In Feb 2017, two people were arrested in the United Kingdom for hacking security cameras in Washington DC. Now, D.C. police have revealed their identity and said that two suspects of Romanian origin were arrested for hacking into security cameras and outdoor surveillance systems deployed by the law enforcement. According to the police, the primary objective behind this feat was to distribute ransomware.
The suspects namely Mihai Alexandru Isvanca and Eveline Cismaru were actually arrested with the cooperation of Romanian authorities during a wide-spectrum operation in which so far five individuals have been arrested. The accused are blamed for distributing Dharma and Cerber ransomware attacks.
The United States Secret Service filed an affidavit [Pdf] accusing the Romanian citizens Alexandru Isvanca and Cismaru for hacking into 123 out of the total 197 security cameras that were being operated by the Metropolitan Police Dept of District of Columbia. These cameras were installed to monitor public areas through the city and every camera was controlled by a separate computer.
According to the findings of the Police, the suspects managed to compromise the computer after hacking the security cameras and using a remote desktop protocol the two logged into the computer. The machines were then manipulated to send spam emails using the bulk emailing service SendGrid. Embedded in these emails were ransomware in the form of a PDF file and these spam emails were sent to a whopping 179,616 unique email IDs. The PDF file had strains of Dharma and Cerber ransomware. When the attachment was clicked on by the victim, the ransomware got installed on the machine instantly.
The exploitation of computers owned by the Metropolitan Police started on January 9 whereas the department noticed the intrusion on January 12 when it was identified that some security cameras were disabled. The system was then shut down for four days up until January 15th by the police and during this time the systems’ security was restored. All this happened a few days before the official inauguration ceremony of President Donald Trump. The attack was speculated to be the work of nation-state actors at the time but then investigators negated this assumption.
The reason why the hackers were tracked so soon was that they did not take necessary measures to prevent detection, which is why the Secret Service was able to identify an email ID linked to SendGrid account. This was the same account from which the spam emails were being sent. Moreover, the attackers left a text document containing the list of all email ID targeted in this campaign.
Afterwards, the investigators acquired a warrant for two email IDs. One of these two IDs email@example.com was associated with the SendGrid account while the second one firstname.lastname@example.org was used to log into the computers connected to the security cameras. When direct communication between these accounts and another account email@example.com was identified by the Police, it became easier to join the dots.
From the third account, a list of IP addresses, usernames and passwords was sent to one of the abovementioned email IDs and most of these IP addresses were linked with the Metropolitan Police Dept. security cameras. A warrant was acquired for firstname.lastname@example.org where emails containing PDF files with obfuscated ransomware and attack management control panels were found.
Further probe revealed that Isvanca used his real name and contact information in the account recovery information of one of his email accounts while Cismaru used an account using her real identification information for communicating with Isvanca.