Skip to content ↓ | Skip to navigation ↓

A U.S. district court has charged two Romanians with hacking 65 percent of the computers that control Washington DC’s surveillance camera network.

An affidavit (PDF) filed with the United States District Court for the District of Columbia on 11 December alleges that the two suspects, Mihai Alexandru Isvanca and Eveline Cismaru, did “knowingly and with intent to defraud, access protected computers without authorization and by means of such conduct to further their intended fraud and to obtain something of value.” It also accuses them of maintaining an “intent to extort from persons money and other things of value.”

Forensic evidence gather by the United States Secret Service (USSS) indicates that the two Romanians are most likely responsible for compromising the computers that help control 123 of the 187 surveillance cameras operated by the Metropolitan Police Department of the District of Columbia (MPDC) around 9 January 2017. USSS learned of the compromise from the MPDC and via Remote Desktop Protocol (RDP) connected to one of the compromised computers. On that unit, agents discovered opened desktop windows, including one window opened to SendGrid showing an activity feed for multiple email addresses, that the MPDC had not initiated.

Further investigation revealed that those responsible for compromising the surveillance camera computers were abusing those units in tandem with SendGrid to send out spam email laden with two types of crypto-ransomware: Cerber and Dharma. A txt file found on the compromised computer contained 179,616 email addresses of potential victims alone.

Ultimately, USSS analysts determined that multiple email accounts had accessed the compromised computer between 9 January and 12 January. They traced those accounts back to Gmail accounts operated by Isvanca and Cismaru. Both of those accounts had sent and/or received information pertaining to more than 1,500 credit cards.

This isn’t the first time that public cameras have been involved in a ransomware attack. In June 2017, 55 traffic and speed cameras in the state of Victoria, Australia, suffered an infection at the hands of  WannaCry ransomware. Redflex Traffic Systems, which operates the cameras, subsequently applied software patches on the vulnerable cameras.

As of this writing, it’s remains unclear what method those responsible for compromising the DC camera computers used to hack the systems.

U.S. authorities issued an international arrest warrant for Isvanca and Cismaru, who were arrested in Bucharest while trying to leave the country. They’re believed to be part of a Romanian computer criminal circle that launched a parallel ransomware campaign involving CTB-Locker. Three other members of that group have also been detained.