Feds Indict Five In Massive Credit-Card Data Breach Scheme

[UPDATE: The DOJ press release announcing the indictments named Visa Jordan as one of the victims -- the company is not part of Visa and is now known as Emerging Markets Payments. This article has been updated to reflect that correction to the announcement.]

More alleged cybercriminals behind the record-breaking data breach of Heartland Payment Systems and other companies were named today in newly unsealed federal indictments that reveal more breached organizations. In what federal officials are calling the largest-ever data breach scheme prosecuted in the U.S., five men from Russia and the Ukraine have been indicted for hacking into computers at NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Emerging Markets Payments, Global Payment, Diners Singapore, and Ingenicard.

Most of the breaches began with SQL injection attacks on the victim organizations' databases; once inside, the attackers planted backdoor malware to retain a foothold in the networks, from which they pilfered some 160 million credit card accounts, amounting to hundreds of millions of dollars in financial losses, according to the U.S. Attorney's Office in New Jersey. Three of the victim companies reported $300 million in losses.

"The defendants charged today were allegedly responsible for spearheading a world-wide hacking conspiracy that victimized a wide array of consumers and entities, causing hundreds of millions of dollars in losses," said Mythili Raman, Acting Assistant Attorney General for the Department of Justice's Criminal Division. "Despite substantial efforts by the defendants to conceal their alleged crimes, the Department and its law enforcement counterparts have cracked this extensive scheme and are seeking justice for its many victims."

Two of the defendants named in the indictments unsealed today had also previously been indicted in the Heartland case: Vladimir Drinkman, 32, of Syktyykar and Moscow, Russia, and Alexandr Kalinin, 26, of St. Petersburg, Russia, had been charged as "Hacker 1" and "Hacker 2" in the 2009 indictment against Albert Gonzalez for the breach of Heartland Payment Systems, Hannaford's, 7-Eleven, and two other unnamed retailers. Until now, the Heartland case had been the largest such breach ever reported, federal officials say.

[Albert Gonzalez is only part of the equation in the Heartland Payment Systems breach. See Hacker Ring Tied To Major Breaches Just Tip Of The Iceberg . ]

Drinkman and Kalinin, who allegedly were the experts behind breaking into the victims' networks and systems, are considered major players in the case. "They are extremely well-known in the universe of sophisticated cybercriminals. They are known quantities. If you were making a list of the worst of the worst, those two would be on it," says Jason M. Weinstein, partner with Steptoe & Johnson LLP.

Weinstein, who supervised the Gonzalez case while serving as deputy assistant attorney general of the U.S. Department of Justice's (DOJ) Criminal Division, says identifying such high-level cybercrime operatives as the five named in the latest indictment is huge. "They are not low-level people -- not carders, not cashers, not mules that transfer money after fraud is committed," he says. "People this instrumental to this many major attacks being indicated sends a powerful message."

Many of the hacks occurred as far back as 2007, and the case has taken several years to build: Gonzalez was indicted in 2009 for breaches into Heartland, Hannaford's, 7-11, and two other unnamed companies, and is currently serving a 20-year sentence in federal prison. Of the five newly indicted men, Drinkman and Dmitriy Smilianets, 29, of Moscow, were arrested in June 2012 while traveling in the Netherlands. Drinkman is in custody by Netherlands authorities pending an extradition hearing, and Smilianets, who allegedly sold the stolen data and handled the payment to the members of the scheme, is currently in federal custody in the U.S.

Roman Kotov, 32, of Moscow, was allegedly behind "mining the networks," while Drinkman and Kalinin stole the data, according to the U.S. Attorney's Office. Mikhail Rytikov, 26, of Odessa, Ukraine, provided the perpetrators with anonymous Web hosting services. Kalinin, Kotov, and Rytikov remain at large.

Kalinin also faces additional charges: one for allegedly hacking NASDAQ servers and, in another indictment, for allegedly stealing bank account information from U.S.-based financial institutions. Nikolay Nasenkov of Russia is also named in the financial institution hacking charges.

"Criminal hacking is increasingly capable of obtaining information from any publicly accessible resource, and the focus by organizations, especially those responsible for highly sensitive personal and financial information, must shift away from network and system security design toward information security if they wish to stay ahead of those criminals," says Kevin O'Brien, enterprise solution architect, CloudLock. "We continue to see the same categories of mistakes leading to data breaches: poorly secured databases subject to SQL-injection attacks, website design issues leading to cross-site scripting vulnerabilities, man-in-the-middle and other network-level attacks, and classic social engineering."

Inside The Operation
The alleged attackers named today had infiltrated "multiple" companies' servers for more than a year, according to the U.S. Attorney's Office, and often a victim organization would be targeted over a period of months. They stored the stolen data around computers spread around the globe before selling it off for profit via resellers.

Heading up the sales effort was Smilianets, who sold U.S. credit card numbers and related information for about $10 apiece, $50 for European ones, and $15 for Canadian ones.

The defendants also stole user names and passwords, identification, credit and debit card numbers, and other personal information of cardholders. They used encrypted channels to communicate with one another, and in some cases met one another in person in case law enforcement were able to trace their electronic communications. They remained under the radar within the victim organization networks by evading security software and disabling electronic logging of their activities.

"The hardest part is putting fingers at the keyboard -- identifying them," Weinstein says. And getting to alleged actors in regions infamous for cybercrime is huge, he says.

"One of the things DOJ has gotten very good at over the last few years is getting into U.S. custody the [alleged cybercriminals] who thought they were out of our reach," he says. "What's so incredible about [cybercrime] groups like this is that they are able to work seamlessly across borders and time zones and despite language barriers ... In some cases, they don't actually know [one another's] real names until they see their names in an indictment."

The new charges were announced today by New Jersey U.S. Attorney Paul J. Fishman, as well as Special Agent in Charge James Mottola of the U.S. Secret Service (USSS), Criminal Investigations, Newark Division and Acting Assistant Attorney General for the Department of Justice's Criminal Division Mythili Raman. The Secret Service was the lead in the investigation.

"This type of crime is the cutting-edge," Fishman said. "Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy, and our national security. And this case shows there is a real practical cost because these types of frauds increase the costs of doing business for every American consumer, every day. We cannot be too vigilant, and we cannot be too careful."

The defendants could face anywhere from five to 30 years for a series of charges that include conspiracy to gain unauthorized access to computers, conspiracy to commit wire fraud, unauthorized access to computers, and wire fraud.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.