Attacks/Breaches

1/2/2018
04:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Hackers Who Disabled Police Cameras Prior to Trump Inauguration Left Trail of Clues

Romanian police last month arrested Mihai Isvanca, and Eveline Cismaru for allegedly breaking into 123 computers controlling surveillance cameras at DC's police department in 2017.

Two Romanian nationals who were arrested recently for allegedly breaking into computers controlling police surveillance cameras in Washington, DC just ahead of President Trump's inauguration last year appear to have left a trail of evidence that led authorities directly to them.

Romanian police last month arrested Mihai Isvanca, 25 and Eveline Cismaru, 28 at Bucharest's Otopeni airport apparently as the pair was about to leave the country. They are currently waiting to be extradited to the US on wire fraud and other computer crime-related charges. Isvanca and Cismaru face up to 20 years in federal prison if convicted on all counts.

Documents related to their arrest released last week describe the pair as breaking into 123 computers associated with surveillance cameras used by DC's Metropolitan Police Department (MPD) and using the compromised systems to distribute ransomware.

The intrusions occurred sometime between January 9 and January 12, 2017. It resulted in several critical police surveillance cameras becoming disabled just prior to Trump's inauguration. The incident triggered the highest priority response by US law enforcement because of its potential impact on security plans for the event.

An affidavit in support of the criminal compliant against Isvanca and Cismaru shows that the MPD called in the US Secret Service to investigate the break-in on January 12, 2017. Secret Service agents from the Washington Field Office discovered that 123 of the MPDs 187 outdoor surveillance cameras had been illegally accessed and were being used to distribute spam emails containing the Cerber and Dharma ransomware samples. One of the infected systems contained a text file with over 179,600 email addresses belonging to targets of the ransomware scheme.

Somewhat curiously considering their choice of target, Isvanca and Cismaru did not appear to have been particularly careful about concealing their tracks. A forensic analysis of three of the MPD's infected computers yielded a lot of information on the identity of the alleged perpetrators and their direct involvement in the malicious activity.

One of the infected devices showed that the attackers had accessed multiple fraudulently established email accounts while the computer was under their control. The email accounts were used to share IP addresses, usernames, passwords, and other details on the compromised surveillance camera computers. They were also used to download ransomware samples on the compromised MPD systems and to send and receive thousands of stolen credit card numbers.

Investigators were able to link at least two of the email addresses directly to Isvanca and Cismaru. Google records, for instance, showed that both Isvanca and Cismaru had used their actual Gmail address as recovery email addresses for some of the accounts associated with the malicious activity. Investigators also discovered that the IP addresses from which the malicious email accounts were established belonged separately to Isvanca and Cismaru.

Other evidence showed that the file containing the over 179,600, target email addresses for the ransomware campaign had been downloaded to the MPD computer directly from Cismaru's system. Numerous, barely concealed email exchanges also showed the two had collaborated on the plot.

The arrests of Cismaru and Isvanca follow the detainment of two other individuals—a British man and Swedish woman—in London last year for the attacks on the MPD computers. However, the affidavit released last week shows that the two individuals were not connected to the attack. They were detained based on information pertaining to a tracking number for Hermes, a European packing shipping company that was found on one of the hacked computers. 

Investigation of the tracking number showed it to be associated with a delivery address in London belonging to the two individuals who were detained. But a forensic analysis of computers seized from their residence showed them to have no link to the MPD attack. Instead, the tracking number was associated with a purchase the two individuals had made through Amazon from a company that was registered in Cismaru's name.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kiasati
100%
0%
kiasati,
User Rank: Apprentice
5/28/2018 | 11:39:33 AM
informative
intresting.. thanks for sharing.. 

anyway, cctv cameras could be helpful in such stuations. but if they're not gonna be hacked.

دوربین مداربسته 
Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
Election Websites, Backend Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10510
PUBLISHED: 2018-08-15
A Directory Traversal Remote Code Execution vulnerability in Trend Micro Control Manager (versions 6.0 and 7.0) could allow an attacker to execute arbitrary code on vulnerable installations.
CVE-2018-10511
PUBLISHED: 2018-08-15
A vulnerability in Trend Micro Control Manager (versions 6.0 and 7.0) could allow an attacker to conduct a server-side request forgery (SSRF) attack on vulnerable installations.
CVE-2018-10512
PUBLISHED: 2018-08-15
A vulnerability in Trend Micro Control Manager (versions 6.0 and 7.0) could allow an attacker to manipulate a reverse proxy .dll on vulnerable installations, which may lead to a denial of server (DoS).
CVE-2018-8753
PUBLISHED: 2018-08-15
The IKEv1 implementation in Clavister cOS Core before 11.00.11, 11.20.xx before 11.20.06, and 12.00.xx before 12.00.09 allows remote attackers to decrypt RSA-encrypted nonces by leveraging a Bleichenbacher attack.
CVE-2018-9129
PUBLISHED: 2018-08-15
ZyXEL ZyWALL/USG series devices have a Bleichenbacher vulnerability in their Internet Key Exchange (IKE) handshake implementation used for IPsec based VPN connections.