Hacking Ring Breaks Into US Telephony System

The US Department of Justice indicted three individuals June 15 who allegedly hacked into the telephone systems of large corporations and entities in the United States and abroad, selling information about the compromised telephone systems to Pakistani nationals residing in Italy.

Along with the U.S. indictments, Italian law enforcement raided approximately 10 locations in four regions of Italy and arrested the financiers of the hacking activity. The DOJ claims the financiers used the information from the hackers to transmit more than 12 million minutes of telephone calls valued at more than $55 million (£34m) over the hacked networks of victim in the United States alone.

“This was an extensive and well-organized criminal network that worked across continents,” acting U.S. Attorney Ralph J. Marra Jr. said in a statement. “The hackers we’ve charged enabled their conspirators in Italy and elsewhere to steal large amounts of telecommunications capacity, which could then be used to further or finance just about any sort of nefarious activity here or overseas.”

Charged in the New Jersey indictment are Mahmoud Nusier, 40, Paul Michael Kwan, 27, and Nancy Gomez, 24, all currently residing in the Philippines, with conspiracy to commit wire fraud and unauthorised access to computer systems and other counts. Nusier is a Jordanian national; Kwan and Gomez are Philippine nationals.

According to the DOJ, two of the ring’s financiers in Italy — dubbed M.Z and S.K — operated call center operations in Italy from which their customers would make calls throughout the world. To increase their profits, M.Z. and S.K. made efforts to incur as little costs as possible in routing their customers’ telephone calls to the intended call-recipient.

The DOJ claims M.Z. and S.K. recruited Nusier, Kwan, Gomez and others to hack into the telephone networks so that telephone calls from the call centres could be transmitted over the hacked networks. To accomplish their mission, the hackers gained an intimate familiarity with the programming of the public branch exchange (PBX) telephone systems.

As the hackers dialed into the victim systems, they were able to identify the type of PBX system by the prompts and were thereby able to begin a process — known as a brute force attack — by which they sought to attack vulnerable points of the PBX systems. Often, the DOJ said, the vulnerable points consisted of telephone extensions with default passwords still in place.

After using a couple of methods to exploit the information they gained regarding the hacked PBX systems, the hackers transmitted the information about the hacked system back to the financiers. The losses were borne by the victim corporations, and AT&T and other long distance carriers, which provided the long-distance telephone service for the victims.

The DOJ said AT&T was not hacked but was among the companies that carried the long distance calls.

In addition to the conspiracy count, each of the defendants is charged with two counts of unauthorised access to a computer system for purposes of committing fraud, and with the possession of unauthorised access devices, including pass codes to U.S. telephone systems.

The defendants face maximum prison sentences of five years on the conspiracy count, five years on each of the two respective unauthorised computer access counts, and 10 additional years on the access device count. In addition, each is subject to a maximum fine of $250,000 (£153,000) on each count for which they are named, or twice the gain resulting from the offense, whichever is greater.