Incident: Hackers Target D.C. Police Surveillance Cameras with Ransomware

Published Date: 2017-12-29

Postmortem Analysis
Timeline
1. The software failure incident involving the hacking of D.C. police surveillance cameras occurred in January 2017, as reported in [Article 73651].
2. The same article dates the intrusion specifically to Jan. 9-12, 2017.
System
1. D.C. police surveillance cameras system [73651, 66216]
2. Police department computers used for surveillance cameras [73651]
3. Cerber and Dharma ransomware programs [73651, 66216]
Responsible Organization
1. Hackers from Romania were responsible for causing the software failure incident involving the D.C. police surveillance cameras [73651, 66216].
Impacted Organization
1. D.C. police department's surveillance cameras [73651, 66216]
2. Amazon's offices in Great Britain [73651]
Software Causes
1. Ransomware attack using Cerber and Dharma malware on the police department's computers, causing the surveillance cameras to go dark [73651, 66216]
2. Hackers gaining unauthorized access to police computers to send ransomware to over 179,000 email accounts [73651]
3. Use of police department computers to commit fraud schemes and hide digital tracks [73651]
4. Theft of banking credentials and account passwords by the hackers [73651]
Non-software Causes
1. Lack of controls and detection mechanisms to identify the intrusion promptly [73651]
2. Failure to protect against a constant stream of cyberattacks [73651]
3. Alleged fraudulent business scheme targeting Amazon's offices in Great Britain [73651]
4. Use of stolen credit cards to buy items and manipulate Amazon orders [73651]
Impacts
1. The hacking of D.C. police surveillance cameras caused 123 out of 187 cameras to go dark just eight days before Donald Trump's presidential inauguration, raising national security concerns [73651].
2. The hackers intended to use the police department's computers to email ransomware to over 179,000 accounts, potentially extorting money from those users and using city government computers to hide their tracks [73651].
3. The incident highlighted the digital threat faced by governments and businesses, emphasizing the need for robust cybersecurity measures that detect and stop such intrusions quickly [73651].
4. The ransomware attack led to the shutdown of the closed-circuit TV system, requiring removal of the malicious software and a restart of the cameras; officials ignored the ransom demand [73651].
5. The hackers also engaged in a separate fraudulent scheme that tricked Amazon's offices in Great Britain into sending money to them, showing the extent of their criminal activity beyond the initial ransomware attack [73651].
6. The perpetrators faced charges of fraud and computer crimes, with a potential prison sentence of 20 years if convicted, demonstrating the serious legal consequences of such cybercrimes [73651].
7. The incident also involved the creation of a fake company linked to Amazon.com.uk, through which stolen credit cards were used to purchase items and receive money from Amazon, showing the complexity and scale of the fraudulent activity [73651].
8. The successful extradition and legal proceedings against the accused hackers demonstrated international cooperation in cybercrime investigations and the importance of holding individuals accountable for such malicious activity [73651].
Preventions
1. Implementing robust cybersecurity measures and controls to detect and prevent unauthorized access to critical systems, such as surveillance cameras, could have prevented the software failure incident [73651].
2. Regularly updating and patching software systems to address known vulnerabilities and prevent exploitation by hackers could have helped prevent the ransomware attack on the police department's computers [73651].
3. Conducting thorough security audits and assessments to identify and address weaknesses in the IT infrastructure could have potentially prevented the hackers from gaining access to the surveillance camera system [73651].
4. Providing cybersecurity training and awareness programs for employees to recognize and report suspicious activities, such as phishing attempts, could have helped in preventing the initial intrusion by the hackers [66216].
5. Collaborating with international law enforcement agencies and sharing threat intelligence to track and apprehend cybercriminals across borders could have deterred the hackers and prevented similar incidents in the future [66216].
Fixes
1. Implementing stronger cybersecurity measures to prevent unauthorized access and hacking attempts [73651, 66216]
2. Regularly updating and patching software systems to address vulnerabilities that could be exploited by hackers [73651]
3. Enhancing monitoring and detection capabilities to quickly identify and respond to security breaches [73651]
4. Educating employees on cybersecurity best practices to prevent social engineering attacks and phishing attempts [73651]
5. Collaborating with law enforcement agencies and international partners to track and apprehend cybercriminals responsible for such incidents [73651, 66216]
References
1. Court documents [Article 73651]
2. Federal authorities [Article 73651]
3. Prosecutors [Article 73651]
4. D.C. police [Article 73651]
5. Cybersecurity experts [Article 73651]
6. Alex Rice, the chief technology officer and co-founder of HackerOne [Article 73651]
7. Kevin Donahue, the deputy mayor for public safety [Article 73651]
8. U.S. attorney's office for the District [Article 73651]
9. Cary Citronberg, attorney representing Cismaru [Article 73651]
10. Secret Service [Article 73651]
11. Investigators [Article 73651]
12. Online sources [Article 73651]
13. Europol [Article 66216]
14. UK's National Crime Agency [Article 66216]
15. Romanian police [Article 66216]
16. Dutch High Tech Crime Unit [Article 66216]

