When hackers took over two-thirds of D.C. police’s surveillance cameras days before the 2017 presidential inauguration, it appeared that the cyberattack was limited to eliciting a single ransom payment.
But court documents show that the alleged scheme that January was far more ambitious.
Federal authorities say two Romanians accused in the hacking planned to use the police department computers to email ransomware to more than 179,000 accounts. That would have allowed them to extort those users as well — and use city government computers to hide their digital tracks. Prosecutors said the alleged hackers had also stolen banking credentials and account passwords, and, using the police computers, could have committed “fraud schemes with anonymity.”
In addition, authorities said they uncovered a separate scheme run by the same people — an allegedly fraudulent business that tricked Amazon’s offices in Great Britain into sending money to the Romanians. (Amazon’s chief executive, Jeffrey P. Bezos, owns The Washington Post.)
The intrusion in the District occurred Jan. 9-12, 2017, and caused 123 of the police department’s 187 surveillance cameras to go dark eight days before Donald Trump was sworn in as president, sparking national security concerns. It appears the timing was a coincidence; prosecutors said the hackers probably did not know that the computers were used by police.
D.C. police say the incident did not affect safety or harm any investigations, but cybersecurity experts said it highlights the digital threat faced by governments and businesses and raises questions about the city’s ability to quickly identify hacking.
“The question we should be asking of police is what controls were lacking and why were they unable to detect such an obvious intrusion,” said Alex Rice, the chief technology officer and co-founder of HackerOne, a California firm that works with companies and the Defense Department to test computer security.
District officials said they are working hard to protect the city against a constant stream of cyberattacks. They did not answer questions specifically about the police cameras, citing the ongoing criminal investigation.
Kevin Donahue, the deputy mayor for public safety, said in a statement that the District’s cybersecurity program “is critical to our public safety, health care, and public education agencies.”
His statement added that “each year, we see more than one billion malicious intrusion attempts, including ransomware, denial of service, and phishing attacks. We are continuously working to improve our cybersecurity defenses to ensure they protect our IT systems from the constantly evolving methods of cyber attacks.”
The U.S. attorney’s office for the District is seeking to extradite Mihai Alexandru Isvanca, 25, from Romania. His alleged accomplice, Eveline Cismaru, 28, has been extradited. She made her initial appearance on Friday in U.S. District Court in Washington.
Prosecutors said Cismaru lacks ties to the United States and fled Romania while appealing a court order to extradite her from there to the United States. Authorities tracked her to London, where she was arrested, prosecutors said in court documents filed Friday.
Isvanca and Cismaru have been charged with fraud and computer crimes and face 20 years in prison if convicted. An attorney for Isvanca did not return calls seeking comment.
Cary Citronberg, who is representing Cismaru, said in a statement that his client has a 2-year-old son in Europe. “We believe Ms. Cismaru belongs back with her son and we are hopeful she will be able to put this ordeal behind her quickly so she can be reunited with her family,” he said.
A hearing in federal court is scheduled for Aug. 16. Cismaru is being detained.
Police say the intrusion was detected only when the alleged hackers shut the system down.
D.C. police said the hack that locked up the system was noticed after a city employee tried to sign on to the computer system that runs the outdoor cameras and saw a “splashscreen.” A notice highlighted in red announced a “cerber ransomware” and warned that “your documents, photos, databases and other important files have been encrypted!”
It said the system could be unlocked with a bitcoin payment of more than $60,000. Cerber and Dharma are two families of ransomware; both had been installed on the police system that runs the cameras. Authorities said the hackers routed emails through the police servers, including some sent to “vand.suflete” on Gmail. The term in Romanian means “selling souls.”
D.C. officials quickly took the closed-circuit TV system offline, removed the software and restarted the cameras. They ignored the ransom demand.
Authorities said they later learned that some of the emails routed through the police computers referenced IP addresses (the numeric address that identifies a computer on a network) that did not belong to systems owned by D.C. police. One was a health-care company in London, authorities said. One browser installed on the police computer had a user name listed as “David Andrew” with a Gmail account of “david.andrews2005.”
In one affidavit filed in the case by the Secret Service, prosecutors say Isvanca and Cismaru also set up a fake company called Lake L. and linked it to Amazon.com.uk. Authorities said investigators found some of the same emails used by the fake company as used by the hackers on the police computers.
When people placed orders with Amazon, the affidavit says, the suspects used stolen credit cards to buy the requested items at another website. Once those items were shipped from the other website, the affidavit says the suspects provided those postal tracking numbers to Amazon, which then released the money paid by the purchasers to the suspects.
Police in Romania and in the United States were able to track various computer IP addresses and email accounts to the suspects, according to the affidavit. One tip came from an online takeout order from Andy’s Pizza, a restaurant in Bucharest.
The person placed an order on Jan. 9, 2017 — the same day the D.C. computers were hacked — using the david.andrews2005 account and giving the clerk the name “Mihai Alexandru,” according to an invoice pulled by police and referenced in the affidavit filed in federal court.
Later, during an interview with investigators, the affidavit says, Isvanca told them that Cismaru lived in a fifth-floor apartment on Strada Bucur, near downtown, which was where the takeout order had originated. That, police said, helped them link the email address to the suspects.
Rice said that police in cyber-investigations try to collect hard evidence such as a paper receipt to make it more difficult for a defendant to argue that someone else had used or hacked a computer. The receipt from Andy’s, Rice said, is probably that type of evidence.
Rice said it appears that U.S. and foreign law enforcement agencies worked well together, but he warned “that we can’t rely on law enforcement as a deterrent” to cybercrimes. “We have got to hold companies and organizations responsible for implementing basic security practices that make it difficult for criminals. They are tempted by this low-level fruit.”