Just a few days before the January 2017 inauguration of President Trump, the Metropolitan Police Department (MPD) in Washington, DC noticed that several surveillance cameras weren’t working.
It would transpire that they were being held hostage in a ransomware attack, with some of the systems being used to spread the attack further. In fact, when investigators disrupted the attack on 12 January 2017, they found that some of the computers had been turned into proxies to spread the malware and were in the process of targeting 179,616 other systems.
The cameras were yanked back into working mode within a few days, and the ensuing investigation set off an international hunt for the culprits. The trail led to Romania, and eventually to Eveline Cismaru: a 28-year-old woman who on Thursday pleaded guilty to federal charges stemming from the attack.
Fellow Romanian, Mihai Alexandru Isvanca, was arrested in December in Bucharest, Romania, and remains held there pending extradition to the US. Three other Romanian hackers are facing prosecution in Europe.
Cismaru had initially skipped town, fleeing Romania weeks after her arrest. She was tracked down and apprehended in the UK in March 2018, and extradited to the US on 26 July 2018.
As the Washington Post reported last February, two people were arrested in London as part of the same investigation: a 50-year-old British man and a 50-year-old Swedish woman.
They would turn out to be innocent.
Investigators had found a tracking number for a package that was displayed on one of the hacked police computers that led them to a London address, but a forensic analysis of the London couple’s devices revealed no connection to the crime. Rather, it would turn out that a British healthcare company’s IP address was used to create an online order… a company that had earlier reported being hacked.
According to court filings, the Secret Service found that the closed-circuit cameras had been hijacked by “non-police” users: users who were sending spam messages laced with ransomware to a long list of email addresses. According to court papers, the computers accessing those targeted email addresses led authorities to Isvanca and Cismaru.
Secret Service agent Brian Kaiser found that 126 of the MPD’s 187 outdoor surveillance cameras were locked from an unspecified ransomware variant. A few of those had been converted into proxies and used to spread additional ransomware and malware attacks.
As the Washington Post reported at the time, investigators managed to wrestle the cameras free over the course of two days by taking the devices offline, removing all software, and restarting the system at each site – all without paying a dime of ransom. The total cost demanded by the attackers was estimated to be $60,800.
Nobody’s physical security was threatened or harmed due to the disruption of the MPD surveillance cameras, the DOJ says.
Cismaru is due to be sentenced on 3 December.
At the time of the Romanian hackers’ arrests, it wasn’t known whether the defendants knew exactly which cameras they were targeting. Bill Miller, a spokesman for US Attorney Jessie K. Liu, said at the time that given the nature of the surveillance, this case was a top priority:
This case was of the highest priority due to its impact on the Secret Service’s protective mission and its potential effect on the security plan for the 2017 Presidential Inauguration.