Washington DC’s surveillance cameras hacked… to send spam

Everything and everybody is hackable – and that includes Big Brother.

That’s one takeaway from a criminal complaint filed last week against two Romanians in the US District Court of Washington DC for allegedly hacking into nearly two thirds of the outdoor surveillance cameras operated by the city’s police department.

According to an 11 December affidavit from US Secret Service Special Agent James Graham, Mihai Alexandru Isvanca and Eveline Cismaru took control of 123 of the 187 cameras used by the Metropolitan Police Department of the District of Columbia (MPDC) for four days, from 9-12 January 2017.

The scheme apparently wasn’t intended to commandeer cameras to spy on the city, however. According to Graham, the two sought to use the internet-connected computers behind the cameras to send “ransomware-laden spam emails.”

And while they made some efforts to cover their tracks, Graham said that email accounts they used…

…reflect not just the ransomware scheme, but in various ways (and through related accounts and activity) ultimately identify ISVANCA and CISMARU as the participants in the conspiracy, including by leading back to email and other online accounts in their own names.

The attack was halted on 12 January after the MPDC’s IT network administrator discovered that multiple cameras had been disabled.

Graham said the administrator used Remote Desktop Protocol (RDP) to show another Secret Service agent that one of the victim computers was running software not installed by the department, and was showing multiple windows that had been opened by the attackers. They included:

  • A window displaying a tracking number for the European shipping company known as “Hermes”.
  • A web browser open at an email delivery website.
  • A Google search page with search results for “email verifier online”.
  • Notepad, showing code for various executable and text files.
  • The splash screen for a variant of ransomware known as “cerber.”

A forensic investigation also showed another ransomware variant on the compromised computers known as dharma (for which, as Naked Security reported in May, decryption keys were released in March), plus a text file that contained 179,616 email addresses.

Graham’s affidavit doesn’t say how successful the ransomware campaign was, but said he and other agents contacted a number of people or companies whose IP addresses had been mentioned in correspondence between the hackers. One of them, “Company M”

…indicated they had experienced an unauthorized network intrusion. COMPANY M provided screenshots reflecting a cerber splashscreen from the period of unauthorized access, as well as multiple other indicators of network intrusion.

Another apparent target, a healthcare company in the UK, told investigators it had “confirmed evidence of unauthorized access to its computer server…”

The US does have an extradition treaty with Romania that was amended and renewed in 2009, but the court did not post the actual complaint, nor did it respond to a question about whether it will seek to have the defendants brought to the US to face trial.

Also no word from the MPDC about what steps they may be taking to make their outdoor surveillance systems more secure.

The complaint came around the same time that, as Naked Security reported Thursday, Romanian police raided seven locations and arrested five suspects for allegedly spreading CTB Locker and Cerber ransomware that they had rented on the Dark Web.


7 Comments

187 cameras in ALL OF DC? What a luxury! In England you might as well assume there are that many cameras between here and the corner shop – we are truly in love with surveillance. If our cameras ever get pwned for spam we’ll all drown in it… though that might ironically end up creating the right sort of attention, hehe.

No, not in all of DC. As the post says, there are 187 cameras “used by the MPDC.” I’m sure there are hundreds more in the seat of the US government …

Is “the seat of the government” itself part of DC or is it some “meta-region” that is distinct again, a special Federal Zone of its own? (Not really a security question, just interested.)

“Also no word from the MPDC about what steps they may be taking to make their outdoor surveillance systems more secure.”…not the way DC is configured.

This was widely reported on in Jan 2017.

Indeed (the date the criminal activity happened is noted in the article), but the story has entered a new chapter now that criminal charges have been filed. It’s moved from the “what” to the “how” and the “whom” (allegedly, of course).

Does anybody know what types of cameras were hacked? Who is the manufacturer?

As far as we know, the hack wasn’t down to the make or vendor of the cameras – the crooks were in the network and were able to take over the cameras as insiders. (Fortunately, this modification seems to have tipped off the sysadmins.)
