Nasdaq computers the target of Russian hackers, say US prosecutors
Hackers from Russia and the Ukraine stole 160 million credit card numbers, as well as gained access to main servers in stock exchange
A prolific gang of hackers stole and sold 160 million credit card numbers from more than a dozen firms, causing hundreds of millions of dollars in losses, US federal prosecutors charged.
But one company they hacked had nothing to do with credit cards or bank accounts: Nasdaq.
While they penetrated the main servers supporting Nasdaq's trading operations, it appears they caused limited damage. However, the attack raised the prospect that hackers could be getting closer to the infrastructure that supports billions of dollars of trades each hour.
The credit card scheme was run by four Russian nationals and a Ukrainian, said Paul Fishman, the US attorney for the District of New Jersey.
The victims in the scheme, which prosecutors said ran from 2005 until last year, included J.C. Penney, 7-Eleven, Heartland Payment Systems - a credit and debit processing company - and French retailer Carrefour.
The defendants were identified as Vladimir Drinkman, Alexander Kalinin, Roman Kotov and Dmitry Smilianets of Russia and Mikhail Rytikov of Ukraine. Smilianets and Drinkman were arrested in the Netherlands last year. Smilianets has been extradited to the US, where he is expected to make his first court appearance next week. The other three are at large.
Separate indictments involving some of the same men, accusing them of computer attacks on Citibank, PNC Bank and the Nasdaq stock exchange, were filed by federal prosecutors in New York.
The attackers had a sophisticated division of labour, according to the indictment. One hosted an anonymous web server. Others broke into the targeted sites. Another went inside and fetched the items of interest.
The defendants were able to sell US credit card numbers for US$10 and European numbers for US$50 because of the poorer security safeguards on US cards, Fishman said.
He said Heartland Payment Systems had suffered the biggest losses identified so far, about US$200 million.
Kalinin and another Russian, Nikolai Nasenkov, who is also at large, are accused of conducting a scheme to steal bank account information and use it to withdraw millions of dollars from the victims' bank accounts.
Kalinin was also charged with having gained access for two years to the servers of the Nasdaq stock exchange.
"As today's allegations make clear, cybercriminals are determined to prey not only on individual bank accounts, but on the financial system itself," Preet Bharara, the top federal prosecutor in Manhattan, New York, said in announcing the case.
Kalinin had access to the Nasdaq servers, intermittently, until October 2010. Nasdaq discovered the breach itself and alerted the authorities.
Paul Tiao, a former senior adviser on cybersecurity at the FBI, said the Nasdaq breach was worrying because the servers the defendants attacked could have eventually provided an entry point to the more closely guarded trading systems.