Software Taxonomy of Faults

Category Option Rationale
Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident related to the hacking of Washington DC police computers linked to surveillance cameras happened again within the same organization. The incident occurred in January 2017 when hackers compromised the police department's surveillance cameras just days before President Trump's inauguration. Two Romanians were charged with hacking into the system and attempting a ransomware scheme [73651].
(b) Additionally, similar incidents involving ransomware attacks have occurred at other organizations. Three other suspects were arrested in Romania in a linked investigation into ransomware, where they were suspected of infecting computers with CTB-Locker malware. This investigation involved the UK's National Crime Agency and Europol, indicating a broader issue of ransomware attacks affecting multiple organizations [66216].
Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident in Article 73651 was primarily due to design factors introduced by the system development and operation. The incident involved hackers taking over D.C. police surveillance cameras through a cyberattack, which was a result of vulnerabilities in the system design that allowed the hackers to access the cameras and deploy ransomware [73651].
(b) The software failure incident in Article 73651 was also influenced by operation factors introduced by the misuse of the system. The hackers were able to exploit the system by sending ransomware to over 179,000 accounts using the police department computers, indicating a failure in the operation and security measures of the system [73651].
Boundary (Internal/External)
Option: within_system
Rationale:
(a) within_system: The software failure incident involving the hacking of D.C. police surveillance cameras was primarily a within-system failure. The incident was caused by the hackers gaining unauthorized access to the police department's computers and installing ransomware on them, leading to the cameras going dark. The hackers also used the police computers to carry out fraudulent schemes and hide their digital tracks [73651, 66216]. The failure originated from within the system itself, as the hackers exploited vulnerabilities in the police department's computer network to execute their malicious activities.
Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident in Article 73651 was primarily due to non-human actions. Hackers took over two-thirds of D.C. police's surveillance cameras by deploying ransomware on the police department's computers, causing the cameras to go dark just days before the presidential inauguration [73651]. The ransomware locked down the files and demanded payment in exchange for unlocking them, indicating a non-human action leading to the software failure incident.
(b) However, human actions were also involved in the incident. The two Romanians accused of the hacking planned to use the police department computers to email ransomware to over 179,000 accounts, showing deliberate human actions to carry out the cyberattack [73651]. Additionally, the suspects set up a fake company to trick Amazon's offices into sending money to them, demonstrating human involvement in the fraudulent activities [73651].
Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) The software failure incident occurring due to hardware:
- The software failure incident involving the D.C. police surveillance cameras was primarily caused by a hack orchestrated by two Romanians who accessed the camera computers and installed ransomware on them [73651, 66216].
- The hackers targeted the police department computers to email ransomware to over 179,000 accounts, intending to extort money from the victims [73651].
- The hackers managed to access 123 outdoor surveillance cameras through the compromised police computers, causing them to go dark just days before President Trump's inauguration [66216].
- The hackers used two variants of malicious computer code, known as "cerber" and "dharma," to carry out the ransomware attack on the police computers [66216].
(b) The software failure incident occurring due to software:
- The software failure incident was primarily caused by the installation of ransomware on the police department computers, which originated from a cyberattack orchestrated by the hackers [73651, 66216].
- The ransomware locked down the files on the police computers, demanding payment in exchange for unlocking them [73651].
- The hackers used the police computers to route emails, including some sent to specific Gmail accounts, as part of their fraudulent schemes [73651].
- The incident highlighted the digital threat faced by governments and businesses, emphasizing the importance of cybersecurity defenses against evolving cyber attacks [73651].
Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The software failure incident in this case was malicious. The incident involved hackers taking over two-thirds of D.C. police's surveillance cameras through a cyberattack with the intent to extort money from users by sending ransomware to more than 179,000 accounts [73651, 66216]. The hackers also engaged in fraudulent activities, such as tricking Amazon's offices in Great Britain into sending money to them [73651].
(b) The incident was not non-malicious as it was a deliberate cyberattack orchestrated by the hackers to gain financial benefits and hide their digital tracks using city government computers [73651, 66216].
Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) The intent of the software failure incident was primarily driven by poor decisions made by the hackers involved in the cyberattack on the D.C. police's surveillance cameras. The hackers, two Romanians, planned to use the police department computers to email ransomware to more than 179,000 accounts in order to extort money from the users and hide their digital tracks [73651]. They also engaged in a separate fraudulent scheme to trick Amazon's offices in Great Britain into sending money to them [73651]. The hackers were detected only when they shut down the system after locking it up with ransomware, indicating their intent to extort money [73651].
(b) The software failure incident could also be attributed to accidental decisions or unintended consequences. The hackers may not have been aware that the computers they targeted were used by the police, as the intrusion occurred days before Donald Trump's presidential inauguration and caused national security concerns [73651]. Additionally, the timing of the cyberattack was described as a coincidence, suggesting that the hackers may not have intentionally targeted the police department's surveillance cameras for malicious purposes [73651].
Capability (Incompetence/Accidental)
Option: accidental
Rationale:
(a) The software failure incident in Article 73651 was not due to development incompetence but rather a deliberate cyberattack by hackers who accessed D.C. police computers and surveillance cameras [73651].
(b) The software failure incident in Article 73651 was accidental in the sense that the D.C. police computers were hacked by the Romanian individuals, leading to the surveillance cameras going dark, and the ransomware attack was not intentionally caused by the police or the development organization [73651].
Duration
Option: temporary
Rationale:
(a) The software failure incident in the D.C. police surveillance cameras due to the hack by the Romanian hackers was temporary. The intrusion occurred from January 9-12, 2017, causing 123 out of 187 surveillance cameras to go dark just days before Donald Trump's presidential inauguration [73651]. The hackers used ransomware to lock down the system and demanded a bitcoin payment to unlock it. However, D.C. officials quickly took the closed-circuit TV system offline, removed the software, and restarted the cameras, ignoring the ransom demand [73651].
(b) The software failure incident in the D.C. police surveillance cameras was also temporary as it was caused by specific circumstances introduced by the hackers. The hackers accessed the surveillance cameras as part of a suspected ransomware scheme, intending to send ransomware to over 179,600 email addresses and extort money from victims [66216]. The perpetrators placed two variants of malicious computer code on three police computers, known as "cerber" and "dharma," which are types of ransomware programs [66216].
Behaviour
Option: crash, omission, value, other
Rationale:
(a) crash: The software failure incident in Article 73651 resulted in a crash as it caused 123 of the police department's 187 surveillance cameras to go dark, leading to a loss of functionality and performance [73651].
(b) omission: The software failure incident in Article 73651 can also be categorized as an omission failure as the hack resulted in the surveillance cameras omitting to perform their intended functions of monitoring and recording due to being locked up by ransomware [73651].
(c) timing: The timing of the software failure incident in Article 73651 is notable as it occurred eight days before Donald Trump was sworn in as president, raising national security concerns. The incident was considered coincidental as prosecutors believed the hackers probably did not know that the computers were used by the police [73651].
(d) value: The software failure incident in Article 73651 can be classified as a value failure as the system was performing its intended functions incorrectly after being infected with ransomware, leading to the encryption of files and a demand for payment in exchange for unlocking the computers [73651].
(e) byzantine: The software failure incident in Article 73651 does not exhibit characteristics of a byzantine failure.
(f) other: The software failure incident in Article 73651 also involved fraudulent activities beyond the ransomware attack, such as tricking Amazon's offices in Great Britain into sending money to the hackers, showcasing a multifaceted nature of the incident beyond a typical software failure [73651].

