Washington, D.C. surveillance cameras. Photo Mix/Pexels

A Romanian man and woman were arrested last week on accusations they hacked into cameras and other outdoor surveillance systems deployed by police in Washington, D.C. in order to spread ransomware.

The two suspects, Mihai Alexandru Isvanca and Eveline Cismaru, were arrested by Romanian authorities as part of a larger law enforcement operation that resulted in the arrest of five people who are believed to have spread the Cerber and Dharma ransomware.

According to an affidavit filed by the United States Secret Service, the Romanian nationals allegedly hacked into 123 of the 197 security cameras operated by the Metropolitan Police Department of the District of Columbia (MPDC) that are used to monitor public spaces around the city.

Each camera is controlled by a dedicated computer, which the suspects compromised after hacking the cameras. The two logged into those machines using Remote Desktop Protocol (RDP) and used them to send spam emails.

Once logged into the computers accompanying the cameras, the attackers used SendGrid—a bulk emailing service—to distribute emails laced with ransomware to as many as 179,616 email addresses. The emails carried a malicious PDF file that concealed the Cerber and Dharma ransomware, which would install on a victim’s machine when the PDF was opened.

The scheme to send the ransomware campaign from police computers began on Jan. 9 and ran uninterrupted until MPDC identified the intrusion on Jan. 12, after it was discovered that some of the cameras had been disabled. The Washington, D.C. police took the system offline for four days, until the network was properly secured on Jan. 15.

At the time, the shutdown of the cameras caught the attention of the media, as it occurred just weeks before the inauguration ceremony of President Donald Trump. There was speculation at the time that the attack may have been the result of nation-state actors, though investigators quickly ruled out that possibility.

While the novel method of spreading ransomware may have worked briefly, the attackers did not take much care to cover their tracks. The U.S. Secret Service was quickly able to identify an email address associated with the SendGrid account used to send the spam messages. The attackers also left a text document containing the full list of email addresses targeted in the campaign on the compromised computers.

Investigators obtained a warrant for two email addresses—david.andrews2005@gmail.com, which was linked to the SendGrid account, and anonimano027@gmail.com, which had been logged into from the police computers—and discovered communications between those accounts and a third account, vand.suflete@gmail.com.

The vand.suflete@gmail.com account sent a list of IP addresses, usernames and passwords to one of the other email addresses. Many of the IP addresses were associated with the MPDC surveillance cameras.

Investigators used that lead to obtain a warrant for the vand.suflete@gmail.com account, in which they found emails containing the ransomware-laced PDF files and the control panels used to manage the attack.

Law enforcement was able to link the three email accounts to Isvanca and Cismaru after it was discovered that Isvanca used his real name and contact information as the recovery information for one of the email accounts. Cismaru likewise used an account with her real information to communicate with Isvanca.