Romanian hackers took over Washington’s surveillance system before Trump’s inauguration, prosecutors say

Two-thirds of the US capital’s police cameras were hijacked in the alleged extortion scheme

PUBLISHED : Friday, 29 December, 2017, 9:57am
UPDATED : Friday, 29 December, 2017, 10:12pm

Romanian hackers took over two-thirds of Washington’s outdoor surveillance cameras just before US President Donald Trump’s inauguration, according to a federal criminal complaint unsealed Thursday.

The January attack hijacked 123 of the police department’s 187 outdoor surveillance cameras, leaving them unable to record for several days. Two Romanians, whom law enforcement officials describe as part of a bigger extortionist hacking group, are being charged in US federal court with fraud and computer crimes.

“This case was of the highest priority due to its impact on the Secret Service’s protective mission and its potential effect on the security plan for the 2017 Presidential Inauguration,” a spokesman for US Attorney Jessie K. Liu said in a statement.

Alexandru Isvanca, 25, and Eveline Cismaru, 28, were arrested in Romania earlier this month, along with three other Romanian hackers who will face prosecution in Europe. The US charges, filed under seal on December 11, were first reported by CNN.

Prosecutors plan to seek extradition for Isvanca and Cismaru soon, according to court filings. They both face up to 20 years in prison if convicted.

Isvanca remains in custody in Romania and Cismaru is under house arrest there pending further legal proceedings, the Justice Department said.

On January 12, Washington police noticed that several surveillance cameras were not functioning properly. Secret Service Agent Brian Kaiser was given access to the computers that operate the cameras, according to the court filing, and saw that they had been taken over by non-police users. Those people were sending spam messages infected with ransomware to a long list of email addresses.

The city resolved the problem by taking the devices offline, removing all software and restarting the system at each site, a process that took about two days, according to police. From January 12 to January 15, less than a week before the January 20 inauguration, none of the cameras was able to record video. No ransom was paid.

Prosecutors allege the conspiracy began on January 9.

There is no evidence the disruption threatened or harmed anyone’s safety, according to the US Attorney’s Office.

The intrusion did, however, leave two ransomware variants, called “cerber” and “dharma”, stored on police computers, the statement said.

The two Romanians also intended to email the ransomware to 179,000 email addresses, according to the statement. “The investigation also identified certain victims who had received the ransomware or whose servers had been accessed during the scheme,” it said.

The Secret Service and other agencies “quickly ensured that the surveillance camera system was secure and operational” and the investigation found no subsequent security threats as a result of the scheme.

Ransomware is generally spread in email links or attachments and encrypts files or otherwise locks users out of their computers until they pay to regain access.

It’s unclear whether the hackers knew they were infecting police computers. The Secret Service was able to see the computers accessing multiple email addresses, according to the court papers, and those addresses led authorities to Isvanca and Cismaru.

Two people were arrested in London as part of the same investigation in February.

A tracking number for a package that was displayed on one of the hacked police computers brought law enforcement to their address. But according to the affidavit, a forensic analysis of their devices revealed no connection to the crime. A British health care company’s IP address was used to create that online order; that company also reported being hacked.

Additional reporting by Reuters