London-Based Romanians Busted in Bucharest Accused of Cerber Ransomware Attacks
Two Romanians recently arrested in Bucharest as part of a roundup of alleged ransomware attackers have been named as suspects in a U.S. indictment (see Police Bust Five Ransomware Suspects in Romania).
London-based Mihai Alexandru Isvanca, 25, and Eveline Cismaru, 28, both Romanian nationals, have been charged with wire fraud, conspiracy, computer crime and extortion, according to a Dec. 11 affidavit obtained by CNN. The affidavit was apparently unsealed by mistake before being resealed.
The affidavit, written by James Graham, a U.S. Secret Service special agent, supports a criminal complaint against Romanian nationals Isvanca and Cismaru. They have been accused of distributing ransomware via spam emails. Between Jan. 9 and Jan. 12, the affidavit alleges, the pair participated “in an intrusion into and taking control of approximately 123 internet-connected computers used by the Metropolitan Police Department (MPDC) of the District of Columbia to operate surveillance cameras in public, outdoor areas in the District of Columbia.”
The 123 hacked surveillance cameras accounted for two-thirds of the 187 internet-connected surveillance cameras operated by the MPDC.
The affidavit doesn’t accuse the Romanian pair of having seized the CCTVs to shut them down. Rather, it says the hacked computers attached to the internet-connected cameras served as launch pads for Cerber ransomware attacks against others.
In the past week, as part of Operation Bakovia, authorities in Romania arrested five individuals on suspicion of launching ransomware attacks. Three have been charged with launching CTB Locker ransomware attacks.
Two others from the same alleged gang were arrested in the Romanian capital of Bucharest on suspicion of infecting U.S. systems with Cerber ransomware. “After the U.S. authorities issued an international arrest warrant for the two suspects, they were arrested the day after in Bucharest while trying to leave the country,” Europol, the EU’s law enforcement intelligence agency, said earlier this week.
The U.S. Secret Service was running its own investigation into the Cerber attacks and has now merged it with the CTB Locker investigation, Europol says.
The Justice Department did not immediately respond to a request for comment. But a spokeswoman confirmed to The Register that Isvanca and Cismaru were arrested this past week as part of Operation Bakovia.
“These are separate but related investigations and the people you name are among those arrested by Europol,” the Justice Department told The Register. “Any court documents are not publicly available.”
DC Surveillance Cameras Hacked
The U.S. Secret Service affidavit says agents pieced together the identities of the two Cerber suspects by tracing a number of email addresses that were recovered from hacked systems.
The U.S. Secret Service first learned around Jan. 12 that some of the MPDC public surveillance cameras in Washington had been disabled, apparently because they had been crypto-locked by Cerber. “Each disabled camera was controlled by a dedicated computer installed immediately adjacent to the camera and connected to a larger network and one or more servers operated by MPDC,” Graham writes, adding that the systems were all designed to be remotely accessed.
Working with a U.S. Secret Service agent, an MPDC IT administrator remotely logged into one of the disabled surveillance camera computers using the Remote Desktop Protocol (RDP) and found evidence that the system had been hacked. “The opened desktop windows on Victim Device A included (a) a window displaying a tracking number for the European shipping company known as ‘Hermes’; (b) a web browser window open to https://app.sendgrid.com showing an activity feed for multiple email addresses; (c) a Google search page with search results for ‘email verifier online’; (d) a browser window open to emailx.discoveryvip.com; (e) another window for a notepad program showing code for various executable files and text files; and (f) a window showing the splash screen for a variant of ransomware known as ‘cerber,’” Graham writes.
The U.S. Secret Service says it subjected three of the hacked computers to digital forensic analysis and found that they had been infected by both Cerber ransomware and Dharma, a variant of the older ransomware called CrySiS. The systems also included a text file called USA.txt that contained 179,616 email addresses, apparently to be used to send spam with attached ransomware to victims via the legitimate app.sendgrid.com bulk email service (see Ransomware Onslaught Continues: Old Foes, New Defenses).
Operational Security Fail
Graham’s affidavit says that investigators found that two webmail addresses had been accessed by whoever had remotely logged into the hacked computers: email@example.com and firstname.lastname@example.org. The latter account had received two welcome messages confirming that a new account with the username “tommy tommy” had been activated on the cybercrime forum IFUD.WS, he writes. A Jan. 11 post to the forum from that account included the subject line “Cerber one of the best ways to make money in 2017,” written in English, while the body of the post read: “Looking for and rdp suppliers who wants to work for cerber virus on a good % Add me for more details tommy.tommy@jabber,” according to the affidavit (see Hackers Exploit Weak Remote Desktop Protocol Credentials).
Investigators also found that the IP addresses, usernames and passwords for 94 of the hacked MPDC cameras had been sent from email@example.com – “vand suflete” is Romanian for “selling souls” – to firstname.lastname@example.org, according to the affidavit. The latter account also “included multiple email exchanges with email@example.com.”
On Jan. 10, firstname.lastname@example.org sent the USA.txt file to email@example.com, and the MD5 checksum of the file matched the one that had been uploaded to the hacked MPDC computer, according to the affidavit.
Those emails and others tied to the accounts had also been used to send or receive information pertaining to more than 3,800 payment cards, the affidavit states.
Feds: Email Address Ties to Pizza Delivery
On Jan. 9, the firstname.lastname@example.org email account received an invoice from a pizza restaurant, reflecting a delivery to ‘mihai alexandru’ at an address in Bucharest, the affidavit notes. “Additional USSS research on the address revealed that the individual residing at the address since 2013 was Ovidiu Alexandru Dan,” who was “arrested in 2016 by Bucharest law enforcement for skimming-related crimes” (see ATM Hackers Double Down on Remote Malware Attacks).
The U.S. Secret Service affidavit also says that the U.K.’s National Crime Agency reported that a fraud database query on email@example.com showed the address was associated with Mihai Alexandru Isvanca’s name and had been flagged as suspicious because the billing and shipping addresses submitted for online transactions hadn’t matched.
Meanwhile, the affidavit says that firstname.lastname@example.org had received “airline booking receipts and tickets, emails regarding potential housing, and an application for a driver’s license in the United Kingdom” as well as Airbnb communications, all in the name of Eveline Cismaru.