Iran, the person familiar with the matter said.

“The world is small and our memory is long,” Federal Bureau of Investigation Director James Comey said during the Thursday news conference. “We want them looking over their shoulders.”

New York federal prosecutors alleged in the indictment that the defendants worked for two private computer-security companies that performed work for the Iranian government, including for the Islamic Revolutionary Guard Corps, Iran’s elite military force.

According to prosecutors, one of the suspects, Hamid Firoozi, in 2013 accessed the server that controlled a dam in Rye, N.Y. The attack didn’t gain operational control of the dam, according to the indictment, but caused thousands of dollars in damages to the computer system.

The infiltration of the Bowman Avenue dam represents a “frightening new frontier for cybercrime,” said U.S. Attorney Preet Bharara, speaking at the event in Washington.

In other attacks starting in 2011, hackers working for Iranian security companies ITSec Team and Mersad began launching so-called denial-of-service attacks on the U.S. financial system, according to prosecutors. The attacks affected around 46 financial institutions over roughly 176 days and prevented customers from accessing their accounts online. The attacks were coordinated between the two companies and cost the victim banks tens of millions of dollars, prosecutors said.

In a denial-of-service attack, hackers overwhelm targeted servers with a flood of electronic communications from thousands of computers, incapacitating the systems.

Prosecutors said the suspected ITSec Team hackers—Ahmad Fathi, Mr. Firoozi and Amin Shokohi—launched denial-of-service attacks targeting Bank of America, Nasdaq, the New York Stock Exchange, Capital One Bank, ING Bank, PNC Bank and others. Two of the men also targeted AT&T.

The suspected Mersad hackers—Sadegh Ahmadzadegan, Omid Ghaffarinia, Sina Keissar and Nader Saedi—also launched denial-of-service attacks on the financial system, including J.P. Morgan Chase, Citibank, Wells Fargo and others.

The defendants weren’t reachable for comment. U.S. officials said the hackers are believed to be in Iran, with which the U.S. doesn’t have an extradition treaty. If the defendants left Iran, U.S. law enforcement could try to arrest them, the officials said.

The charges represent an evolving U.S. policy on unsealing charges against state-backed hackers, a practice frequently called “naming and shaming,” because such defendants are usually beyond the reach of law enforcement.

The first such case was unsealed in 2014 when prosecutors accused five Chinese-government backed hackers of attacking U.S. companies. Ms. Lynch said that, following that case, the U.S. has seen “some significant changes in our interactions with the Chinese government in terms of cybersecurity norms.”

That case differed slightly from Thursday’s. At the time, U.S. officials said the Justice Department pursued the case not just because it involved hacking, but because the hackers were engaging in economic espionage, stealing corporate secrets to benefit competitors based in China. The indictment unsealed Thursday identifies two dozen financial institutions that were allegedly attacked, but doesn’t describe what benefit the hackers sought to gain from the attacks. The connection to the Iranian government was also more attenuated than the government in the China case.

The unsealing of the charges against the Iranian hackers was the Justice Department’s third major cybersecurity event this week. Hacking charges were unsealed Tuesday against three current or former members of the Syrian Electronic Army and a Chinese national Wednesday pleaded guilty to participating in a yearslong attempt to hack into the networks of major U.S. defense contractors and send stolen military data to China.

—Aruna Viswanatha contributed to this article.

Write to Christopher M. Matthews at christopher.matthews@wsj.com