Washington DC’s surveillance cameras hacked… to send spam

Everything and everybody is hackable – and that includes Big Brother.

That’s one takeaway from a criminal complaint filed last week against two Romanians in the US District Court of Washington DC for allegedly hacking into nearly two thirds of the outdoor surveillance cameras operated by the city’s police department.

According to an 11 December affidavit from US Secret Service Special Agent James Graham, Mihai Alexandru Isvanca and Eveline Cismaru took control of 123 of the 187 cameras used by the Metropolitan Police Department of the District of Columbia (MPDC) for four days, from 9-12 January 2017.

The scheme apparently wasn’t intended to commandeer cameras to spy on the city, however. According to Graham, the two sought to use the internet-connected computers behind the cameras to send “ransomware-laden spam emails.”

And while they made some efforts to cover their tracks, Graham said that email accounts they used…

…reflect not just the ransomware scheme, but in various ways (and through related accounts and activity) ultimately identify ISVANCA and CISMARU as the participants in the conspiracy, including by leading back to email and other online accounts in their own names.

The attack was halted on 12 January after the MPDC’s IT network administrator discovered that multiple cameras had been disabled.

Graham said the administrator used a Remote Desktop Protocol (RDP) to show another Secret Service agent that one of the victim computers was running software not installed by the department, and showing multiple windows that had been opened by the attackers. They included:

  • A window displaying a tracking number for the European shipping company known as “Hermes”.
  • A web browser open at an email delivery website
  • A Google search page with search results for “email verifier online”.
  • Notepad, showing code for various executable and text files.
  • The splash screen for a variant of ransomware known as “cerber.”

A forensic investigation also showed another ransomware variant on the compromised computers known as dharma (for which, as Naked Security reported in May, decryption keys were released in March), plus a text file that contained 179,616 email addresses.

Graham’s affidavit doesn’t say how successful the ransomware campaign was, but said he and other agents contacted a number of people or companies whose IP addresses had been mentioned in correspondence between the hackers. One of them, “Company M”

…indicated they had experienced an unauthorized network intrusion. COMPANY M provided screenshots reflecting a cerber splashscreen from the period of unauthorized access, as well as multiple other indicators of network intrusion.

Another apparent target, a healthcare company in the UK, told investigators it had, “confirmed evidence of unauthorized access to its computer server…”

The US does have an extradition treaty with Romania that was amended and renewed in 2009, but the court did not post the actual complaint, nor did it respond to a question about whether it will seek to have the defendants brought to the US to face trial.

Also no word from the MPDC about what steps they may be taking to make their outdoor surveillance systems more secure.

The complaint came around the same time that, as Naked Security reported Thursday, Romanian police raided seven locations and arrested five suspects for alleged spreading CTB Locker and Cerber ransomware that they had rented on the Dark Web.