DOJ Arrests Hackers Who Took Over DC Surveillance Cameras

The United States Department of Justice (DOJ) announced that, in coordination with the Romanian National Police and other EU and U.S. law enforcement agencies, it arrested two Romanians who hacked into 123 surveillance cameras belonging to the Metropolitan Police Department (MPD) in Washington DC. According to the DOJ, the hacking was done as part of a ransomware scheme.

The two Romanians, Mihai Alexandru Isvanca, 25, and Eveline Cismaru, 28, were caught at the Otopeni airport in Bucharest, Romania, on December 15, as they were trying to leave the country. Isvanca has remained in custody with the local police, while Cismaru is under house arrest pending further legal proceedings.

According to the DOJ, the U.S. Secret Service was first alerted about the hack on January 12 of this year, a few days before President Trump’s inauguration ceremony. The agents from the Washington Field Office started an investigation and discovered that the cameras had been compromised only three days earlier, on January 9, and that the two hackers were also spreading “Cerber” and “Dharma” ransomware variants on MPD’s computers.

The agents also learned of a scheme to distribute the ransomware to 179,000 email addresses. They were also able to identify some of the victims of the hackers’ ransomware attacks, but the DOJ noted that the hack on the surveillance cameras didn’t impact anyone’s physical safety. The Secret Service and the MPD were able to quickly secure the affected cameras before the Presidential Inauguration.

The DOJ said that the maximum sentence for conspiracy to commit wire fraud in the U.S. is 20 years, but that for now the defendants are presumed innocent until the trial concludes. The DOJ also seems to imply that the trial will occur in the U.S. and that the Romanian government will extradite the two, similarly to how it extradited Guccifer in 2016.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • bit_user
    Well, it's good that they were caught, but embarrassing to the camera vendor and the MPD that the cameras and computers were hacked.

    Some of these cameras have operational lives of like 10 years, meaning even if perfectly secure firmware were released today, the cameras in the wild which haven't received updates would remain a vulnerable part of the infrastructure for quite some time.

    BTW, they're basically little computers - like Raspberry Pi's - so compromised cameras can actually be used in bot nets and as stepping stones to attack or swamp other elements of physical security infrastructure.
  • Wisecracker
    Two Romanians. With Moose. And, Squirrel.

    Reboot. 127 times.
    (problem marked solved)
  • velocityg4
    I wonder how the law works for this. While the maximum sentence is 20 years. Is it 20 years per count? Does each camera constitute a separate attempt to collude in wire fraud?

    If they are guilty. It seems this would not be the first time. If they did this. There are likely many more crimes they could be nailed for. Depending on what gets found on their computers.
  • cin19
    @Wisecracker Sorry, I accidentally pressed the down-vote button.

    <That's OK, I fixed it for ya. --- Ex Bub>