Law Enforcement's Winning Week In Cybercrime

Russian hackers cop to Heartland breach and two men are arrested in connection with a major ransomware scheme -- but meanwhile, the hacking beat goes on.

It was a rare good week for law enforcement in the ongoing battle against cybercrime as officials broke open two high-profile cases: first, two Russian nationals pleaded guilty to their role in the historic data breach in 2008 of Heartland Payment Systems and other companies, and then a pair of Dutch nationals were arrested for their alleged role in a massive ransomware attack campaign.

High-profile prosecutions and arrests of cybercriminals remain few and far between compared with the volume of cybercrime activity worldwide today. While the cases send much-needed signals to the bad guys that cybercrime doesn't always pay, security and law enforcement experts acknowledge that despite the wins, cybercrime remains very much alive and well.

The US Department of Justice announced this week that two Russian nationals who had been arrested in The Netherlands in June of 2012 in connection with the infamous hacking case involving payment processor Heartland Payment Systems and NASDAQ -- as well as other processors and retail firms, including 7-Eleven, JC Penney, and JetBlue -- each separately pleaded guilty to their role in the attacks. The attacks resulted in the theft of some 160 million credit card numbers and over $300 million in losses.

Vladimir Drinkman, 34, of Syktyvkar, Russia, and Moscow, on Tuesday copped to his role in the massive breach campaign, pleading guilty to one count of conspiracy to commit unauthorized access to protected computers, and one count of conspiracy to commit wire fraud.

Assistant Attorney General Leslie R. Caldwell of DoJ's Criminal Division credited international cooperation as key to Drinkman's ultimate conviction. "As demonstrated by today's conviction, our close cooperation with our international partners makes it more likely every day that we will find and bring to justice cybercriminals who attack America – wherever in the world they may be," Caldwell said. "As law enforcement around the world responds to the cyber threat that affects us all, I am confident that this type of international cooperation that led to this result will be the new normal."

Yesterday, Dmitriy Smilianets, 32, of Moscow, pleaded guilty to conspiracy to commit wire fraud in a manner affecting a financial institution. Drinkman and alleged cohort Alexandr Kalinin, 28, of St. Petersburg, Russia -- who remains at large -- did the hacking, and Smilianets sold the stolen financial information on behalf of the hacking ring. Smilianets allegedly charged $10 for each American credit card number and associated data; $50 for each European credit card number and associated data; and $15 for each Canadian credit card number and associated data. He also offered bulk discounts.

Roman Kotov, 34, of Moscow, who allegedly cased the victim networks for valuable data, and Mikhail Rytikov, 28, of Odessa, Ukraine, who provided anonymous Web hosting services to the attacks, also both remain at large.

[Robert Carr, chairman and CEO of Heartland Payment Systems, says lack of end-to-end encryption and tokenization were factors in recent data breaches. Read Heartland CEO On Why Retailers Keep Getting Breached.]

In the newest hacking case, Dutch police arrested two men from Amersfoort, The Netherlands, for their alleged roles in the CoinVault ransomware attacks that have infected some 1,500 Windows users worldwide. The Dutch Police's National High-Tech Crime Unit used research from Kaspersky Lab and Panda Security to help identify and locate the alleged hackers, ages 18 and 22, behind the attacks. They did not name the suspects publicly.

CoinVault, which attempted to infect tens of thousands of machines mostly in The Netherlands, Germany, France, the UK, and the US, locks victims out of their machines and demands payment in Bitcoins for the decryption of the files. According to Kaspersky's research, the attackers began their campaign back in May of 2014.

The arrests of the alleged ransomware hackers are "a start," says Tony Porras, a cybersecurity and compliance attorney who has worked with clients victimized by ransomware infections. "It's good to see some movement" law enforcement-wise against ransomware, he says.

"So far, it's mostly been throwing your hands up in the air and saying 'you'd better have a good backup,'" Porras says.

Kaspersky Lab security researcher Santiago Pontiroli, who has been studying and researching CoinVault since it was first spotted in the wild, says he and his team haven't seen any additional activity since the bust. The CoinVault gang traditionally has been wise to researchers and others investigating them, however: "After the initial report we did" in November of 2014, the gang basically laid low and went into hiding, even removing traces of the Dutch language from their tracks, Pontiroli says. "They didn't release any more samples until April of 2015. It's like they knew someone was watching them."

The good news is that if indeed the CoinVault busts kill the ransomware, at least that one family will be history, according to Pontiroli. "But CoinVault isn't the only ransomware out there," he says. "Ransomware is a rising problem. This is not the end of it, but it shows" cooperation among private industry and law enforcement can help, he says.

It also sends a message to cybercriminals, he says: "This is a crime and you will be prosecuted."

SQL Injection

The first hacker to go down in connection with the Heartland breach was the now-infamous Albert Gonzalez, of Miami, who is serving a 20-year sentence for his role in the breaches of Heartland and four other companies.

The hackers associated with the case -- considered the largest data breach case ever indicted -- hit NASDAQ, 7-Eleven, Carrefour, JC Penney, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payments, Diners Singapore, and Ingeniecard. After infiltrating the victim networks, the attackers stole usernames and passwords, credit and debit card numbers, and other personal information. To cover their tracks, they disabled logging on the victims' security systems.

Their most frequent initial attack vector was SQL injection, followed by planting backdoor malware on the compromised systems. They also employed sniffers to capture data in transit, and ultimately sold the card information on online forums or to other individuals.
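To show why the ring's favourite entry vector still works against string-built queries, here is an added example (not code from the article or from any of the companies named) that puts a vulnerable lookup beside its parameterized fix. It uses an in-memory SQLite database with a constructed, hypothetical merchant table; the input that bypasses the first version is treated as a plain literal by the second.

```python
import sqlite3

# Constructed sample rows for a hypothetical merchant table; the schema is
# invented for this example and is not any real processor's.
SAMPLE_ROWS = [
    ("acme-store", "s3cret-1", "4111111111111111"),
    ("beta-mart", "s3cret-2", "5500000000000004"),
]


def make_db():
    """Build an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (name TEXT, password TEXT, card TEXT)")
    conn.executemany("INSERT INTO merchants VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name, password):
    """Builds SQL by concatenation, so user text becomes part of the query.

    A password value containing a quote can close the string literal and
    append its own condition, changing which rows the WHERE clause selects.
    """
    sql = ("SELECT card FROM merchants WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name, password):
    """Binds the inputs as parameters; they are only ever compared as values."""
    sql = "SELECT card FROM merchants WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def compare(name, password):
    """Run both lookups on the same input and return their row counts."""
    conn = make_db()
    return (len(lookup_vulnerable(conn, name, password)),
            len(lookup_parameterized(conn, name, password)))
```

With valid credentials both functions return the same single card; with a quote-breaking input the concatenated query returns every row while the parameterized one returns none.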

Jeremiah Grossman, founder of WhiteHat Security, says the hacking ring wasn't particularly innovative in its tactics, with SQL injection, for example, among its favorite hacks. "Imagine how much infosec budget dollars in defense they bypassed using well-known techniques," he says.

Both the Heartland and CoinVault case breaks are good news, though, he says. "Less bad guys on the street, so to speak," Grossman says. "But I have to think this is a drop in the bucket, and if not, other groups will take their place rather quickly."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
