On November 10, 2015, Loretta E. Lynch, Attorney General of the United States and Preet Bharara, U.S. Attorney for the Southern District of New York, unsealed an indictment of three individuals on charges of computer hacking and conspiracy to commit computer hacking. Those charges followed an earlier indictment of the same three, in July 2015, for fraud, identity theft, and conspiracy. The indictments were the result of the investigative work of the FBI and the Secret Service. Two of the above defendants have been apprehended, although one, Joshua Aaron, remains at large.
The indictment relates to thefts of personal information discovered in August of 2014 from institutions including JP Morgan Chase & Co., Scottrade Financial Services Inc., and Dow Jones & Co. as identified by the media. The names and contact information of over 100 million customers of these and other banks, brokerages, and financial news publishers had been stolen: 80 million from one institution alone. The indictment alleges that the stolen information was used by the defendants to manipulate the price of penny stocks for their personal gain.
Beginning in 2012, the defendants are alleged to have overseen and directed network intrusions against a total of 9 separate financial institutions, financial services corporations, and financial news publishers. In each case, a defendant opened an account or registered as a customer using a false identity complete with social security number.
Using overseas networks and unknown agents, the defendants are alleged to have stolen the name and contact information of other customers by using the defendant’s own online login as a point of entry. They were also successful in installing malware which provided them with ongoing access to the computer network of the institution in some cases.
The indictments allege that in 2014, the defendants focused on large financial institutions: identified as Victims 1 to 3. They used a variety of methods, some of which were detected. For example, the defendants attempted to gain access to the secure servers of Victim 3 by attempting to remotely access an account belonging to one of the defendants from an Egyptian based server. The financial institution, however, blocked the remote access and locked the account on the basis that the attempted access was suspicious. Victim 2 was successfully targeted through the “Heartbleed” vulnerability. For a short period of time, the defendants obtained access to the company’s servers and customer lists.
The defendants’ greatest success allegedly came when they accessed the servers and computer systems of Victim 1 in June 2014, through one of the defendant’s accounts. That access allowed them to steal the records of over 83 million customers. Approximately 2 months later, Victim 1 discovered that its customer data had been stolen and cut off the defendants’ access.
The customers, whose data was stolen, were then targeted with stock tips sent via email from twenty or so seemingly unrelated stock promotion websites controlled by the defendants. The indictment alleges that the defendants took great pains to hide their controlling interest in these websites and lied to customers about where their information had been obtained.
The defendants encouraged investors to purchase certain penny stocks which they had “pumped”. Once the price and trading volume of these stocks increased, the defendants would dump their shares for sizeable profits.
The indictments describe a “sprawling criminal enterprise” which employed hundreds of individuals. As the U.S. Attorney for New York stated, “It is no longer hacking merely for a quick payout, but […] hacking as a business model”. As part of this, the defendants used online casinos and bit coin exchange as means of laundering their profits.
If proven, the indictment demonstrates not only the tremendous scope and impact of a cybersecurity breach, but also the extent to which criminals are able to organize themselves to exploit the information stolen, and the diverse uses to which it can be put.