Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:59 PM
Connect Directly

Feds Indict Five In Massive Credit-Card Data Breach Scheme

'Hacker 1' and 'Hacker 2' from the Heartland Payment Systems breach indictment were named today among the five defendants in latest breach charges that resulted in 160 million stolen credit card numbers and hundreds of millions of dollars in losses

[UPDATE: The DOJ press release announcing the indictments named Visa Jordan as one of the victims -- the company is not part of Visa and is now known as Emerging Markets Payments. This article has been updated to reflect that correction to the announcement.]

More alleged cybercriminals behind the record-breaking data breach of Heartland Payment Systems and other companies were named today in newly unsealed federal indictments that reveal more breached organizations. In what federal officials are calling the largest-ever data breach scheme prosecuted in the U.S., five men from Russia and the Ukraine have been indicted for hacking into computers at NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Emerging Markets Payments, Global Payment, Diners Singapore, and Ingenicard.

Most of the breaches began with SQL injection attacks on the victim organizations' databases; once inside, the attackers planted backdoor malware to retain a foothold in the networks, from which they pilfered some 160 million credit card accounts, amounting to hundreds of millions of dollars in financial losses, according to the U.S. Attorney's Office in New Jersey. Three of the victim companies reported $300 million in losses.

"The defendants charged today were allegedly responsible for spearheading a world-wide hacking conspiracy that victimized a wide array of consumers and entities, causing hundreds of millions of dollars in losses," said Mythili Raman, Acting Assistant Attorney General for the Department of Justice's Criminal Division. "Despite substantial efforts by the defendants to conceal their alleged crimes, the Department and its law enforcement counterparts have cracked this extensive scheme and are seeking justice for its many victims."

Two of the defendants named in the indictments unsealed today had also previously been indicted in the Heartland case: Vladimir Drinkman, 32, of Syktyykar and Moscow, Russia, and Alexandr Kalinin, 26, of St. Petersburg, Russia, had been charged as "Hacker 1" and "Hacker 2" in the 2009 indictment against Albert Gonzalez for the breach of Heartland Payment Systems, Hannaford's, 7-Eleven, and two other unnamed retailers. Until now, the Heartland case had been the largest such breach ever reported, federal officials say.

[Albert Gonzalez is only part of the equation in the Heartland Payment Systems breach. See Hacker Ring Tied To Major Breaches Just Tip Of The Iceberg . ]

Drinkman and Kalinin, who allegedly were the experts behind breaking into the victims' networks and systems, are considered major players in the case. "They are extremely well-known in the universe of sophisticated cybercriminals. They are known quantities. If you were making a list of the worst of the worst, those two would be on it," says Jason M. Weinstein, partner with Steptoe & Johnson LLP.

Weinstein, who supervised the Gonzalez case while serving as deputy assistant attorney general of the U.S. Department of Justice's (DOJ) Criminal Division, says identifying such high-level cybercrime operatives as the five named in the latest indictment is huge. "They are not low-level people -- not carders, not cashers, not mules that transfer money after fraud is committed," he says. "People this instrumental to this many major attacks being indicated sends a powerful message."

Many of the hacks occurred as far back as 2007, and the case has taken several years to build: Gonzalez was indicted in 2009 for breaches into Heartland, Hannaford's, 7-11, and two other unnamed companies, and is currently serving a 20-year sentence in federal prison. Of the five newly indicted men, Drinkman and Dmitriy Smilianets, 29, of Moscow, were arrested in June 2012 while traveling in the Netherlands. Drinkman is in custody by Netherlands authorities pending an extradition hearing, and Smilianets, who allegedly sold the stolen data and handled the payment to the members of the scheme, is currently in federal custody in the U.S.

Roman Kotov, 32, of Moscow, was allegedly behind "mining the networks," while Drinkman and Kalinin stole the data, according to the U.S. Attorney's Office. Mikhail Rytikov, 26, of Odessa, Ukraine, provided the perpetrators with anonymous Web hosting services. Kalinin, Kotov, and Rytikov remain at large.

Kalinin also faces additional charges: one for allegedly hacking NASDAQ servers and, in another indictment, for allegedly stealing bank account information from U.S.-based financial institutions. Nikolay Nasenkov of Russia is also named in the financial institution hacking charges.

"Criminal hacking is increasingly capable of obtaining information from any publicly accessible resource, and the focus by organizations, especially those responsible for highly sensitive personal and financial information, must shift away from network and system security design toward information security if they wish to stay ahead of those criminals," says Kevin O'Brien, enterprise solution architect, CloudLock. "We continue to see the same categories of mistakes leading to data breaches: poorly secured databases subject to SQL-injection attacks, website design issues leading to cross-site scripting vulnerabilities, man-in-the-middle and other network-level attacks, and classic social engineering."

Inside The Operation
The alleged attackers named today had infiltrated "multiple" companies' servers for more than a year, according to the U.S. Attorney's Office, and often a victim organization would be targeted over a period of months. They stored the stolen data around computers spread around the globe before selling it off for profit via resellers.

Heading up the sales effort was Smilianets, who sold U.S. credit card numbers and related information for about $10 apiece, $50 for European ones, and $15 for Canadian ones.

The defendants also stole user names and passwords, identification, credit and debit card numbers, and other personal information of cardholders. They used encrypted channels to communicate with one another, and in some cases met one another in person in case law enforcement were able to trace their electronic communications. They remained under the radar within the victim organization networks by evading security software and disabling electronic logging of their activities.

"The hardest part is putting fingers at the keyboard -- identifying them," Weinstein says. And getting to alleged actors in regions infamous for cybercrime is huge, he says.

"One of the things DOJ has gotten very good at over the last few years is getting into U.S. custody the [alleged cybercriminals] who thought they were out of our reach," he says. "What's so incredible about [cybercrime] groups like this is that they are able to work seamlessly across borders and time zones and despite language barriers ... In some cases, they don't actually know [one another's] real names until they see their names in an indictment."

The new charges were announced today by New Jersey U.S. Attorney Paul J. Fishman, as well as Special Agent in Charge James Mottola of the U.S. Secret Service (USSS), Criminal Investigations, Newark Division and Acting Assistant Attorney General for the Department of Justice's Criminal Division Mythili Raman. The Secret Service was the lead in the investigation.

"This type of crime is the cutting-edge," Fishman said. "Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy, and our national security. And this case shows there is a real practical cost because these types of frauds increase the costs of doing business for every American consumer, every day. We cannot be too vigilant, and we cannot be too careful."

The defendants could face anywhere from five to 30 years for a series of charges that include conspiracy to gain unauthorized access to computers, conspiracy to commit wire fraud, unauthorized access to computers, and wire fraud.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
8/12/2013 | 12:14:31 PM
re: Feds Indict Five In Massive Credit-Card Data Breach Scheme
Syktyykar is correctly spelled Syktyvkar (Syck-Teev-Car).
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-21
btif/src/btif_dm.c in Android before 5.1 does not properly enforce the temporary nature of a Bluetooth pairing, which allows user-assisted remote attackers to bypass intended access restrictions via crafted Bluetooth packets after the tapping of a crafted NFC tag.
PUBLISHED: 2020-02-21
Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
PUBLISHED: 2020-02-21
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent hea...
PUBLISHED: 2020-02-20
Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be exploited during a new product installation. The vulnerability was found to ONLY be exploitable during an initial produc...
PUBLISHED: 2020-02-20
The Trend Micro Security 2019 ( and below) consumer family of products is vulnerable to a denial of service (DoS) attack in which a malicious actor could manipulate a key file at a certain time during the system startup process to disable the product's malware protection functions or the ...