Law Enforcement's Winning Week In Cybercrime

Russian hackers cop to Heartland breach and two men are arrested in connection with a major ransomware scheme -- but meanwhile, the hacking beat goes on.

Dark Reading logo in a gray background | Dark Reading

It was a rare good week for law enforcement in the ongoing battle against cybercrime as officials broke open two high-profile cases:  first, two Russian nationals pleaded guilty to their role in the historic data breach in 2008 of Heartland Payment Systems and other companies, and then a pair of Dutch nationals were arrested for their alleged role in a massive ransomware attack campaign.

High-profile prosecutions and arrests of cybercriminals remain few and far between compared with the volume of cybercrime activity worldwide today. While the cases send much-needed signals to the bad guys that cybercrime doesn't always pay, security and law enforcement experts acknowledge that despite the wins, cybercrime remains very much alive and well.

The US Department of Justice announced this week that two Russian nationals who had been arrested in The Netherlands in June of 2012 in connection with the infamous hacking case of payment processor Heartland Payment Systems, NASDAQ -- as well as other processors and retail firms including 7 Eleven, JC Penny, JetBlue -- each separately pleaded guilty to their role in the attacks. The attacks resulted in the theft of some 160 million credit card numbers and over $300 million in losses.

Vladamir Drinkman, 34, of Syktyvkar, Russia, and Moscow, on Tuesday copped to his role in the massive breach campaign, pleading guilty to one count of conspiracy to commit unauthorized access to protected computers, and one count of conspiracy to commit wire fraud.

Assistant Attorney General Leslie R. Caldwell of DoJ's Criminal Division, credited international cooperation as key to Drinkman's ultimate conviction. "As demonstrated by today’s conviction, our close cooperation with our international partners makes it more likely every day that we will find and bring to justice cybercriminals who attack America – wherever in the world they may be," Caldwell said. "As law enforcement around the world responds to the cyber threat that affects us all, I am confident that this type of international cooperation that led to this result will be the new normal."

Yesterday, Dmitriy Smilianets, 32, of Moscow, pleaded guilty to conspiracy to commit wire fraud in a manner affecting a financial institution. Drinkman and alleged cohort Alexandr Kalinin, 28, of St. Petersburg, Russia -- who remains at large -- did the hacking, and Smilianets sold the stolen financial information on behalf of the hacking ring. Smilianets allegedly charged $10 apiece for American credit card number and associated data; $50 for each European credit card number and associated data; and $15 for each Canadian credit card number and associated data. He also offered bulk discounts.

Roman Kotov, 34, of Moscow, who allegedly cased the victim networks for valuable data, and Mikhail Rytikov, 28, of Odessa, Ukraine, who provided anonymous Web hosting services to the attacks, also both remain at large.

[Robert Carr, chairman and CEO of Heartland Payment Systems, says lack of end-to-end encryption and tokenization were factors in recent data breaches. Read Heartland CEO On Why Retailers Keep Getting Breached.]

In the newest hacking case, Dutch police arrested two men from Amersfoot, The Netherlands, for their alleged roles in the CoinVault ransomware attacks that have infected some 1,500 Windows users worldwide. The Dutch Police's National High-Tech Crime Unit used research from Kaspersky Lab and Panda Security to help identify and locate the alleged hackers, ages 18 and 22, behind the attacks. They did not name the suspects publicly.

CoinVault, which attempted to infect tens of thousands of machines mostly in The Netherlands, Germany, France, the UK, and the US, locks victims out of their machines and demands payment in Bitcoins for the decryption of the files. According to Kaspersky's research, the attackers began their campaign back in May of 2014.

The arrests of the alleged ransomware hackers is "a start," says Tony Porras, a cyber security and compliance attorney, who has worked with clients victimized by ransomware infections. "It's good to see some movement" law enforcement-wise against ransomware, he says.

"So far, it's mostly been throwing your hands up in the air and saying 'you'd better have a good backup,'" Porras says.

Kaspersky Lab security researcher Santiago Pontiroli, who has been studying and researching CoinVault since it was first spotted in the wild, says he and his team haven't seen any additional activity since the bust. The CoinVault gang traditionally has been wise to researchers and others investigating them, however: "After the initial report we did" in November of 2014, the gang basically laid low and went into hiding, even removing traces of the Dutch language from their tracks, Pontiroli says. "They didn't release any more samples until April of 2015. It's like they knew someone was watching them."

The good news is that if indeed the CoinVault busts kill the ransomware, at least that one family will be history, according to Pontiroli. "But CoinVault isn't the only ransomware out there," he says. "Ransomware is a rising problem. This is not the end of it, but it shows" cooperation among private industry and law enforcement can help, he says.

It also sends a message to cybercriminals, he says: "This is a crime and you will be prosecuted," he says.

SQL Injection

The first hacker to go down in connection with the Heartland breach was the now-infamous Albert Gonzalez, of Miami, who is serving a 20-year sentence for his role in the breaches of Heartland and four other companies.

The hackers associated with the case -- considered the largest data breach case ever indicted -- hit NASDAQ, 7-Eleven, Carrefour, JC Penny, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore, and Ingeniecard. After infiltrating the victim networks, the attackers sole usernames and passwords, credit and debit card numbers, and other personal information. They disabled victims' security systems from logging their activity to cover their tracks.

Their most frequent first attack vector was a SQL injection attack and then planting backdoor malware. They also employed sniffers to capture data, and ultimately sold the card information to online forums or other individuals.

Jeremiah Grossman, founder of WhiteHat Security, says the hacking ring wasn't particularly innovative in their tactics, with SQL injection, for example, among their favorite hack. "Imagine how much infosec budget dollars in defense they bypassed using well-known techniques," he says.

Both the Heartland and CoinVault case breaks are good news, though, he says. "Less bad guys on the street, so to speak," Grossman says. "But I have to think this is a drop in the bucket, and if not, other groups will take their place rather quickly."

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights