“NASDAQ is owned.” Five men charged in largest financial hack ever | Ars Technica

“NASDAQ is owned.” Five men charged in largest financial hack ever

Scheme created hundreds of millions of dollars in losses to world's biggest institutions.

Five Eastern European men have been charged with operating a global hacking operation that infiltrated some of the world's biggest financial institutions, pilfered data for more than 160 million credit cards, and created hundreds of millions of dollars in losses.

The case, brought by US attorneys in Manhattan and New Jersey, is the largest hacking scheme ever prosecuted in the US, Department of Justice officials said. From 2005 to 2012, the four Russian nationals and a Ukrainian penetrated the private networks of the Nasdaq stock exchange, Citibank, PNC Bank, Heartland Payment Systems, 7-Eleven, JCPenney, Hannaford Brothers, and others, prosecutors alleged in indictments unsealed Thursday morning. The hacking gang traded text strings that exploited SQL-injection vulnerabilities in the victim companies' websites to obtain login credentials and other sensitive data, then installed malware that gave them persistent backdoor access to the networks.

"NASDAQ is owned," Aleksandr Kalinin, a 26-year-old resident of St. Petersburg, Russia, allegedly reported in a January 2008 instant message after finally obtaining administrative access to the stock exchange's network. Like a rock climber slowly scaling a craggy cliff, he spent months methodically escalating his access into the highly sensitive system. In an instant message he sent six months earlier, after initially gaining less-privileged access, he said, "30 SQL servers, and we can run whatever on them, already cracked admin PWS but the network not viewable yet. those dbs are hell big and I think most of info is trading histories." "PWS" and "dbs" are presumed to be shorthand for passwords and databases respectively.

The person on the receiving end of those dispatches was none other than Albert Gonzalez, the hacker convicted of breaching TJX and other retailers. He previously held the record for compromising 90 million credit cards. The case unveiled Thursday grew out of the investigation into those earlier breaches. Gonzalez, who is named as an unindicted co-conspirator in the current prosecution, is now serving a 20-year prison sentence.

According to prosecutors, Kalinin and accomplice Vladimir Drinkman, 32, specialized in penetrating networks. They were previously charged in New Jersey as "Hacker 1" and "Hacker 2" in a 2009 indictment against Gonzalez. The pair allegedly worked with three other men, one with skill in harvesting data from the hacked networks, another who provided anonymous Web-hosting services used in the intrusions, and the third who helped sell the credit card data. According to one indictment, European credit card numbers sold for as much as $50, while US ones fetched about $10. Buyers then used the data to create clone cards that, along with stolen PINs, were used to withdraw millions of dollars from ATMs around the world.

The indictments give a bird's-eye view of the patience and meticulousness hackers employ when penetrating some of the world's most well-fortified networks. On May 19, 2007, Kalinin allegedly identified a vulnerability in a password-reminder page of the Nasdaq website. Five days later, prosecutors said, he fashioned a text string that injected SQL code into the page's database query, allowing him to pull cryptographically hashed login credentials out of the database behind it. He then shared the string with Gonzalez.

The allegations that the defendants were able to pierce company defenses using SQL injection exploits aren't surprising. Despite being one of the oldest types of website attack, the vulnerabilities that make them possible remain common. Retailer sites are on the receiving end of about twice as many such attacks as sites in other industries, according to a recently issued report by security firm Imperva. Researchers observed one unnamed website receiving 4,057 SQL injection attack requests in one day. SQL injection exploits flaws in the way a website assembles database queries from user-supplied input: text the attacker types into a form field ends up being run as part of the query, letting the attacker extract or manipulate the database's contents. Sites are susceptible when user input is either incorrectly filtered for characters used in database commands or when the input "is not strongly typed, and thereby unexpectedly executed," the Imperva report stated.
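To make the two preceding paragraphs concrete, here is an added example (not code from the article, the indictments, or any of the companies named): a toy "password reminder" lookup in Python with an in-memory SQLite database. The table, the three users, their hashes and the attacker's input strings are all constructed sample data; the Nasdaq page's real query and the defendants' actual string are not public and are not reproduced here. The block shows the two failure modes the Imperva report lists, a string field whose quote characters are not handled and a numeric field that is not strongly typed, beside the parameterized fix.

```python
"""
Added example: a vulnerable password-reminder lookup, the injection that
dumps hashed credentials from it, and the hardened version.
All data below is constructed for illustration (hypothetical users/hashes).
"""
import hashlib
import sqlite3


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, used here only so the sample hashes are reproducible."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed sample data: three accounts with hashed passwords and reminder hints."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT, reminder TEXT)"
    )
    sample = [
        (1, "alice@example.com", "hunter2", "first pet"),
        (2, "bob@example.com", "correct horse", "mother's maiden name"),
        (3, "admin@example.com", "s3cret!", "favourite colour"),
    ]
    for uid, email, password, hint in sample:
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (uid, email, sha256_hex(password), hint))
    conn.commit()
    return conn


def reminder_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """VULNERABLE: the e-mail address is pasted straight into the SQL text.
    A single quote in the input ends the string literal, and whatever follows is run as SQL."""
    sql = f"SELECT reminder FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def reminder_weakly_typed(conn: sqlite3.Connection, user_id: str) -> list:
    """VULNERABLE despite a quote filter: the id is numeric, so it is interpolated without
    quotes and the attacker never needs a quote character at all (the "not strongly typed" case)."""
    cleaned = user_id.replace("'", "")          # the kind of filtering that gives false comfort
    sql = f"SELECT reminder FROM users WHERE id = {cleaned}"
    return [row[0] for row in conn.execute(sql).fetchall()]


def reminder_safe(conn: sqlite3.Connection, email: str) -> list:
    """FIXED: a parameterized query. The driver sends the input as data; it can never
    become part of the query's structure, so the UNION payload just matches no user."""
    cur = conn.execute("SELECT reminder FROM users WHERE email = ?", (email,))
    return [row[0] for row in cur.fetchall()]


def reminder_safe_id(conn: sqlite3.Connection, user_id: str) -> list:
    """FIXED: enforce the type first (int() raises ValueError on '0 OR 1=1'),
    then bind the value as a parameter."""
    uid = int(user_id)
    cur = conn.execute("SELECT reminder FROM users WHERE id = ?", (uid,))
    return [row[0] for row in cur.fetchall()]


# Constructed attacker inputs. The first closes the string literal, appends a UNION
# that selects e-mail:hash pairs from the same table, and comments out the trailing quote.
# The second needs no quotes, which is why stripping quotes alone does not help.
DUMP_HASHES_PAYLOAD = "' UNION SELECT email || ':' || pw_hash FROM users --"
NUMERIC_PAYLOAD = "0 UNION SELECT pw_hash FROM users"


if __name__ == "__main__":
    db = build_db()
    print("legit lookup      :", reminder_vulnerable(db, "alice@example.com"))
    print("hash dump (string):", reminder_vulnerable(db, DUMP_HASHES_PAYLOAD))
    print("hash dump (numeric):", reminder_weakly_typed(db, NUMERIC_PAYLOAD))
    print("parameterized      :", reminder_safe(db, DUMP_HASHES_PAYLOAD))
```

Run it and the two vulnerable functions return every account's password hash in place of a reminder hint, which is exactly the kind of data the indictment says Kalinin obtained from the password-reminder page. Cracking those hashes offline is the next step the "cracked admin PWS" message refers to. The fix is not a blocklist of characters but parameterized queries plus type enforcement at the boundary; note that `reminder_safe` returns an empty list for the payload rather than erroring, because the whole string is compared as an e-mail address and simply matches nothing.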

The defendants—who also include Roman Kotov, 32, of Moscow; Mikhail Rytikov, 26, of Odessa, Ukraine; and Dmitriy Smilianets, 29, of Moscow—were charged with multiple counts, including conspiracy to gain unauthorized access to computers, conspiracy to commit wire fraud, wire fraud, and unauthorized access to computers. Drinkman and Smilianets were arrested at the request of the United States while traveling in the Netherlands in June 2012. Smilianets was extradited in September and remains in federal custody. Kalinin, Kotov and Rytikov remain at large.

All five face decades in prison if convicted on all the charges.

Story updated to include details in second-to-last paragraph about defendants' whereabouts.
