Skip to contents
Crime and Courts

Two Iranians indicted in hacking scheme that held CDOT computers hostage and cost Colorado up to $2 million

State's chief information security officer shares how the malware took out 1,700 computers for six weeks

A command center set up in March 2018 to deal with the SamSam ransomware attack on the Colorado Department of Transportation. (Provided by the Governor’s Office of Information Technology)
  • Credibility:

A federal grand jury has indicted two Iranian men accused of holding the Colorado Department of Transportation’s computer system hostage earlier this year as part of a wide-reaching international computer hacking and extortion scheme.

The malware infected critical systems nationwide, including hospitals, and extorted more than 200 victims who paid the attackers $6 million, according to federal authorities.

Federal court documents out of New Jersey allege Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri in February accessed the CDOT system and deployed the SamSam ransomware on its computers.

Prosecutors allege the two attackers, while in Iran, demanded that CDOT pay a ransom in bitcoin in exchange for keys to decrypt data, leading the agency to shut down 1,700 employee computer systems.

It took more than six weeks for state authorities to clean up infected machines at an estimated cost of $1.5 million to $2 million, said Deborah Blyth, chief information security officer for the state’s Office of Information Technology.

“Today’s indictment shows how seriously we take this type of criminal activity. We want to thank the FBI for their partnership and commitment to prosecuting the malicious actors who are responsible for these devastating cyber attacks,” Blyth said.

Deputy U.S. Attorney General Rod Rosenstein, at a news conference Wednesday, said the defendants “sought to interrupt critical transportation infrastructure.”

“Publicly revealing this nefarious hacking scheme makes it harder for the perpetrators, and others like them, to do business in the future,” he said. “As a result of the indictment, the defendants are now fugitives from justice.  They face arrest and extradition to the United States in many nations that honor the rule of law.”

MORE: Read the indictment

The two men began targeting computer security vulnerabilities at various organizations sometime around December 2015. Once in, they would install and execute the SamSam ransomware, which encrypted data and demanded bitcoin if the victims wanted the data back.

SamSam infected CDOT computers on Feb. 21 starting with one machine, Blyth said. But that particular machine happened to be one the agency was using to test a new business process.

It wasn’t configured to current security standards since it was expected to be online only for a short period, she said.

But the malware immediately spread to 1,300 employee computers plus 400 servers — all using Windows software — on the same day. Employees were told to turn off their computers to prevent the spread.

“We got a pop-up on the screen of everyone’s computer that was encrypted. If you wanted to use your computer and decrypt it, you’ll have to pay with bitcoin,” Blyth said. “I think it gave us a time frame of seven days.”

CDOT chose not to pay.

One reason was that the state had good digital backups so it was confident it could restore any of the tampered data. It also had segmented network operations so if one set of computers was hit, the infection wouldn’t spread to other departments or agencies. That’s why computers controlling traffic lights or other road systems in Colorado were not impacted.

But another reason to not pay?

“We didn’t want to pay criminals and fund criminal activity. We didn’t want to make it a precedent so they could feel like if they target the public sector, they could get paid,” Blyth said. “(Paying) seemed like it would be the worst decision we could make.”

A command center set up earlier this year to deal with the SamSam ransomware attack on the Colorado Department of Transportation. (Provided by the Governor’s Office of Information Technology)

But some organizations attacked by SamSam chose to pay.

Hancock Health in Indiana paid $55,000 to get back files that included patient medical records, according to a story by The Greenfield Reporter. The attackers changed more than 1,400 files to “I’m sorry” and gave the hospital seven days to pay up or else the files would be deleted.

Paying for the return of important data is discouraged by authorities but it’s a difficult choice for business owners, said Steven Fulton, Director at the Center for Information Assurance Studies at Regis University.

“We don’t know who these people are and we don’t know what these people are doing with the money. It’s one thing if they’re trying to feed their families, but it’s another thing if they’re trying to start another bad enterprise,” he said. “Every minute your computer is down you’re losing money and I understand and appreciate that. But if your system is not backed up, you’re starting at ground zero and it will cost you a lot to get going again.”

When SamSam was unleashed on the City of Atlanta, it took out computer systems that residents used to pay traffic tickets, report graffiti and access Wi-Fi at the airport, according to The New York Times. City systems were out for days.

Federal prosecutors allege that in all, the Iranians caused their victims $30 million in losses.

Colorado didn’t pay a cent to the attackers, but the incident cost the state money.

Blyth says there were costs for overtime, hiring the Colorado National Guard, and the price of food and other expenses. Staff swelled from 24 IT employees to nearly 150 at the peak. And that doesn’t include the inconvenience of employees not having access to their computers.

The outage meant employees couldn’t get into their email, time cards or the financial systems to pay vendors. But workarounds were made. Employees used personal devices to check email since internet-based systems weren’t impacted.

Now that it’s over, Blyth is glad she reached out to the FBI early on and created the partnerships with commercial security companies, local cybersecurity experts and other agency tech professionals. Her team also decided to speed up the rollout of more security projects already under way.

“I probably think about it every single day since it was such a huge event. It impacted both my work and personal life,” said Blyth, who received a courtesy notification about the federal indictment on Tuesday. “(The indictment) was a pleasant surprise.”

MORE: Read more politics and government coverage from The Colorado Sun.

According to the federal indictment, SamSam’s other victims included the Port of San Diego, the cities of Atlanta and Newark, N.J., and several health care facilities. In all, there were more than 200 victims in 10 states and Canada.

Savandi and Mansouri, working in Iran, researched targets online and used online scanning techniques to find vulnerable computers. Attacks occurred outside of regular business hours, which often made it more difficult to mitigate immediately. And the attacks continued with the latest alleged incident occurring on Sept. 25, according to the indictment.

By targeting their victims, the two attackers were able to have more impact, said Jason Davison, an Advanced Threat Research Analyst for Webroot in Broomfield.

“This approach is much more selective than other modern malware distribution methods,” Davison said. “Once network access was gained, the threat actors would perform internal recon on their target organization and further profile their victims before releasing SamSam and extorting the target. We should expect to see more attacks following this trend of highly targeted victims and attacks.”

Local cybersecurity experts say the thieves got caught because of how they cashed in their bitcoin. They used a regular coin exchange.

“From the official court documents, it appears the criminals didn’t convert their bitcoin to Monero (an open-source and more discreet cryptocurrency) or another private-ledger crypto – they sent their bitcoin straight to the exchange,” said Tyler Moffitt, senior threat research analyst at Webroot. “This seems like a silly error because you can track transactions from the ransom address all the way to the exchange.”

The U.S. Department of Justice says the indictment of Savandi, 34, and Mansouri 27, followed a 34-month-long scheme that was probed by the highest levels of federal law enforcement. Savandi and Mansouri have each been charged with one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two substantive counts of intentional damage to a protected computer, and two substantive counts of transmitting a demand in relation to damaging a protected computer.

“The defendants chose to focus their scheme on public entities, hospitals, and municipalities,” Rosenstein said. “They knew that shutting down those computer systems could cause significant harm to innocent victims.”


We believe vital information needs to be seen by the people impacted, whether it’s a public health crisis, investigative reporting or keeping lawmakers accountable. This reporting depends on support from readers like you.

More from The Colorado Sun