Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/2/2018
04:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Hackers Who Disabled Police Cameras Prior to Trump Inauguration Left Trail of Clues

Romanian police last month arrested Mihai Isvanca, and Eveline Cismaru for allegedly breaking into 123 computers controlling surveillance cameras at DC's police department in 2017.

Two Romanian nationals who were arrested recently for allegedly breaking into computers controlling police surveillance cameras in Washington, DC just ahead of President Trump's inauguration last year appear to have left a trail of evidence that led authorities directly to them.

Romanian police last month arrested Mihai Isvanca, 25 and Eveline Cismaru, 28 at Bucharest's Otopeni airport apparently as the pair was about to leave the country. They are currently waiting to be extradited to the US on wire fraud and other computer crime-related charges. Isvanca and Cismaru face up to 20 years in federal prison if convicted on all counts.

Documents related to their arrest released last week describe the pair as breaking into 123 computers associated with surveillance cameras used by DC's Metropolitan Police Department (MPD) and using the compromised systems to distribute ransomware.

The intrusions occurred sometime between January 9 and January 12, 2017. It resulted in several critical police surveillance cameras becoming disabled just prior to Trump's inauguration. The incident triggered the highest priority response by US law enforcement because of its potential impact on security plans for the event.

An affidavit in support of the criminal compliant against Isvanca and Cismaru shows that the MPD called in the US Secret Service to investigate the break-in on January 12, 2017. Secret Service agents from the Washington Field Office discovered that 123 of the MPDs 187 outdoor surveillance cameras had been illegally accessed and were being used to distribute spam emails containing the Cerber and Dharma ransomware samples. One of the infected systems contained a text file with over 179,600 email addresses belonging to targets of the ransomware scheme.

Somewhat curiously considering their choice of target, Isvanca and Cismaru did not appear to have been particularly careful about concealing their tracks. A forensic analysis of three of the MPD's infected computers yielded a lot of information on the identity of the alleged perpetrators and their direct involvement in the malicious activity.

One of the infected devices showed that the attackers had accessed multiple fraudulently established email accounts while the computer was under their control. The email accounts were used to share IP addresses, usernames, passwords, and other details on the compromised surveillance camera computers. They were also used to download ransomware samples on the compromised MPD systems and to send and receive thousands of stolen credit card numbers.

Investigators were able to link at least two of the email addresses directly to Isvanca and Cismaru. Google records, for instance, showed that both Isvanca and Cismaru had used their actual Gmail address as recovery email addresses for some of the accounts associated with the malicious activity. Investigators also discovered that the IP addresses from which the malicious email accounts were established belonged separately to Isvanca and Cismaru.

Other evidence showed that the file containing the over 179,600, target email addresses for the ransomware campaign had been downloaded to the MPD computer directly from Cismaru's system. Numerous, barely concealed email exchanges also showed the two had collaborated on the plot.

The arrests of Cismaru and Isvanca follow the detainment of two other individuals—a British man and Swedish woman—in London last year for the attacks on the MPD computers. However, the affidavit released last week shows that the two individuals were not connected to the attack. They were detained based on information pertaining to a tracking number for Hermes, a European packing shipping company that was found on one of the hacked computers. 

Investigation of the tracking number showed it to be associated with a delivery address in London belonging to the two individuals who were detained. But a forensic analysis of computers seized from their residence showed them to have no link to the MPD attack. Instead, the tracking number was associated with a purchase the two individuals had made through Amazon from a company that was registered in Cismaru's name.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mipcctvi660
100%
0%
Mipcctvi660,
User Rank: Apprentice
12/17/2018 | 3:53:27 PM
Re: informative
Thanks for sharing 

I dont know what hackers exactly do but as a technical person, i think they attack to the operation system of the DVR s.
دوربین مداربسته 
kiasati
100%
0%
kiasati,
User Rank: Apprentice
5/28/2018 | 11:39:33 AM
informative
intresting.. thanks for sharing.. 

anyway, cctv cameras could be helpful in such stuations. but if they're not gonna be hacked.

دوربین مداربسته 
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I told you we should worry abit more about vendor lock-in.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .