The January 2017 ransomware attack that corrupted the Washington, D.C. police department’s surveillance cameras just days before the presidential inauguration was part of a much larger attempt to target thousands of potential victims, federal prosecutors argued last week.
In a motion filed Friday, prosecutors wrote that the two Romanian defendants accused of carrying out the camera hack also plotted to use police computers to send ransomware to more than 179,000 email addresses. Court documents, which were first reported over the weekend by the Washington Post , also claim the defendants ran a phony business on Amazon’s British website.
The case stems from Jan. 12, 2017, when 123 of the D.C. Metropolitan Police Department’s 187 surveillance cameras went dark. Upon investigating, police, assisted by the U.S. Secret Service, found that four storage devices containing footage from the cameras had been infected with a ransomware virus demanding a payment of about $60,000 worth of bitcoin. The cameras were turned back on by Jan. 15, five days before Donald Trump was sworn in, with city officials saying they were able to regain access to the surveillance system without paying the ransom.
Federal prosecutors last December charged two Romanian citizens — Mihai Alexandru Isvanca and Eveline Cismaru — with carrying out the ransomware attack. The pair was charged after investigators linked email accounts that had been accessed by the affected police computers to Isvanca and Cismaru.
Among the files found on the hacked devices was a document titled “USA.txt,” which contained 179,616 email addresses. Investigators also found a tracking number from the European shipping company Hermes, evidence of an account with the bulk email service Sendgrid, and two varieties of ransomware known as “cerber” and “dharma.”
Google records reviewed by investigators found that a Gmail account containing Cismaru’s name sent a file called “USA.txt” to “firstname.lastname@example.org” on January 10, two days before the D.C. police cameras went down, prosecutors wrote in the motion. Investigators found the file received by the david.andrews2005 account was identical the one found on the police system.
The vast trove of email addresses was likely purchased from other hackers who had stolen the data through phishing efforts or other cyberattacks, the motion states. Other information retrieved from Google in the investigation found information pertaining to nearly 3,800 credit card accounts in email accounts linked to the defendants, prosecutors said.
To convert the stolen credit card numbers into cash, the scheme involved the creation of an Amazon store called “Lake L.” Court records show the D.C. Police hackers took an order for a food smoker from a customer known as “R.T.” After taking the order, one of the stolen credit card numbers was used to buy the smoker from a British kitchenware store called Lakeland, and ship it to “R.T.” Upon receipt of the tracking number, Amazon would credit the operators of the store.
Isvanca and Cismaru were both arrested by Romanian police last December, around the time authorities there swept up a larger group of individuals suspected of being behind the “cerber” ransomware.
Cismaru was released on the condition she appear for an extradition hearing, but instead fled Romania for London, where she was arrested March 23. A British court held her without bail until her extradition to the United States. Cismaru, 28, made her first appearance in federal court in D.C. last Friday, when she was ordered to remain in behind bars pending trial.
Isvanca, who admitted his role in the ransomware attack while being questioned by U.S. and Romanian authorities last December, is still in Romanian custody.
Cismaru’s next court appearance is Aug. 16.