A federal indictment unsealed on Thursday alleges that five Russian and Ukraine nationals conspired in a worldwide hacking and data breach dating back to 2007 that targeted major corporate networks, including U.S. banks and retailers, and led to the capture of more than 160 million credit card numbers.
The U.S. Department of Justice said the theft caused “hundreds of millions of dollars” in losses, making it the largest such scheme ever prosecuted in the U.S. The defendants stole user names and passwords, means of identification, credit and debit card numbers and other personal information.
The U.S. Attorney’s Office for the Southern District of New York also made public two additional indictments against one of the suspects, Alexandr Kalinin, 26, of St. Petersburg, Russia, for targeting the systems of U.S. financial institutions and certain computer services used by Nasdaq (NDAQ).
In the broader scheme, the defendants allegedly targeted corporate victims engaged in financial transactions, including the NASDAQ, 7-Eleven, Visa (V), Discovery Financial Services (DFS), Carrefour, J.C. Penney (JCP), Wet Seal, JetBlue (JBLU) and Dow Jones, among several others.
“The defendants charged today were allegedly responsible for spearheading a world-wide hacking conspiracy that victimized a wide array of consumers and entities, causing hundreds of millions of dollars in losses,” Acting Assistant Attorney General Raman said in a statement.
U.S. Attorney Fishman said the five suspects and other hackers with similar expertise “threaten our economic well-being, our privacy, and our national security.”
Vladimir Drinkman, 32, of Moscow, Russia and Kalinin were allegedly responsible for penetrating network security and gaining access to the corporate victims’ systems. Roman Kotov, 32, of Moscow, specialized in mining the networks, the DOJ said, while the hackers allegedly hid their activity through anonymous web-hosting services provided by Mikhail Rytikov, 26, of Odessa, Ukraine. Dmitriy Smilianets, 29, of Moscow, allegedly sold the stolen information.
Two of the defendants, Kalinin and Drinkman, were previously charged in New Jersey in a 2009 indictment charging Albert Gonzalez, 32, of Miami in connection with five corporate data breaches, including the breach of Heartland Payment Systems (HPY), previously the largest-ever reported. Gonzalez is currently serving 20 years in federal prison.
Drinkman and Smilianets were arrested while traveling in the Netherlands on June 28, 2012. Smilianets was extradited Sept. 7 and remains in federal custody. The remaining subjects, including Kalinin, remain at large.
The additional charges against Kalinin allege he hacked certain computer services used by Nasdaq and conducted an international scheme to steal bank account information by hacking U.S.-based financial institutions.
Accessing Corporate Systems
The initial entry for these hackers was gained using “SQL injection attack,” or Structured Query Language, which is a type of programming designed to manage data held in particular databases.
The DOJ says the suspects infiltrated computer networks by identifying vulnerabilities in SQL databases. Once inside, they would allegedly place malicious code, or malware, on the system, allowing them to continue accessing the system for a lengthy period of time. If kicked out due to a company’s security systems, they would regain access using advanced persistent attacks, often targeting each company for many months. The defendants reportedly had malware implanted in multiple companies’ servers for more than a year.
The stolen data was then sold through online forums or directly to individuals and organizations. Smilianets reportedly charged $10 for each stolen American credit card number and associated data and about $50 for each European credit card number and data. Canadian data was sold for $15. Discount rates were applied when data was bought in bulk, according to the DOJ.
As a result, financial institutions, credit card companies and consumers suffered hundreds of millions of dollars in loses, including more than $300 million from just three unnamed corporate victims alone.
The maximum penalty for one count of conspiracy to gain unauthorized access to computers, which all five are being charged with, is five years in prison with a $250,000 fine, or twice the gain or loss from the offense. The second count of conspiracy to commit wire fraud, which also impacts all five suspects, carries a penalty of 30 years in prison or a $1 million or twice the gain or loss from the offense. The four Russian nationals are also being charged with unauthorized access to computers and wire fraud.