
Second Russian Pleads Guilty in Massive Hacker Attack

Three Other Alleged Conspirators Yet to Be Arrested in Payment Card Scheme

A second Russian has pleaded guilty in connection with the largest U.S. hacking scheme, which resulted in the theft of more than 160 million payment card numbers.


Dmitriy Smilianets, 32, of Moscow, entered his plea Sept. 16, just one day after Vladimir Drinkman, 34, also pleaded guilty, according to the U.S. Department of Justice. Both will be sentenced in January. Smilianets faces up to 30 years in prison, plus a fine, after pleading guilty to a charge of conspiracy to commit wire fraud. Drinkman faces prison terms totaling up to 35 years for two charges.

The scheme, which resulted in hundreds of millions of dollars in losses, affected payments processors Global Payments and Heartland Payment Systems as well as grocery chain Hannaford Brothers and about a dozen other organizations, according to the federal authorities.

Drinkman specialized in penetrating network security and gaining access to the corporate victims' systems, as well as mining networks to steal valuable data, prosecutors allege. Smilianets sold the information stolen by co-conspirators and distributed the proceeds of the scheme to the participants, according to court documents. Two other Russians and a Ukrainian charged in the case have not yet been arrested.

Drinkman and Smilianets were arrested at the request of the United States while traveling in the Netherlands in June 2012. Smilianets was extradited in September 2012, but Drinkman was not extradited until this past February (see: Alleged Russian Mega-Hacker Extradicted). Both had originally entered not guilty pleas.

Drinkman was previously charged in a 2009 indictment charging Albert Gonzalez, 34, of Miami, in connection with five corporate data breaches, including the breach of Heartland Payment Systems, which at the time was the largest ever reported. Gonzalez is serving 20 years in federal prison for those offenses.

Significant Developments

The arrest and conviction of the two Russians were the result of effective international law enforcement collaboration, says Mac McMillan, co-founder and CEO of the information security consultancy CynergisTek Inc. "Without the cooperation and help of other countries, our law enforcement agencies would have a very difficult time bringing international criminals to trial," he says.

McMillan remains hopeful that similar arrests and convictions will be made in the aftermath of other mega-breaches. "These breaches hurt everyone and undermine commerce, so you would think [international] cooperation would be the order of the day," he says. "The problem is, you also have to factor in the geopolitical effect, and, let's face it, we don't have good relations with everyone."

But without a ramping up of breach-related arrests, cyber-attacks are likely to continue to multiply, McMillan argues. "Unless the criminal element believes there is a real risk of apprehension and accountability, there is not much to motivate them to stop."

The length of the prison sentences eventually imposed on the two Russians will depend, in part, on how much information they provided authorities. "I'm sure there was more than just a guilty plea bargained for here," McMillan says. "More important to know is how they did it, who else was involved, where they can be found, etc."

The Conspiracy Allegations

Drinkman allegedly ran a group that included three other Russians and one Ukrainian who were indicted in 2013 for their alleged involvement in the massive payment card fraud scheme.

Between 2005 and 2012, according to court documents, the gang allegedly launched attacks against NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.

The cybercrime group allegedly penetrated the computer networks of several of the corporate victims and stole user names and passwords, credit and debit card numbers and other personal ID information of cardholders, according to the Department of Justice.

The initial entry was often gained using a "SQL injection attack," prosecutors say. The hackers identified vulnerabilities in SQL databases and used those vulnerabilities to infiltrate a computer network. Once the network was infiltrated, the defendants placed malware in the system, creating a "back door" that left the system vulnerable and helped the defendants maintain access to the network. In some cases, the defendants lost access to the system due to companies' security efforts, but they were eventually able to regain access through persistent attacks, federal authorities say.

The alleged conspirators used their access to the networks to install "sniffers," programs designed to identify, collect and steal data from the victims' computer networks, according to court documents. They then used computers worldwide to store the stolen data and sell it to resellers around the world. The buyers sold the data through online forums or directly to individuals and organizations.

Smilianets was in charge of sales, selling the data only to trusted identity theft wholesalers, prosecutors say. He charged approximately $10 for each stolen American payment card number and associated data, approximately $50 for each European card and approximately $15 for each Canadian card, offering discounted pricing to bulk and repeat customers. Ultimately, the end users encoded the data onto the magnetic strip of a blank plastic card and then used it to withdraw money from ATMs or make purchases.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