IoT System Layer

Layer Option Rationale
Perception
Option: processing_unit, network_communication, embedded_software
Rationale:
(a) sensor: The software failure incident related to the hacking of D.C. police surveillance cameras was not directly attributed to a sensor error. The failure was due to hackers gaining unauthorized access to the police department's computers and using ransomware to lock down the system, rather than a sensor malfunction [73651, 66216].
(b) actuator: The incident did not involve a failure related to an actuator error. The focus was on the hackers gaining control of the surveillance cameras through the police department's computers, rather than any actuator malfunction [73651, 66216].
(c) processing_unit: The software failure incident was primarily related to a failure in the processing unit of the cyber-physical system. The hackers accessed the police department's computers and deployed ransomware on the system, causing the surveillance cameras to go dark [73651, 66216].
(d) network_communication: The failure was also related to network communication errors. The hackers used the police department's computers to send ransomware to over 179,000 accounts, indicating a breach in network communication security [73651, 66216].
(e) embedded_software: The incident involved a failure related to embedded software error. The hackers downloaded ransomware programs onto the police system that runs the surveillance cameras, causing the cameras to be locked down and displaying ransom demands [73651, 66216].
Communication
Option: connectivity_level
Rationale: The software failure incident reported in the articles was related to the connectivity level of the cyber-physical system [73651, 66216]. The failure involved a cyberattack where hackers compromised Washington DC police computers linked to surveillance cameras by accessing 123 outdoor surveillance cameras as part of a suspected ransomware scheme. The perpetrators intended to use the camera computers to send ransomware to more than 179,600 email addresses and extort money from victims [66216]. The hackers were able to access the police computers and install ransomware, causing the surveillance cameras to go dark and displaying a ransom demand on the system, indicating a failure at the network or transport layer of the cyber-physical system [73651].
Application
Option: TRUE
Rationale: The software failure incident described in the articles was related to the application layer of the cyber-physical system. The failure was caused by a hack where ransomware was installed on the police department's computers, specifically on the system that runs the outdoor surveillance cameras. The ransomware locked down the files and demanded payment in exchange for unlocking them, indicating a failure introduced by bugs or malicious software [73651, 66216].

Other Details

Category Option Rationale
Consequence
Option: property, theoretical_consequence
Rationale:
(d) property: People's material goods, money, or data were impacted due to the software failure. The software failure incident involving the hacking of D.C. police's surveillance cameras by two Romanians had significant consequences related to property. The hackers intended to use the police department computers to email ransomware to more than 179,000 accounts, potentially extorting money from those users. Additionally, the hackers had stolen banking credentials and account passwords, which could have been used for fraud schemes with anonymity. The ransomware attack also encrypted important files and demanded a bitcoin payment of over $60,000 to unlock the system, affecting the data and potentially the financial resources of the victims [73651, 66216].
Domain
Option: information, government
Rationale:
(a) The failed system was intended to support the information industry, specifically in the context of surveillance cameras used by the D.C. police department [73651, 66216].
(l) The failed system was also related to the government industry, as it involved a cyberattack on D.C. police surveillance cameras just days before the 2017 presidential inauguration, raising national security concerns [73651, 66216].
