Five Eastern European men were indicted Thursday for committing the largest financial hack ever. The five-man hacker crew -- four from Russia and one from Ukraine -- broke into more than a dozen corporations around the world and stole 160 million credit card numbers, usernames, passwords and more personal information over the course of seven years, resulting in the loss of hundreds of millions of dollars.
From 2005 to 2012, the hackers accessed private networks belonging to the Nasdaq stock exchange, Citibank, PNC Bank, Heartland Payment Systems, 7-Eleven, JCPenney, Hannaford Brothers and many more. They were eventually detected by a firm in New Jersey, and U.S. attorneys brought the case to the Department of Justice.
The hackers gained entry to networks through Structured Query Language (SQL) injection attacks. SQL is a language that manages data in a database, and the hackers identified vulnerabilities that gave them access and allowed them to create permanent backdoors to the network. They also installed "sniffers," which identified, collected and stole sensitive data automatically. One attack on Global Payment Systems began in 2011 and resulted in more than 950,000 credit cards stolen and $93 million lost.
The hackers sold the information at rates of $50 for European information and $15 for Canadian information. Apparently U.S. credit cards aren’t worth as much, as the hackers sold them for only $10.
The men have been identified as Vladimir Drinkman, Aleksander Kalinin, Roman Kotov, Dmitriy Smilianets and Mikhail Rytikov. They have been charged with conspiracy to gain unauthorized access to computers, conspiracy to commit wire fraud, wire fraud and unauthorized access to computers. Drinkman and Smilianets were arrested in June 2012 while the other three remain at large.
“NASDAQ is owned,” Kalinin, a 26-year-old resident of St. Petersburg, Russia, said in a January 2008 text message, according to Ars Technica. Kalinin was sending details of his hacks to Albert Gonzalez, a convicted hacker who previously held the record for largest financial hack when he accessed information from 90 million credit cards. Gonzalez is currently serving a 20-year prison sentence and was named an unindicted co-conspirator in this case.
“30 SQL servers, and we can run whatever on them, already cracked admin PWS [passwords] but the network not viewable yet,” Kalinin wrote in another text message. “Those dbs [databases] are hell big [sic.] and I think most of infor is trading histories.”
If convicted on all charges, the hackers each face as many as 70 years in prison.