Guilty: The Romanian ransomware mastermind who infected Trump inauguration CCTV cams

Mediocre malware operator 'fesses up to DC infection

A Romanian woman has admitted running a ransomware operation from infected Washington DC's CCTV systems just days before President Trump was sworn into office in the US capital.

Eveline Cismaru, 28, pled guilty this week to one count of conspiracy to commit wire fraud, and one count of conspiracy to commit computer fraud, after hacking into 123 of the 187 high-tech CCTV cameras dotted around the city. The hijacked devices, used by DC's Metropolitan Police Department, then spammed up to 180,000 email addresses with ransomware-laden messages.

Police figured out something was wrong after checking CCTV systems ahead of the swearing in of America’s 45th president in January 2017. Each of their CCTV units consists of a camera attached to a Microsoft Windows-powered computer, and the cops noticed that these machines weren’t acting as they should. When they probed one device, they could it was running multiple unexpected applications, and had browser tabs open.

According to district court documents [PDF] the computers were not just spreading ransomware via email, they were infected themselves with variants of the Cerber and Dharma file-scrambling nasties, which demanded $60,800 in Bitcoin to regain control of the 100+ camera network. The extortion notices appeared in the open browser windows.

hacker

No, the Mirai botnet masters aren't going to jail. Why? 'Cos they help Feds nab cyber-crims

READ MORE

The plod found on one diseased machine a list of 179,616 email addresses in the US that were being bombarded with spam containing the malware. The infection was cleaned up within five days – then the Secret Service decided to take an interest in the network intrusion.

“This case was of the highest priority due to its impact on the Secret Service’s protective mission and its potential effect on the security plan for the 2017 Presidential Inauguration,” the US Department of Justice said in a statement to The Register.

“Due to the rapid response by investigators and MPD’s Chief Technology Office, the overall security of the 2017 Inauguration was not impacted by this event. The Secret Service and MPD quickly ensured that the surveillance camera system was secure and operational prior to the Inauguration and continued to investigate the criminal offenses.”

Fortunately for the investigators, Cismaru and her accused accomplices weren’t the sharpest tools in the box. They used personal Gmail accounts to orchestrate their campaign, and had accessed them from one of the infected CCTV controller PCs. A forensic analysis of the device revealed these addresses. When the Feds, ahem, brought these to Google's attention, the web giant agreed to help, and handed over enough account information to lead investigators back to Cismaru and Mihai Alexandru Isvanca, 25.

Both were arrested on December 15 last year, and Cismaru was quickly extradited to the US from Romania. Her compadre is still in that nation for the moment. If convicted, she is looking at a maximum of 25 years behind bars. ®




Biting the hand that feeds IT © 1998–2018