US capital's surveillance cam network allegedly hijacked by Romanian ransomware suspects

Charges filed against pair coincide with arrests abroad

Two of the five unnamed individuals cuffed this month in Romania on suspicion of spreading ransomware face US computer crime charges – for their alleged role in taking over 123 out of 187 networked computers that control Washington DC's CCTV cameras earlier this year.

According to Europol, which led the arrests, this week, two of those arrested are suspected of attacking American computer systems using the Cerber ransomware. The Euro plod noted that the US Secret Service is also investigating those malware infections.

In an affidavit obtained by CNN – unsealed by mistake and then resealed – Secret Service agent James Graham laid out the basis for the US Department of Justice's computer fraud case against two Romanian nationals, Mihai Alexandru Isvanca and Eveline Cismaru.

In an email to The Register, a justice department spokesperson confirmed the linkage of the arrests and the US court filing. "These are separate but related investigations and the people you name are among those arrested by Europol," the spokesperson said. "Any court documents are not publicly available."

In other words, the Isvanca and Cismaru nabbed in Romania by police as suspected Cerber ransomware extortionists are the Isvanca and Cismaru accused in the US of attacking the American capital's CCTV camera system.

Traffic cameras

Graham described how around January 9, 2017, and January 12, 2017, the pair, as part of an alleged ransomware scheme, took control of the networked Windows computers used by the Washington DC Metropolitan Police to run their traffic cameras.

On January 12, having recognized that some of the cameras were offline, DC police IT staff and a Secret Service agent used Remote Desktop Protocol (RDP) software to connect to one of the servers controlling the cameras.

They observed the device with a number of open desktop windows running unexpected software. The windows displayed: a tracking number for a European shipping company, Hermes; a browser window with a Sendgrid account with activity for multiple email addresses; a browser window with Google search results for "email verifier online"; a browser window for; a desktop window with a notepad program showing programming code and text files; and a window showing the splash screen for Cerber ransomware.

The IT administrator subsequently blocked network access for the compromised device, which was subsequently removed, along with two other computers, for forensic analysis.

Investigators determined that two ransomware variants, Cerber and Dharma, had been installed on the computers. They also found a text file, USA.txt, that contained 179,616 email addresses, used to spam intended ransomware victims. A text file with the same checksum was subsequently found in an email account associated with one of the defendants.

Among the various email addresses used in the scheme, analysts identified as being of particular interest. According to Graham, the Romanian phrase "vand suflete" translates to "selling souls" in English.

Remote control

Graham explained that records for that Gmail address obtained from Google included a message with a link to what is believed to be a Cerber control panel. Allegedly, Isvanca and Cismaru were renting access to Cerber in order to infect victims, scramble their files, and extort money from them to restore the data.

"In my training and experience, within the Cerber business model, the owner and creator of the Cerber malware leases out Cerber resources to affiliates (essentially, customers)," he explained in the court filing. "A Cerber control panel is a website that allows a Cerber affiliate to control the Cerber framework without having access to the source code, thereby allowing the owner and creator to retain for themselves the intellectual property of the malware and thus to generate additional income from other affiliates."

The Europol release calls this "crime-as-a-service."

Tracing the connections across the various email accounts led to Isvanca and Cismaru.

Investigators contacted some of the people and organizations mentioned in the email account to determine whether their systems had been compromised. An unnamed company, confirming that it had been hacked, responded with screenshots of the Cerber splash page on its systems.

The Hermes shipment tracking number seen on one of the compromised DC computers was traced to an address in London, UK, but an inquiry by the UK National Crime Agency found no evidence the recipients were involved in the ransomware scheme.

UK healthcare biz hacked

The IP address used to create the order, found on a DC computer, was traced to a UK healthcare company. That IP address was also found in an email in the account.

The company, which confirmed to investigators that a user account on its eXpressApp Framework (XAF) system had been compromised, is left unnamed in the affidavit. A quick lookup of the IP address indicates that it is associated with the Newcastle office of healthcare firm WellWork Ltd, a name that's also spelled out in what appears to be an RDP connection string in the court filing.

The various email accounts and IP addresses, cross-references with fraud databases, provided enough details to ask Romanian officials for further digital data linked to the defendants.

Facebook and YouTube posts helped too. Graham said that in his experience, people often make slight alterations to their social media accounts to disguise their identities. Those alterations proved insufficient to hide from investigators. ®

Similar topics

Other stories you might like

  • Prisons transcribe private phone calls with inmates using speech-to-text AI

    Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

    In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

    A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

    In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

    Continue reading
  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading
  • American diplomats' iPhones reportedly compromised by NSO Group intrusion software

    Reuters claims nine State Department employees outside the US had their devices hacked

    The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

    NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

    "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

    Continue reading

Biting the hand that feeds IT © 1998–2021