The U.S. Department of Justice unsealed indictments against seven Iranians Thursday in a long-running cyber attack against U.S. financial firms and the computer system controlling a dam in Rye, New York.
The intrusions, the government says, were conducted from 2011 to 2013 and caused millions of dollars in damages to banks that were forced to take additional steps to protect their systems, as well as inconvenience for customers who were unable to access their account information online.
An indictment is a rare step for the U.S. government to take against foreign government-affiliated officials who are unlikely to be within reach of U.S. law enforcement any time soon. It mirrors an earlier effort that indicted five Chinese military officials for hacking in 2014.
The indictments come against a backdrop of warming relations between the United States and Iran , which includes a recently signed deal to stop that country's nuclear program.
Attributing cyber attacks to specific individuals is one of the most difficult challenges in cybersecurity, and the fact that the United States is willing to go to court with actual names of Iranian attackers indicates a high degree of confidence by U.S. law enforcement that it can trace the attacks all the way back to their source. It may be an indication of more to come: This week, the Department of Justice announced enforcement actions against the Syrian Electronic Army, and an alleged Chinese hacker named Su Bin.
The indictment says the Iranians charged worked for two private companies that in turn worked for the Iranian government and the Islamic Revolutionary Guard Corps. The companies were ITSec Team and Mersad Co. According to the indictment, Ahmad Fathi, Hamid Firoozi and Amin Shokohi were experienced computer hackers who worked for the ITSec Team, and Sadegh Ahmadzadegan, Omid Ghaffarinia, Sina Keissar and Nader Saedi worked for Mersad.
The indictment says the hackers conducted a so-called distributed denial of service attack against the financial institutions. That's a cyber attack designed to overwhelm a website with inbound traffic, effectively shutting down access for legitimate website users. The government said the attacks affected 46 "major financial institutions" over about 176 days, which at some points meant that hundreds of thousands of bank customers lost online access to their accounts.
Retired Army Col. Jack Jacobs said the Obama administration is likely to tread lightly as it continues to court the Iranian middle class in the wake of recent elections that gave "genuine moderates" increased control of Iran's parliament.
"I think the United States is not going to impose any new sanctions, and if they do impose new sanctions, I think it's going to be on maybe specific individuals somewhere near the top of the food chain," he told CNBC's "Squawk on the Street."
"I don't think they want to scotch what looks like an opportunity to make the middle class very excited about a new burgeoning relationship with the United States."
Jacobs added that the United States currently lacks sufficient defenses to prevent cyberattacks.
Ted Kattouf, president of the non-profit AMIDEAST and former ambassador to Syria, agreed that additional sanctions against Iran are unlikely because U.S. allies, including those in Europe, have no stomach for them. The public indictments against Iranian and Chinese hackers and government officials should be viewed as an effort to dissuade future attacks, he added.
"We know very well that [China is] going to spy on our military, just as we spy on theirs, but [the indictment] was meant to have a deterrent effect and let them know that we're losing patience," he told "Squawk on the Street."
— CNBC's Tom DiChristopher contributed to this story.