By Paul G. Nittoly, Ronald A. Sarachan, Andrew Egan, and Jessica D. Khan
On July 25, 2013, the United States Attorney for the District of New Jersey announced indictments against five men alleging their participation in a global hacking and data breach scheme in which more than 160 million American and foreign credit card numbers were stolen from corporate victims, including retailers, financial institutions, payment processing firms, an airline, and NASDAQ. The scheme is the largest of its kind ever prosecuted in the United States.
The Second Superseding Indictment alleges the defendants (four Russian nationals and one Ukrainian national) and other uncharged co-conspirators targeted corporate victims’ networks using “SQL [Structured Query Language] Injection Attacks,” meaning the hackers identified vulnerabilities in their victims’ databases and exploited those weaknesses to penetrate the networks. Once the defendants had access to the networks, they used malware to create “back doors” to allow them continued access, and used their access to install “sniffers,” programs designed to identify, gather and steal data.
Once the defendants obtained the credit card information, they allegedly sold it to resellers all over the world, who in turn sold the information through online forums or directly to individuals and organizations. The ultimate purchasers encoded the stolen information on blank cards and used those cards to make purchases or withdraw cash from ATMs.
The defendants allegedly used a number of methods to evade detection. They used web-hosting services provided by one of the defendants, who unlike traditional internet service providers, did not keep records of users’ activities or share information with law enforcement. The defendants also communicated through private and encrypted communication channels and tried to meet in person. They also changed the settings on the victims’ networks in order to disable security mechanisms and used malware to circumvent security software.
Four of the defendants are charged with unauthorized access to computers (18 U.S.C. §§ 1030(a)(2)(C) and (c)(2)(B)(i)) and wire fraud (18 U.S.C. § 1343). All of the defendants are charged with conspiracy to commit these crimes.
Two of the defendants have been arrested, with one in federal custody and the other awaiting an extradition hearing. The other three defendants, two of whom have been charged in connection with hacking schemes, remain at large.
This conspiracy is noteworthy for its massive scale, and for the patience the hackers demonstrated in siphoning data from the networks. The U.S. Attorney “conservatively” estimates more than 160 million credit card numbers were compromised in the attacks, and alleges that the hackers had access to many victims’ computer networks for more than a year. Many prominent retailers were targets, including convenience store giant 7-Eleven, Inc.; multi-national French retailer Carrefour, S.A.; American department store chain JCPenney, Inc.; New England supermarket chain Hannaford Brothers Co.; and apparel retailer Wet Seal, Inc. Payment processors were also heavily targeted, including one of the world’s largest credit card processing companies, Heartland Payment Systems, Inc., as well as European payment processor Commidea Ltd.; Euronet, Global Payment Systems and Ingenicard US, Inc. The hackers also targeted financial institutions such as Dexia Bank of Belgium, “Bank A” of the United Arab Emirates; the NASDAQ electronic securities exchange; and JetBlue Airways. Damages are difficult to estimate with precision, but they total several hundred million dollars at least. Just three of the corporate victims suffered losses totaling more than $300 million.
This indictment provides another reminder of the increasing threat from cyber-attacks and the need to have systems in place to prevent and respond to such attacks.