Date: 2018-07-24

When hackers took over two-thirds of the D.C. police department’s surveillance cameras days before the 2017 presidential inauguration, it appeared the cyberattack was limited to eliciting a single ransom payment.

But court documents show the alleged scheme that January was far more ambitious.

Federal authorities say two Romanians accused in the hacking planned to use the police department computers to email ransomware to more than 179,000 accounts. That would have allowed them to extort those users as well — and use D.C. government computers to hide their digital tracks. Prosecutors said the alleged hackers had also stolen banking credentials and account passwords, and, using the police computers, could have committed “fraud schemes with anonymity.”

In addition, authorities said they uncovered a separate scheme run by the same people — an allegedly fraudulent business that tricked Amazon’s offices in Great Britain into sending money to the Romanians. (Amazon’s chief executive, Jeffrey P. Bezos, owns The Washington Post.)

The intrusion in the District occurred from Jan. 9 through Jan. 12, 2017, and caused 123 of the police department’s 187 surveillance cameras to go dark eight days before Donald Trump was sworn in as president, sparking national security concerns. It appears the timing was a coincidence; prosecutors said the suspects most likely did not know the computers they allegedly hacked were used by police.

Federal court documents show Eveline Cismaru, 28, of Romania, has been charged with committing fraud and computer crimes in the hacking of D.C. police cameras. (U.S. District Court for the District of Columbia)

While D.C. police say the incident did not impact safety or harm any investigations, cybersecurity experts said it highlights the digital threat faced by governments and businesses and raises questions about the city’s ability to quickly identify hacking.

“The question we should be asking of police is what controls were lacking and why were they unable to detect such an obvious intrusion,” said Alex Rice, the chief technology officer and co-founder of HackerOne, a California firm that works with companies and the U.S. Department of Defense to test computer security.

District officials said they are working hard to protect the city against a constant stream of cyberattacks. They did not answer questions specifically about the police cameras, citing the ongoing criminal investigation.

Kevin Donahue, the deputy mayor for public safety, said in a statement that the District’s cybersecurity program “is critical to our public safety, health care, and public education agencies.”

His statement added that “each year, we see more than one billion malicious intrusion attempts, including ransomware, denial of service, and phishing attacks. We are continuously working to improve our cybersecurity defenses to ensure they protect our IT systems from the constantly evolving methods of cyber attacks.”



Mihai Alexandru Isvanca, 25, of Romania, has been charged with committing fraud and computer crimes in the hacking of D.C. police cameras. (U.S. District Court for the District of Columbia)

The U.S. attorney’s office for the District is seeking to extradite Mihai Alexandru Isvanca, 25, from Romania. His alleged accomplice, Eveline Cismaru, 28, has been extradited, and made her initial appearance Friday in U.S. District Court in Washington.

Prosecutors said Cismaru lacks ties to the U.S. and fled Romania while appealing a court order to extradite her from there to the U.S. Authorities tracked her to London, where she was arrested, prosecutors said in court documents filed Friday.

Isvanca and Cismaru have each been charged with fraud and computer crimes and face 20 years in prison if convicted. An attorney for Isvanca did not return calls seeking comment.

Cary Citronberg, who is representing Cismaru, said in a statement that his client has a 2-year-old son in Europe. “We believe Ms. Cismaru belongs back with her son and we are hopeful she will be able to put this ordeal behind her quickly so she can be reunited with her family,” he said.

A hearing in federal court is scheduled for Aug. 16. Cismaru is being detained.

Police say the alleged hackers were detected only when they shut the system down.

D.C. police said the hack that locked up the system was noticed after a city employee tried to sign on to the computer system that runs the outdoor cameras and saw what is called a “splashscreen.” A notice highlighted in bright red announced a “cerber ransomware” and warned that “your documents, photos, databases and other important files have been encrypted!”

It said the system could be unlocked with a bitcoin payment that would amount to more than $60,000. Cerber and “dharma” are two types of ransomware programs. Both had been downloaded onto the police computer system that runs the cameras. Authorities said the hackers routed emails through the police servers, including some sent to vand.suflete on Gmail. The term in Romanian means “selling souls.”

D.C. officials quickly took the closed-circuit TV system offline, removed the software and restarted the cameras. They ignored the ransom demand.

Authorities said they later learned some of the emails routed through the police computers referenced IP addresses (a computer’s unique address) that did not include systems owned by D.C. police. Authorities said one was a health-care company in London. One browser downloaded onto the police computer had a user name listed as “David Andrew” with a Gmail account of “david.andrews2005.”

In one affidavit filed in the case by the U.S. Secret Service, prosecutors say Isvanca and Cismaru also set up a fake company called “Lake L.” and linked it to Amazon.com.uk. Authorities said investigators found some of the same emails used by the fake company as used by the hackers on the police computers.

When people placed orders with Amazon, the affidavit says the suspects used stolen credit cards to buy the requested items at another website. Once those items were shipped from the other website, the affidavit says the suspects provided those postal tracking numbers to Amazon, which then released the money paid by the purchasers to the suspects.

Police in Romania and in the United States were able to track various computer IP addresses and email accounts to the suspects, according to the affidavit. One tip came from an online takeout order from a restaurant in Bucharest, Andy’s Pizza.

The person placed an order on Jan. 9, 2017 — the same day the D.C. computers were hacked — using the david.andrews2005 account and gave the clerk the name, “Mihai Alexandru,” according to an invoice pulled by police and referenced in the affidavit filed in federal court.

Later, during an interview with investigators, the affidavit says Isvanca told them that Cismaru lived in a fifth-floor apartment on Strada Bucur, near downtown and where the takeout order had originated. That, police said, helped them link the email address to the suspects.

Rice said that police in cyber investigations like to collect what they call “hard evidence,” such as a paper receipt, to make it more difficult for a defendant to argue that someone else had used or hacked the computer. The receipt from Andy’s Pizza, Rice said, appears to be that type of evidence.

Rice said it appears that U.S. and foreign law enforcement agencies worked well together, but he warned “that we can’t rely on law enforcement as a deterrent” to cybercrimes. “We have got to hold companies and organizations responsible for implementing basic security practices that make it difficult for criminals. They are tempted by this low-level fruit.”