Back in January, police acknowledged that a mysterious hack had injected ransomware into Washington DC’s CCTV surveillance system. Now authorities have identified two Romanian suspects they say were responsible for hacking 123 of DC’s 187 surveillance cameras, as part of a broader extortion plan.
A criminal complaint against the two individuals was filed in court last week. An affidavit from Special Agent James Graham of the Secret Service explains how law enforcement traced the ransomware to Mihai Alexandru Isvanca and Eveline Cismaru. It claims the two hackers have been under suspicion for cybercrimes and fraud in Romania and the UK for quite some time. According to Bleeping Computer, both suspects were arrested by Romanian police last week in a crackdown on purveyors of ransomware spam known as Operation Bakovia.
The affidavit claims the hackers gained access to the security cameras and their adjacent dedicated computers on January 9th. After the system had been shut down for four days, Secret Service agents took three of the infected computers away for analysis. They found the hackers were able to take control of the computers remotely after discovering several windows had been left open by the intruders. One of these windows was a browser logged into SendGrid, and it showed an activity feed for several email addresses.
Agents found that the email address used to register the SendGrid account was being used to spam ransomware to 179,616 email addresses. They also discovered that the computer was used to access a separate email address, and after obtaining a warrant they found a list of IP addresses, usernames, and passwords that had been sent to that account from yet another email address. Rooting through the third account, they came across a link to the control panel of a Cerber ransomware operation, as well as PDFs that had been weaponized with ransomware.
This is where things get stupid. The second email account used Isvanca’s primary personal email as a recovery address. The first email was also used to order a pizza to the Bucharest apartment of Ovidiu Alexandru Dan, a man arrested for credit card skimming in 2016. All of the emails were registered from a single IP address in Bucharest that was also implicated in an earlier breach in the UK. The Romanian ISP gave US authorities the info they needed to track down Isvanca.
Authorities were able to identify Cismaru as a co-conspirator because she had also used her personal email to send a list of IP addresses to one of Isvanca’s emails. Since her inbox was full of personal details linked to airlines, credit cards, and other identifying accounts, tracking her down wasn’t difficult.
So the saga of the DC surveillance hack comes down to a couple of people just trying to spread some ransomware, rather than any sort of international espionage, or attempt at tracking the DC elite. But pizza was involved in the manhunt, so that’s pretty great.