Two Romanian nationals who were arrested recently for allegedly breaking into computers controlling police surveillance cameras in Washington, DC just ahead of President Trump's inauguration last year appear to have left a trail of evidence that led authorities directly to them.
Romanian police last month arrested Mihai Isvanca, 25 and Eveline Cismaru, 28 at Bucharest's Otopeni airport apparently as the pair was about to leave the country. They are currently waiting to be extradited to the US on wire fraud and other computer crime-related charges. Isvanca and Cismaru face up to 20 years in federal prison if convicted on all counts.
Documents related to their arrest released last week describe the pair as breaking into 123 computers associated with surveillance cameras used by DC's Metropolitan Police Department (MPD) and using the compromised systems to distribute ransomware.
The intrusions occurred sometime between January 9 and January 12, 2017. It resulted in several critical police surveillance cameras becoming disabled just prior to Trump's inauguration. The incident triggered the highest priority response by US law enforcement because of its potential impact on security plans for the event.
An affidavit in support of the criminal compliant against Isvanca and Cismaru shows that the MPD called in the US Secret Service to investigate the break-in on January 12, 2017. Secret Service agents from the Washington Field Office discovered that 123 of the MPDs 187 outdoor surveillance cameras had been illegally accessed and were being used to distribute spam emails containing the Cerber and Dharma ransomware samples. One of the infected systems contained a text file with over 179,600 email addresses belonging to targets of the ransomware scheme.
Somewhat curiously considering their choice of target, Isvanca and Cismaru did not appear to have been particularly careful about concealing their tracks. A forensic analysis of three of the MPD's infected computers yielded a lot of information on the identity of the alleged perpetrators and their direct involvement in the malicious activity.
One of the infected devices showed that the attackers had accessed multiple fraudulently established email accounts while the computer was under their control. The email accounts were used to share IP addresses, usernames, passwords, and other details on the compromised surveillance camera computers. They were also used to download ransomware samples on the compromised MPD systems and to send and receive thousands of stolen credit card numbers.
Investigators were able to link at least two of the email addresses directly to Isvanca and Cismaru. Google records, for instance, showed that both Isvanca and Cismaru had used their actual Gmail address as recovery email addresses for some of the accounts associated with the malicious activity. Investigators also discovered that the IP addresses from which the malicious email accounts were established belonged separately to Isvanca and Cismaru.
Other evidence showed that the file containing the over 179,600, target email addresses for the ransomware campaign had been downloaded to the MPD computer directly from Cismaru's system. Numerous, barely concealed email exchanges also showed the two had collaborated on the plot.
The arrests of Cismaru and Isvanca follow the detainment of two other individuals—a British man and Swedish woman—in London last year for the attacks on the MPD computers. However, the affidavit released last week shows that the two individuals were not connected to the attack. They were detained based on information pertaining to a tracking number for Hermes, a European packing shipping company that was found on one of the hacked computers.
Investigation of the tracking number showed it to be associated with a delivery address in London belonging to the two individuals who were detained. But a forensic analysis of computers seized from their residence showed them to have no link to the MPD attack. Instead, the tracking number was associated with a purchase the two individuals had made through Amazon from a company that was registered in Cismaru's name.
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio