Russian hackers infiltrated the corporate networks of some of the largest US corporations over a seven-year period, stealing more than 160 million credit-card numbers and hundreds of millions of dollars, the largest such scheme ever prosecuted in the United States, said federal authorities unveiling the indictments Thursday.
Targeting corporations that were specifically engaged in financial transactions, the hackers stole data that allowed them to reproduce fake cards they were able to sell or later use to withdraw money from ATMs worldwide.
Among the 15 businesses allegedly hit by the four Russian and one Ukrainian hacker from August 2005 to July 2012: 7-Eleven, JCPenney, JetBlue, and Dow Jones. One of the Russians was also charged separately with hacking into the business-operation servers of the NASDAQ stock exchange from 2008-10 and manipulating data. But that hack did not reach the exchange’s trading platform where stocks are bought and sold, authorities said.
Law enforcement officials touted the case as a significant step forward in demonstrating their ability to crack a difficult cybercrime operation involving crooks who took extensive steps – including using encrypted communications – to keep their identities and operations secret.
“This type of crime is the cutting edge,” said Paul Fishman, US Attorney for New Jersey, announcing the indictments. “Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy, and our national security.”
Losses hit $300 million for companies in the US in Europe, not including losses incurred by identity-theft victims, authorities said.
Two of the hackers, Russians Vladimir Drinkman and Dmitriy Smilianets, were arrested by Dutch police at the request of the US while they were traveling in the Netherlands in 2012. Mr. Smilianets was extradited to the US. Mr. Drinkman is in custody in the Netherlands pending extradition hearing. The remaining three, Russians Roman Kotov and Alexandr Kalinin and Ukrainian Mikhail Rytikov, remain at large.
After downloading card numbers and related data, the conspirators resold the data to theft wholesalers worldwide. Smilianets charged roughly $10 for each stolen American credit-card number and its data, $50 for each European credit-card number and data, and $15 for each Canadian credit-card number and its associated data. Discount pricing was given to bulk and repeat customers.
The buyers of the stolen data then encoded individual card data onto the magnetic strip of a blank plastic card and then withdrew money from ATMs or made purchases with the cards.
Separately, Mr. Kalinin is also charged with hacking into the NASDAQ stock exchange’s business servers. From November 2008 through October 2010, he is alleged to have installed malicious software, or malware, that enabled him and others to secretly access the infected NASDAQ servers and execute commands “including commands to delete, change or steal data.”
It’s unclear from the indictment just what Kalinin was doing on the NASDAQ server. But such direct attacks on financial exchanges are part of a growing trend, the World Federation of Exchanges reported this month. Some 53 percent of group’s member exchanges reported that they had endured a cyberattack in the past year. In a few cases, denial-of-service cyberattacks – which flood the systems with fake requests in order to overload servers – forced trading to halt briefly, although trading platforms have not been directly breached, the WFE report said.
Cybersecurity experts worry that the trend could become a far worse threat than credit-card thefts.
“The worst cyber threats that the financial sector will soon be facing may not be thefts of money,” wrote Scott Borg, director and chief economist of the US Cyber Consequences Unit, a think tank advising government, in a recent report.
Future cyberattacks could target the information that financial service corporations and their clients use “to create and capture value and to maintain market integrity,” he wrote. “Some of the new cyber attacks will simply aim to steal this information. Others will attempt to alter or manipulate it to create business and market effects.”
Law enforcement authorities echoed that view Thursday.
“As today’s allegations make clear, cyber criminals are determined to prey not only on individual bank accounts, but on the financial system itself,” said Manhattan US Attorney Preet Bharara in a statement.
The depth of that threat was laid out in the 2010 book “Cyber War” by Richard Clarke, former counterterrorism chief under two presidents.
A Wall Street chief executive officer told him: “It is confidence in the data, not the gold bullion in the basement of the New York Fed, that makes the world financial markets work.”