In a federal indictment in New Jersey, five men were charged with conspiring in a worldwide hacking and data breach scheme that targeted major corporate networks, stole millions of credit card numbers and caused hundreds of millions of dollars in losses.
This is the largest data breach to be prosecuted in the U.S. to date, and the investigation to catch the hackers was led by the U.S. Secret Service.
Five defendants -- from Russia and Ukraine -- allegedly sought corporate victims engaged in financial transactions, retailers that received and transmitted financial data, and other institutions with information they could exploit for profit. The list includes: NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa, Jordon, Global Payment, Diners Singapore and Ingenicard.
"Those who have the expertise and inclination to break into our computer networks threaten our economic well-being, our privacy and national security," said U.S. Attorney Paul J. Fishman. "This case shows there's a real practical cost because these types of frauds increase the cost of doing business for every American consumer, every day."
The defendants are charged with spearheading a worldwide hacking conspiracy that victimized a wide array of consumers and entities, causing hundreds of millions of dollars in losses.
In a press statement, the U.S. Attorney's Office revealed the conspirators "unlawfully acquired more than 160 million card numbers through hacking."
Initial entry was often gained via SQL injection exploits. Structured Query Language (SQL) is a programming language designed to manage data held in particular types of databases, and the hackers were able to find and exploit vulnerabilities to infiltrate computer networks.
Once they infiltrated the networks, the defendants placed malware on the system to create a "back door," providing access to the network. In some cases, the hackers lost access to the network due to security efforts, but were able to regain it through persistent attacks.
Instant messages revealed the hackers often targeted the victim companies for months, waiting patiently as their efforts to bypass security were underway. It turns out they had malware planted in several companies' servers for over a year, which allowed them to install "sniffers" to identify, collect and steal data from the networks over a long period of time.
Unmasking the hackers
The five defendants each served particular roles in the scheme, according to the indictment unsealed in Newark federal court and other court filings: Vladimir Drinkman, 32, of Syktyvkar and Moscow, Russia, and Alexandr Kalinin, 26, of St. Petersburg, Russia, each specialized in penetrating network security and gaining access to corporate victims' systems. Roman Kotov, 32, of Moscow, also a hacker, specialized in mining the networks Drinkman and Kalinin compromised to steal valuable data. The hackers hid their activities by using anonymous Web-hosting services provided by Mikhail Rytikov, 26, of Odessa, Ukraine. Dmitriy Smilianets, 29, of Moscow, is charged with selling the information stolen by the other conspirators and distributing the proceeds.
Kalinin and Drinkman were previously charged in New Jersey as "Hacker 1" and "Hacker 2" in a 2009 indictment charging Albert Gonzalez, 32, of Miami, in connection with five corporate data breaches -- including the breach of Heartland Payment Systems Inc., which at the time was the largest known data breach. Gonzalez is currently serving 20 years in federal prison.
The U.S. Attorney's Office for the Southern District of New York announced two more indictments against Kalinin: one charging him in connection with hacking computer servers used by NASDAQ, and a second charging Kalinin and another Russian hacker, Nikolay Nasenkov, with an international scheme to steal bank account information by hacking U.S.-based financial institutions. Rytikov was previously charged in the Eastern District of Virginia for an unrelated scheme. Kotov and Smilianets haven't previously been charged publicly in the U.S.
Drinkman and Smilianets were arrested at the request of the U.S. while traveling in the Netherlands on June 28, 2012. Smilianets was extradited on Sept. 7, 2012, and remains in federal custody. He'll appear in District of New Jersey federal court to be arraigned on the superseding indictment on a date yet to be determined. Drinkman is in custody in the Netherlands, pending an extradition hearing. Kalinin, Kotov, and Rytikov remain at large. All of the defendants are Russian nationals, except Rytikov, who is a citizen of Ukraine.
Do the crime, do the time?
While all of the defendants are innocent until proven guilty, and the charges and allegations in the indictment are merely accusations at this stage, it's entirely possible they'll do some serious time in prison.
The maximum penalty for conspiracy to gain unauthorized access to computers is 5 years and a $250,000 fine, or twice the gain or loss from the offense. Conspiracy to commit wire fraud is steeper: 30 years with a $1 million fine or twice the gain or loss from the offense; unauthorized access to computers: 5 years and a $250,000 fine or twice the gain or loss from the offense; wire fraud: 30 years with a $1 million fine or twice the gain or loss from the offense.