According to a federal indictment made public yesterday in a Department of Justice Press Release, five foreign nationals are charged with conspiring in a worldwide hacking and data breach scheme that targeted major corporate networks, stole more than 160 million credit card numbers and resulted in hundreds of millions of dollars in losses to businesses and the victims of identity theft. This is the largest identity theft scheme ever prosecuted in the United States.
The DOJ press release says, “The defendants allegedly sought corporate victims engaged in financial transactions, retailers that received and transmitted financial data and other institutions with information they could exploit for profit. The defendants are charged with attacks on NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.”
The defendants charged yesterday “were allegedly responsible for spearheading a worldwide hacking conspiracy that victimized a wide array of consumers and entities, causing hundreds of millions of dollars in losses,” said Acting Assistant Attorney General Raman.
Two of the men “were previously charged as “Hacker 1” and “Hacker 2” in a 2009 indictment charging Albert Gonzalez, 32, of Miami, in connection with five corporate data breaches – including the breach of Heartland Payment Systems Inc., which at the time was the largest breach ever reported. Gonzalez is currently serving 20 years in federal prison for those offenses.”
According to the press release and court documents, “the five defendants allegedly conspired with others to penetrate the computer networks of several of the largest payment processing companies, retailers and financial institutions in the world, stealing the personal identifying information of individuals. They allegedly took user names and passwords, means of identification, credit and debit card numbers and other corresponding personal identification information of cardholders. The conspirators are alleged to have unlawfully acquired more than 160 million card numbers through hacking.”
“Court documents allege that the initial entry was often gained using a “SQL injection attack.” SQL, or Structured Query Language, is a type of programming language designed to manage data held in particular types of databases; the hackers identified vulnerabilities in SQL databases and used those vulnerabilities to infiltrate a computer network. Once the network was infiltrated, the defendants allegedly placed malicious code, or malware, on the system. This malware created a “back door,” leaving the system vulnerable and helping the defendants maintain access to the network. In some cases, the defendants lost access to the system due to companies’ security efforts, but they were able to regain access through persistent attacks.”
“Communications obtained by law enforcement reveal the defendants often targeted the victim companies for many months, waiting patiently as their efforts to bypass security were underway. The defendants allegedly had malware implanted in multiple companies’ servers for more than a year.”
“The defendants are alleged to have used their access to the networks to install “sniffers,” which were programs designed to identify, collect and steal data from the victims’ computer networks. The defendants then allegedly used an array of computers located around the world to store the stolen data and ultimately sell it to others.”
After acquiring the card numbers and associated data, the conspirators allegedly sold them to resellers around the world. One of the defendants was allegedly in charge of sales, vending the data only to trusted identity theft wholesalers.
According to the press release and court documents, they “charged approximately $10 for each stolen American credit card number and associated data, approximately $50 for each European credit card number and associated data and approximately $15 for each Canadian credit card number and associated data – offering discounted pricing to bulk and repeat customers.”
“Court documents allege that as a result of the scheme, financial institutions, credit card companies and consumers suffered hundreds of millions in losses, including more than $300 million in losses reported by just three of the corporate victims and immeasurable losses to the identity theft victims in costs associated with stolen identities and false charges.”
The men charged include, “Vladimir Drinkman, 32, of Syktyvkar and Moscow, Russia, and Alexandr Kalinin, 26, of St. Petersburg, Russia, each allegedly specialized in penetrating network security and gaining access to the corporate victims’ systems. Roman Kotov, 32, of Moscow, allegedly specialized in mining the networks Drinkman and Kalinin compromised to steal valuable data. Court documents allege that the defendants hid their activities using anonymous web-hosting services provided by Mikhail Rytikov, 26, of Odessa, Ukraine. Dmitriy Smilianets, 29, of Moscow, allegedly sold the information stolen by the other conspirators and distributed the proceeds of the scheme to the participants.”
“This type of crime is the cutting edge,” said U.S. Attorney Paul J. Fishman. “Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy, and our national security. And this case shows, there is a real practical cost because these types of frauds increase the costs of doing business for every American consumer, every day. We cannot be too vigilant and we cannot be too careful.”
According to the DOJ Press Release, “Drinkman and Smilianets were arrested at the request of the United States while traveling in the Netherlands on June 28, 2012. Smilianets was extradited on Sept. 7, 2012, and remains in federal custody. Kalinin, Kotov and Rytikov remain at large.”
“If convicted, the maximum penalties for the charged counts are: five years in prison for conspiracy to gain unauthorized access to computers; 30 years in prison for conspiracy to commit wire fraud; five years in prison for unauthorized access to computers; and 30 years in prison for wire fraud.”
“The charges and allegations contained in the indictment are merely accusations, and the defendants are considered innocent unless and until proven guilty.”