A Russian hacker just admitted his role in the largest known data breach the US ever prosecuted

Advertisement

computer hacking, surveillance, spying

REUTERS/Kevin Lamarque

U.S. Department of Homeland Security employees work during a guided media tour inside the National Cybersecurity and Communications Integration Center in Arlington, Virginia June 26, 2014. Picture taken June 26, 2014.

The Department of Justice announced on Tuesday that a Russian national admitted his role in the largest known data breach conspiracy prosecuted within the US.

Advertisement

According to prosecutors, 34-year-old Vladimir Drinkman admitted to participating in a "worldwide hacking and data breach scheme that targeted major corporate networks, compromised more than 160 million credit card numbers" that "resulted in hundreds of millions of dollars in losses."

Drinkman was charged in February with helping mastermind the plot. He pleaded guilty to one count of conspiracy to commit unauthorized access of protected computers and one count of conspiracy to commit wire fraud. He could not immediately be reached for comment.

Complimentary Tech Event
Transform talent with learning that works
Capability development is critical for businesses who want to push the envelope of innovation.Discover how business leaders are strategizing around building talent capabilities and empowering employee transformation.Know More

Authorities said Drinkman and four co-defendants allegedly "hacked into the networks of corporate victims engaged in financial transactions, retailers that received and transmitted financial data and other institutions with information that the conspirators could exploit for profit."

This allegedly included the networks of major corporations like NASDAQ, 7-Eleven, JetBlue, Dow Jones, Euronet, and others.

Advertisement

An assistant attorney general, Leslie Caldwell, said in a statement that the hacking ring "caused serious harm and more than $300 million in losses to people and businesses in the United States."

"Defendants like Vladimir Drinkman, who have the skills to break into our computer networks and the inclination to do so, pose a cutting edge threat to our economic well-being, our privacy and our national security," added Paul Fishman, New Jersey's US attorney. "The crimes to which he admitted his guilt have a real, practical cost to our privacy and our pocketbooks."

Here's the US government's description of the plot:

The Attacks

According to documents filed in this case and statements made in court, the five defendants penetrated the computer networks of several of the corporate victims and stole user names and passwords, means of identification, credit and debit card numbers and other corresponding personal identification information of cardholders. The conspirators allegedly acquired more than 160 million card numbers through hacking.

The initial entry was often gained using a "SQL injection attack." SQL, or Structured Query Language, is a type of programming language designed to manage data held in particular types of databases; the hackers allegedly identified vulnerabilities in SQL databases and used those vulnerabilities to infiltrate a computer network. Once the network was infiltrated, the defendants allegedly placed malicious code (malware) in the system. This malware created a "back door," leaving the system vulnerable and helping the defendants maintain access to the network. In some cases, the defendants lost access to the system due to companies' security efforts, but were allegedly able to regain access through persistent attacks.

Instant message chats obtained by law enforcement revealed that the defendants allegedly targeted the victim companies for many months, waiting patiently as their efforts to bypass security were underway, sometimes leaving malware implanted in multiple companies' servers for more than a year.

The defendants allegedly used their access to the networks to install "sniffers," which were programs designed to identify, collect and steal data from the victims' computer networks. The defendants then allegedly used an array of computers located around the world to store the stolen data and ultimately sell it to others.

Selling the Data

According to documents filed in this case and statements made in court, after acquiring the card numbers and associated data - which they referred to as "dumps" - the conspirators sold it to resellers around the world. The buyers then sold the dumps through online forums or directly to individuals and organizations. Smilianets was allegedly in charge of sales, selling the data only to trusted identity theft wholesalers. He allegedly charged approximately $10 for each stolen American credit card number and associated data, approximately $50 for each European credit card number and associated data and approximately $15 for each Canadian credit card number and associated data - offering discounted pricing to bulk and repeat customers. Ultimately, the end users encoded each dump onto the magnetic strip of a blank plastic card and cashed out the value of the dump by withdrawing money from ATMs or making purchases with the cards.

Advertisement

Covering Their Tracks

According to documents filed in this case and statements made in court, the defendants allegedly used a number of methods to conceal the scheme. Unlike traditional Internet service providers, Rytikov allegedly allowed his clients to hack with the knowledge he would never keep records of their online activities or share information with law enforcement.

Over the course of the conspiracy, the defendants allegedly communicated through private and encrypted communications channels to avoid detection. Fearing law enforcement would intercept even those communications, some of the conspirators allegedly attempted to meet in person.

To protect against detection by the victim companies, the defendants allegedly altered the settings on victim company networks to disable security mechanisms from logging their actions. The defendants also allegedly worked to evade existing protections by security software.

As a result of the scheme, financial institutions, credit card companies and consumers suffered hundreds of millions of dollars in losses - including more than $300 million in losses reported by just three of the corporate victims - and immeasurable losses to the identity theft victims in costs associated with stolen identities and false charges.

The charges and allegations contained in indictments are merely accusations and the defendants are presumed innocent unless and until proven guilty.

NOW WATCH: People were baffled by 50 sharks circling in shallow waters off the English coast