Five men from Russia and Ukraine have been indicted in New Jersey for charges they conspired with each other in a worldwide hacking scheme targeting major corporate networks that compromised more than 160 million credit card numbers, the U.S. Department of Justice announced.
The men allegedly attacked the networks of several companies, including Nasdaq, 7-Eleven, JCP, Dow Jones and Hannaford, the DOJ said. Companies reported $300 million in losses from the attacks, the DOJ said in a press release.
Charged in an indictment unsealed Thursday in U.S. District Court for the District of New Jersey were Vladimir Drinkman, 32, of Syktyykar and Moscow, Russia; Alexandr Kalinin, 26, of St. Petersburg, Russia; Roman Kotov, 32, of Moscow; Mikhail Rytikov, 26, of Odessa, Ukraine; and Dmitriy Smilianets, 29, of Moscow.
Drinkman and Kalinin allegedly specialized in penetrating network security and gaining access to the corporate victims’ systems, while Kotov allegedly specialized in mining the compromised networks to steal data, the DOJ said. The defendants hid their activities using anonymous Web-hosting services provided by Rytikov, while Smilianets allegedly sold the information stolen by the other conspirators and distributed the proceeds of the scheme to the participants.
The five compromised networks for nearly five years, between mid-2005 and mid-2012, according to court documents.
“This type of crime is the cutting edge,” Paul Fishman, U.S. attorney for the District of New Jersey, said in a statement. “Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy, and our national security. And this case shows, there is a real practical cost because these types of frauds increase the costs of doing business for every American consumer, every day.”
Kalinin and Drinkman were previously charged in New Jersey as “Hacker 1” and “Hacker 2” in a 2009 indictment charging Albert Gonzalez, 32, of Miami, in connection with five corporate data breaches, including the breach of Heartland Payment Systems, which at the time was the largest breach ever reported. Gonzalez is currently serving 20 years in federal prison for those offenses.
The U.S. Attorney’s Office for the Southern District of New York on Thursday announced two additional indictments against Kalinin. One charges him in connection with hacking certain computer servers used by Nasdaq and a second indictment charged Kalinin and another alleged Russian hacker, Nikolay Nasenkov, with an international scheme to steal bank account information by hacking U.S.-based financial institutions.
Rytikov was previously charged in the Eastern District of Virginia with an unrelated scheme. Kotov and Smilianets have not previously been charged publicly in the U.S.
Drinkman and Smilianets were arrested at the request of the DOJ while traveling in the Netherlands on June 28, 2012. Smilianets was extradited on Sept. 7, 2012, and remains in federal custody. Kalinin, Kotov and Rytikov remain at large.
The five defendants allegedly conspired with others to penetrate the computer networks of several of the largest payment-processing companies, retailers, and financial institutions, stealing the personal identifying information of individuals. They allegedly took user names and passwords, other means of identification, and credit and debit card numbers, the DOJ said.
How it worked according to the DOJ
The attackers often gained initial entry into a corporate network through an SQL injection attack, the DOJ alleged. The hackers identified vulnerabilities in SQL databases and used those vulnerabilities to infiltrate a computer network. Once the network was infiltrated, the defendants allegedly placed malware on a network, creating a back door that allowed further access. In some cases, the defendants lost access to the system due to companies’ security efforts, but they were able to regain access through persistent attacks.
The defendants often targeted victim companies for many months, with the DOJ saying they waited “patiently” as their efforts to bypass security were under way.
After acquiring the card numbers and related data, the conspirators allegedly sold it to resellers around the world, the DOJ alleged. The buyers then allegedly sold the so-called dumps through online forums or directly to individuals and organizations.
Smilianets was allegedly in charge of sales charging approximately $10 for each stolen U.S. credit card number and associated data and approximately $50 for each European credit card number and approximately $15 for each Canadian credit card number.
If convicted, the maximum penalties for each of the counts are: five years in prison for conspiracy to gain unauthorized access to computers; 30 years in prison for conspiracy to commit wire fraud; five years in prison for unauthorized access to computers; and 30 years in prison for wire fraud.
This article was updated on July 26 to correct the number of credit cards hacked.