(Bloomberg) -- Hackers linked to the Iranian government launched cyber-attacks on some four dozen U.S. financial institutions and a flood-control dam above New York City in forays meant to undermine U.S. markets and national security, according to federal prosecutors.

Beginning in 2011, Iran-based hackers targeted the New York Stock Exchange, Nasdaq, Bank of America Corp., JPMorgan Chase & Co. and AT&T Inc., among others, according to an indictment unsealed Thursday in Manhattan federal court. One of them gained unauthorized remote access to a computer controlling the Bowman Avenue Dam in Rye, New York, for about three weeks beginning in 2013, according to the indictment.

The hackers were working on behalf of the Iranian government and the Islamic Revolutionary Guard Corps, a hard-line force in Iran, Attorney General Loretta Lynch told reporters in Washington. The hacking of the dam could have caused great damage if the facility hadn’t been shut down for maintenance, she said.

The security breach at the dam represented “a frightening new frontier” for cyberattacks, Preet Bharara, the U.S. Attorney for the Southern District of New York, told reporters.

From December 2011 to May 2013, financial firms’ computer systems were hacked in an effort that involved Iran-based private computer security companies linked with the Revolutionary Guard Corps, the U.S. alleged.

The incursions on the financial firms were initially sporadic, according to the government, and then increased to a near-weekly basis, usually from Tuesdays to Thursdays during normal U.S. business hours. The hacking conspiracy — involving seven Iran-based hackers with nicknames including Turk Server, PLus and Nitr0jen26 — ultimately affected about 46 major financial institutions and other companies in the industry over a total of 176 days, the government said.

Access denied


On some days, the hacking prevented hundreds of thousands of banking customers from accessing their accounts, according to the indictment, costing the banks tens of millions in remediation efforts. Other victims included American Express Co., BB&T Corp., Citigroup Inc., Fifth Third Bancorp, HSBC Holdings Plc, ING Groep NV, KeyCorp, PNC Financial Services Group Inc., U.S. Bancorp and Wells Fargo & Co., according to the indictment.

The conspiracy hinged on finding computers running software that hadn’t been updated to address security flaws, the U.S. said. Those computers were infiltrated and turned into "bots" that could be used to attack the financial institutions, according to the indictment. The hackers then used the bots to carry out distributed denial of service, or DDoS, attacks in which a victim’s computer is overwhelmed with electronic communications, the U.S. said.

"These attacks were relentless, they were systematic and they were widespread," Lynch said at a news conference announcing charges. "We believe they were conducted with the sole purpose of undermining the American free market." Drez Jennings, a spokeswoman for KeyCorp, said the bank is cooperating with authorities investigating the matter. “It’s important to emphasize, just as it stated in the indictment, that no client information was compromised” by the attacks, which she added slowed the bank’s systems for a short time.

Representatives of Nasdaq Inc. and NYSE Group Inc. declined to comment, as did representatives from ING, US Bancorp and Citigroup. Others identified in the indictment as targets of the hacks didn’t immediately respond to a request for comment.

The people charged in the indictment are Ahmad Fathi, Hamid Firoozi, Amin Shokohi, Sadegh Ahmadzadegan, Omid Ghaffarinia, Sina Keissar and Nader Saedi. They couldn’t immediately be located for comment.

Dam controls


Firoozi repeatedly obtained unauthorized remote access in 2013 to a computer that controlled the supervisory control and data acquisition of the Bowman Avenue Dam, a 1940s flood-control facility about 20 miles (32 kilometers) north of New York City, according to the indictment.

From Aug. 28 to Sept. 18 of that year, he repeatedly obtained information about the dam’s status and operation, including water levels and temperature and the status of the gate that controls flow rates.

Although access to the system would have typically permitted a remote user to operate and manipulate the sluice gate, “unbeknownst to Firoozi, the sluice gate control had been manually disconnected” earlier for maintenance, the government said.

Officials have begun pointing to the attack on the dam as a warning that U.S. infrastructure is vulnerable.

‘Across the bow’


New York Senator Charles Schumer called the attack a "shot across the bow" of the U.S. and said tougher sanctions should be imposed. He urged the U.S. to begin a probe to determine if critical infrastructure is vulnerable to cyberattacks and said state and local governments as well as private companies needed to beef up computer security.

"Hackers can come in, as these Iranian hackers did, and hurt our critical infrastructure," Schumer said at a March 11 news conference. "What if they open the sluice gates of a dam with a whole lot of people behind it? What if they shut off the power for a large part of the area?"

The indictment of Iran-based hackers comes just months after the U.S. sealed a historic nuclear pact with Tehran that led to the lifting of economic sanctions against the country. It’s the latest example of the U.S. pursuit of hackers it says are operating within, and at times with the help of, foreign powers.

In May 2014, the U.S. indicted five Chinese military officials for stealing trade secrets, casting the hacker attacks as a direct economic threat. The indictment accused China and its government of a vast effort to mine U.S. technology through cyber-espionage, stealing jobs and innovation. The charges alleged the officers conspired to steal trade secrets and other information from U.S. companies including Westinghouse Electric Co. and Allegheny Technologies Inc.

Trading allegations


Foreign governments have responded to U.S. hacking allegations by denying wrongdoing and accusing the U.S. of its own incursions. Intelligence experts have said the U.S. and Israel may have been behind a cyberstrike that used the so-called Stuxnet virus to disable operations at an Iranian nuclear enrichment plant.

In the China case, as with the latest allegations, the indicted hackers remained abroad and likely out of the reach of U.S. prosecutors. FBI Director James Comey, responding to those who point out the difficulty of bringing those accused in such cases to justice, added Thursday: "The world is small, and our memories are long."

The case is U.S. v. Fathi, U.S. District Court, Southern District of New York.

--With assistance from Annie Massa and Jenny Surane.
