Monday, January 20, 2014

Target Breach considered in light of Drinkman / Gonzalez data breach gang

Everyone is talking about the Target data breach these days, but unfortunately our collective memory is sometimes too short to connect the dots.

Back in August of 2008 this blogger, like so many others, was focused on Albert Gonzalez after the TJX Arrests were made. Attorney General Michael Mukasey said that the message from the arrests was that if you do Data Breaches We Will Arrest You, and We Will Send You To Jail! We followed up that post with a deeper look at two sets of indictments issued at the same time, TJX Update: The Boston Indictments and TJX Update: The San Diego Indictments. (The San Diego ones included the famous hackers Aleksander Suvorov, AKA JonnyHell from Estonia, and Maksym Yastremskiy, AKA Maksik). Maksik and JonnyHell were part of the Dave & Busters Point-of-Sale terminal hacks indicted in May 2008 (23-page Dave & Busters Indictment against Maksik and JonnyHell).

In the Gonzalez case, it was mentioned that his gang had targeted "at least nine major retail corporations: including the TJX Corporation, whose stores include Marshalls and TJ Maxx; BJ's Wholesale Club; Barnes and Noble; Sports Authority; Boston Market; Office Max; Dave & Buster's restaurants; DSW shoe stores; and Forever 21."

But what is perhaps most important is that when it comes to gangs stealing millions of credit cards, there are no one-man operations, or even ten-man operations. These types of breaches are pulled off by crews. We learned much more about Gonzalez's crew in the recently unsealed documents from the case against Vladimir Drinkman, Aleksandr Kalinin, Roman Kotov, Mikhail Rytikov, and Dmitriy Smilianets. The order to unseal the Drinkman et al. case was only given on December 17, 2013. Several items on the docket remain sealed to this day, but one of special interest was the Second Superseding Indictment, which has been unsealed, although several points remain redacted.

Here's what we learn in the Drinkman indictment.

  • Drinkman resided in or near Syktyvkar and Moscow, Russia, and was "a sophisticated hacker, who specialized in penetrating and gaining access to the computer networks of multinational corporations, financial institutions, and payment processors; harvesting data, including, among other things, credit card, debit card, and other customer account information, from within the compromised networks; and exfiltrating that data out of the compromised networks."
  • Kotov resided in or near Moscow, Russia, and "specialized in harvesting data from within the computer networks that Drinkman and Kalinin had penetrated, and exfiltrating that data."
  • Co-conspirators named in the indictment include Albert Gonzalez (segvec), Damon Patrick Toey, and Vladislav Anatolievich Horohorin (BadB).
  • The hacking conspiracy is described as "a prolific hacking organization" "responsible for several of the largest known data breaches" and that it operated "from August 2005 through at least July 2012."
Data breaches that were described as being part of this case include:

  • NASDAQ - (from at least May 2007 - SQL injection led to malware that extracted login credentials from databases)
  • 7-Eleven - (at least August 2007 - SQL injection led to malware that extracted card data from databases)
  • Carrefour S.A. - (2 million credit cards - October 2007 - SQL injection led to malware that extracted card data from databases)
  • JCPenney - (October 2007 - SQL injection led to malware placed on the network that extracted card data from databases)
  • Hannaford Brothers - (4.2 million credit cards - November 2007 - SQL injection led to malware placed on the network that extracted card data from databases)
  • Heartland Payment Systems - (130 million card numbers, estimated losses of $200 million - December 2007 - SQL injection led to malware placed on the network that extracted card data from databases)
  • Wet Seal - (January 2008 - SQL injection led to malware placed on the network that extracted card data from databases)
  • Commidea Ltd. - (30 million credit cards - March-November 2008 - malware was used to extract card data and exfiltrate the data)
  • Dexia Bank Belgium - ($1.7 million loss - February 2008 to February 2009 - SQL injection resulted in malware placed on the network that exfiltrated card data)
  • JetBlue Airways - (January 2008 - February 2011 - malware placed on the network exfiltrated personal data of employees)
  • Dow Jones, Inc. - (2009 - at least 10,000 sets of login credentials stolen via malware placed on the network)
  • "Bank A" - (December 2010 to March 2011 - malware placed on the network of an unnamed bank headquartered in Abu Dhabi, United Arab Emirates, used to facilitate theft of card numbers)
  • Euronet - (2 million cards - July 2010 to October 2011 - SQL injection led to malware that extracted login credentials from databases)
  • Visa Jordan Card Services - (800,000 cards - February 2011 to March 2011 - SQL injection led to malware placed on the network that exfiltrated card data)
  • Global Payment Systems - (950,000 cards - $92.7 million in losses - January 2011 to March 2012 - SQL injection led to malware placed on the network that exfiltrated card data)
  • Diners Club International, Singapore - (500,000 Diners credit cards - $312,000 in losses - June 2011 - SQL injection led to malware placed on the network that exfiltrated card data)
  • Ingenicard US, Inc. - ($9 million in 24 hours - March 2012 to December 2012 - SQL injection resulted in malware placed on the network that was used to facilitate ATM withdrawals)
Although it is true that several of the members named above are now in custody, it is also true that several are NOT in custody.

Given what is known about these previous attacks, might it be reasonable to consider that the Target breach may also be related?

Given the similarity in methods used in ALL of the cases above, what "Lessons Learned" might we hope other retailers and large network owners might be observing?

That's the focus of our latest Malcovery White Paper - "Target Hacker Tools Provide Breach Insight". I hope you'll take a chance to review it.
