Attacks/Breaches

1/2/2018
04:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Hackers Who Disabled Police Cameras Prior to Trump Inauguration Left Trail of Clues

Romanian police last month arrested Mihai Isvanca, and Eveline Cismaru for allegedly breaking into 123 computers controlling surveillance cameras at DC's police department in 2017.

Two Romanian nationals who were arrested recently for allegedly breaking into computers controlling police surveillance cameras in Washington, DC just ahead of President Trump's inauguration last year appear to have left a trail of evidence that led authorities directly to them.

Romanian police last month arrested Mihai Isvanca, 25 and Eveline Cismaru, 28 at Bucharest's Otopeni airport apparently as the pair was about to leave the country. They are currently waiting to be extradited to the US on wire fraud and other computer crime-related charges. Isvanca and Cismaru face up to 20 years in federal prison if convicted on all counts.

Documents related to their arrest released last week describe the pair as breaking into 123 computers associated with surveillance cameras used by DC's Metropolitan Police Department (MPD) and using the compromised systems to distribute ransomware.

The intrusions occurred sometime between January 9 and January 12, 2017. It resulted in several critical police surveillance cameras becoming disabled just prior to Trump's inauguration. The incident triggered the highest priority response by US law enforcement because of its potential impact on security plans for the event.

An affidavit in support of the criminal compliant against Isvanca and Cismaru shows that the MPD called in the US Secret Service to investigate the break-in on January 12, 2017. Secret Service agents from the Washington Field Office discovered that 123 of the MPDs 187 outdoor surveillance cameras had been illegally accessed and were being used to distribute spam emails containing the Cerber and Dharma ransomware samples. One of the infected systems contained a text file with over 179,600 email addresses belonging to targets of the ransomware scheme.

Somewhat curiously considering their choice of target, Isvanca and Cismaru did not appear to have been particularly careful about concealing their tracks. A forensic analysis of three of the MPD's infected computers yielded a lot of information on the identity of the alleged perpetrators and their direct involvement in the malicious activity.

One of the infected devices showed that the attackers had accessed multiple fraudulently established email accounts while the computer was under their control. The email accounts were used to share IP addresses, usernames, passwords, and other details on the compromised surveillance camera computers. They were also used to download ransomware samples on the compromised MPD systems and to send and receive thousands of stolen credit card numbers.

Investigators were able to link at least two of the email addresses directly to Isvanca and Cismaru. Google records, for instance, showed that both Isvanca and Cismaru had used their actual Gmail address as recovery email addresses for some of the accounts associated with the malicious activity. Investigators also discovered that the IP addresses from which the malicious email accounts were established belonged separately to Isvanca and Cismaru.

Other evidence showed that the file containing the over 179,600, target email addresses for the ransomware campaign had been downloaded to the MPD computer directly from Cismaru's system. Numerous, barely concealed email exchanges also showed the two had collaborated on the plot.

The arrests of Cismaru and Isvanca follow the detainment of two other individuals—a British man and Swedish woman—in London last year for the attacks on the MPD computers. However, the affidavit released last week shows that the two individuals were not connected to the attack. They were detained based on information pertaining to a tracking number for Hermes, a European packing shipping company that was found on one of the hacked computers. 

Investigation of the tracking number showed it to be associated with a delivery address in London belonging to the two individuals who were detained. But a forensic analysis of computers seized from their residence showed them to have no link to the MPD attack. Instead, the tracking number was associated with a purchase the two individuals had made through Amazon from a company that was registered in Cismaru's name.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How to Attract More Women Into Cybersecurity - Now
Dawn Kawamoto, Associate Editor, Dark Reading,  1/12/2018
Researchers Offer a 'VirusTotal for ICS'
Kelly Jackson Higgins, Executive Editor at Dark Reading,  1/16/2018
Which CISO 'Tribe' Do You Belong To?
Kelly Sheridan, Associate Editor, Dark Reading,  1/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.