GUEST ESSAY: Surveillance cam hack shows potential for ransomware collateral damage

By David Smith

The recent charges, and subsequent arrest, of two Romanians alleged to be responsible for a widespread hack of surveillance cameras in our nation’s capital raise a number of intriguing questions.

Why hack surveillance cameras? What nefarious activity might escape law enforcement’s notice while these particular cameras went dark?


The U.S. Secret Service had every right to be alarmed with the sudden compromise of so many cameras around Washington D.C. According to an affidavit from the case, the hackers “participated in an intrusion into and taking control of approximately 123 internet-connected computers used by the Metropolitan Police Department of the District of Columbia (“MPDC”) to operate surveillance cameras … which computers could then be used to send the ransomware-laden spam emails.”

Based on this assertion, it appears the computers controlling the cameras were the hackers’ target objective — not the cameras themselves. This is an important distinction. It would seem that the Romanian hackers were not ideologues seeking to make a political point. In fact, it appears they had no interest, at all, in the basic functions served by the hacked cams.

It is likely that they simply found vulnerable systems, which happened to be cameras, and then swiftly infected them with ransomware. In that scenario, they hoped for a quick ransom payment by the owners of the underlying computers. And while the attackers controlled these computers, the systems could also be redirected to help spread ransomware to other systems and devices.

Material harm

Sen. Mark Warner, D-Virg., hit the nail on the head when he observed: “These reports highlight just how vulnerable our systems are to fast-proliferating ransomware threats.” In this situation, the affected devices just happened to be surveillance cameras. Aside from the time and effort necessary to remove the ransomware and bring the systems back online, no other reported harm came from the cameras going dark for a period of time.

But what if this strain of ransomware had made its way into a major hospital? Or what if these cyber extortionists had taken aim at the computers controlling a power grid, or a flight control tower, or some other critical infrastructure? Whether or not the hackers intended any harm beyond causing enough of a disruption to get somebody to pay them, the outcome could have been much worse. By crippling a critical system, they might have caused material harm, possibly even catastrophic harm.

What’s at stake, and what we have to come to grips with, is that no organization can afford to view a ransomware attack as a nuisance disruption — just another cost of doing business in the digital age. Given the complexity of connected devices and services, a successful ransomware outbreak has the potential to escalate and indiscriminately disable a critical system, causing significant collateral damage.

The aforementioned affidavit includes statements from Special Agent Graham of the U.S. Secret Service, attesting to his education and experience in, amongst other subjects, conducting online investigations and network intrusion forensics. Special Agent Graham’s training – including completing the Network Intrusion Response Program and Hack It and Track It – is a great case study for the kind of expertise that law enforcement agencies across all jurisdictions should possess.

In this particular case, U.S. Secret Service agents successfully leveraged forensics tools and methodologies to track down the perpetrators, shed light on their attacks and shut down their operations before any such wider harm could occur. However, ransomware campaigns show every sign of persisting. It’s up to the rest of us in the cybersecurity community to make the highest use of this shared intelligence. Together we must continue to make it much more difficult, expensive and risky for ransomware gangs to continue thriving.

About the author: David Smith is the Chief Information Security Officer for Nuix. He recently retired as an Assistant Special Agent in Charge for the U.S. Secret Service, where he spent more than 24 years specializing in computer forensics, information security management, and cyber-crime training and investigations.

(Editor’s note: Last Watchdog has supplied content consulting services to Nuix.)
