Nearly two-thirds of the surveillance camera network in Washington, DC, was hijacked by Romanian ransomware suspects
According to foreign media reports on December 22, two of five suspected hackers have been charged with using ransomware to take control of 123 (nearly two-thirds) of the surveillance cameras in Washington, DC. The incident reportedly took place on the eve of the inauguration of U.S. President Trump, and it caused an uproar in the U.S. media. Alongside Europol, the U.S. Secret Service is currently investigating the malware. Agent James Graham provided the U.S. Department of Justice with evidence of cybercrime against the two Romanian hackers, Isvanca and Cismaru.
The two suspects are accused of intruding, on January 9, into 123 of the 187 security cameras deployed in the monitoring system of the Washington DC Metropolitan Police Department (MPDC), which Washington police use to monitor public facilities and public spaces in Washington DC.
To investigate the attacks, Washington Police IT staff and Secret Service agents used Remote Desktop Protocol (RDP) software to connect to a camera-controlling server after confirming on January 12 that some cameras were offline. The server was later found to be running a number of uncommon programs, including two ransomware variants, Cerber and Dharma, and it held a text file named USA.txt. The text file reportedly contains 179,616 e-mail addresses and was used to send spam to the targeted users. During the forensic examination, police found the same text file in the vand.suflete@gmail.com account, which was linked to the two hackers.
The investigating analysts were particularly interested in that mail account, from which they obtained information linked to the Cerber control panel, and concluded that the two hackers had long been using the Cerber ransomware to infect users and extort money. It was also through this e-mail account that the investigators successfully tracked down the hackers Isvanca and Cismaru.
In addition, investigators contacted some of the people and organizations mentioned in the vand.suflete [at] gmail.com e-mail account to determine whether their systems had been compromised. Sources revealed that individual target IP addresses found on infected devices were traced back to a healthcare company in the United Kingdom, and the company confirmed to investigators that user accounts for its eXpressApp Framework (XAF) system had been compromised.
Source: TheRegister