Washington DC Surveillance Hackers Arrested

By Brian Karas, Published Dec 29, 2017, 08:56am EST

The US Department of Justice has announced that "Two Romanian Suspects Charged With Hacking of Metropolitan Police Department Surveillance Cameras in Connection with Ransomware Scheme" that occurred in January 2017.

IPVM initially covered the technical details in March 2017 examining Washington DC MPD's Surveillance Equipment.

In this note, we examine the criminal complaint affidavit, new information provided and the role the vendors involved, including Avrio and Genetec, had on this hack. 

Recorders **** *** ********** *******

** ********* ********* *********, *** ****** ******* claimed *** *** ******** used ****** ********* ** launch ** ***** **** campaign ** ********** **********. The ********** ******* **** launched **** *** *********** machines ** ** ******* by *** ******* ** disguise ***** ****** ******** and **** ** ****** to ** ****** ** authorities.

Hackers *** ********** ** ************ *** *******

***** ** ** ******** that ****** ** *** hackers ************ ********* ************ equipment, ** *******, *** *** they **** *** ******** in *** **** ** recorded ***** ** *** recorders. ** ** ****** the ******* **** ******* the ******* **** ***** and ******** ** *** MPD *** **** *** city ************, ** *** they **** ***** ** this, **** ***** **** likely ****** ** *** machines **** ***** ** less ****** ** ***** an ************* ********.

Equipment ****

** ********* ** ********** ** ***'* ************ Equipment, *** ******* ********** of *** ****** ****:

Integrator *****

*****, *** **********/*** **** built *** ******* **** by *** *** *********** ** ******* ** 2014. *********** *********, ***** ********** ********** as "the ******'* ******* ******** of **-************ ********* **** wireless ********", *** "********** results": 

****** ***********, **************, *** similar **********-******** ********* **** Avrio's ****** ******** ****.

Remote ******* ****** ********* *******

*** (****** ******* ********) was **** ** *** hackers *** ****** ******* of *** ****** *********. Having *** ********* ** the *******, *** *** blocked ** * ******** was ****** *** ******'* primary ********** ** ********* these *******. ** ***** frequented ** *****-*********, *** Secret ******* ***** *** following **** ** *** of *** *******, ******* for "*********" ** ******** with *** *******:

Low **** ******* **** ** ***** *******

********** *** ******* **** caught ** ***** ******** found ** **** ** the ****** *********, *** tracing ***** ******** **** by **** *******. *** Secret ******* *** **** to link ***** ***** ******** to ***** ********, *** access ** ******* **** Google *** ***** *********, ***** ultimately *** **** ** the ******* ****** ********** and *********. ***** ** the *********** ** *** Secret ******* ******, *** hackers **** ********, *** not *********, ***** ** conceal ***** ********** *** location, *** **** ******** primarily ******* ***** *******, and *** *** ****** of *** **** ** high **** ******** *******.

************, ******* ******** ** logs *** *********** **** on *** *********, *** Secret ******* *** **** to ******** **** ******* of *** *******, *** contacted ***** ******* ** retrieve ********** ******* **** helped ** ******** *** hackers:

Responsibility ** ******* *** ***********

***** **** ********* * fundamental ****** ********:

  • ******* ******* *** *** ********** with ******* ******** *** accounts ** *** ******* OS, ******** *** ******* to **** ****. ******* *** since ******* ******** **** ******* settings *** *** ********** the **** *** ********* to ****** ********* *************** for ***** ******* [**** no ****** *********].
  • *** ******* **** **** publicly ********** *** *** not *** * ***, a ******* ********* ** the*********** ******* ****. *** *** ****** video ************ ******, *** certainly *** ** *******, exposing *** ******* ** public ****** *** * major *******. *****'* ***** led ********* ** ******* that **** **** ********** best-in-class *** *******-***** ********* optimized *** **** ******** applications, **** ** **** they ******** ******* **** multiple *************** ******* *** unchanged ******* ******** *** lack ** ****** ************.

Comments (8)

Undisclosed #1

IPVMU Certified | 12/29/17 06:24pm

There is no evidence that points to the hackers specifically targeting surveillance equipment, or Genetec, nor did they have any interest in the live or recorded video on the recorders.

Yes, just targeting Windows.

Undisclosed Integrator #2

In reply to Undisclosed #1 | 12/29/17 07:48pm

I would say it was targeting stupidity, or laziness, more than Windows. How long would you guess it has been since those Server have been updated? 

Undisclosed Integrator #3

01/01/18 07:14am

This will probably be enough to get my boss to listen to me.  Thanks for sharing.  

Avatar

John Day

01/02/18 03:42pm

I'm floored that the customer didn't require the contractor to use a VPN and that the hackers used rdp to get in - that's almost as low tech as using default passwords!

At what point do we actually use the word "negligent"? What I'd love to know is whether there was anything in the specification requiring any baseline of network security or whether this was purely the integrator leaving the system open.

Unfortunately whoever is at fault would probably claim (correctly) that this is an accepted practice in the security business.

Undisclosed #1

IPVMU Certified | In reply to John Day | 01/02/18 04:04pm

Do you think an exposed rdp port is more or less vulnerable than a cameras exposed http port?

Avatar

Scott Napier

In reply to Undisclosed #1 | 01/02/18 04:15pm

I would say they are close to no different, but RDP is probably scanned for more frequently which means is it probably more of a vulnerability if my assumption is correct.  

Undisclosed Integrator #3

In reply to John Day | 01/02/18 04:17pm

I would argue that depending on a contractor to secure your critical networks is a bad idea from the start.  You should have competent professionals on staff to not only enforce standards on these contractors, but also to test what they install and verify it meets all appropriate protective measures.  

Avatar

John Day

01/02/18 04:56pm

Both are an issue - if the bad guy knows rdp vulnerabilities then he can probably get everything he needs to know off a service like Shodan. A hack using rdp would likely give the bad guy full control of the system in question - a hack of a camera would usually only give you access to the device.

Which is more vulnerable? Based on a quick Shodan search, cameras are certainly more plentiful... a rdp hack would be more destructive.

The issue with this is that anything (like RDP) that isn't essential to the operation of the system should be blocked by the firewall. 

 

Read this IPVM report for free.

This article is part of IPVM's 6,803 reports, 913 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports