For nearly a decade, state and federal investigators have kept South Carolina residents in the dark about who was responsible for hacking the state’s tax department in 2012 and stealing the tax and bank account information of 3.6 million people. The answer may no longer be a mystery: KrebsOnSecurity has uncovered compelling clues that this breach was carried out by the same Russian hacker group that hit large retailers like The Home Depot and Target over the next few years.
Questions about who stole the tax and financial data of about three-quarters of South Carolina residents came into focus last week during confirmation hearings in South Carolina for Mark Keel, who was appointed in 2011 by Governor Nikki Haley to lead law enforcement in the state. If approved, it would be Keel’s third six-year term.
The Associated Press reported that Keel was careful not to reveal many details about the breach during the hearing, telling lawmakers he knew who had done it but was not prepared to name anyone.
“I think the fact that we didn’t provide a lot of the personal information that was leaked is a testament to the work that people put into this case,” Keel asserted.
A ten-year retrospective published in 2022 by The Post and Courier of Columbia, South Carolina, said investigators determined the breach began on Aug. 13, 2012, when a state IT contractor clicked on a malicious link in an email. State officials said they learned of the hack from federal law enforcement on Oct. 10, 2012.
KrebsOnSecurity examined posts on dozens of cybercriminal forums at the time and found only one instance where someone sold a large amount of tax information in the year before or after the date of the leak.
On October 7, 2012, three days before South Carolina officials said they first learned of the intrusion, a notorious cybercriminal known as “Rescator” advertised the sale of “one of the state tax department’s databases.”
“Bank account information, SSN and all other information,” Rescator’s sales post on the Russian-language crime forum Embargo read. “If you buy the entire library, I’ll give you access to it.”
A week later, Rescator posted a similar offer on the exclusive Russian forum Mazafaka, saying he was selling information from U.S. state tax databases, but he did not name the specific states. Rescator said the exposed data included employers, names, addresses, phone numbers, taxable income, tax refund amounts and bank account numbers.
“There is so much information that I am ready to sell the entire database and access to it,” Rescator told Mazafaka members. “There’s also information about corporate taxpayers.”
On October 26, 2012, the state publicly announced the breach. State officials said they were cooperating with investigators from the United States Secret Service and several forensic experts from Mandiant, which produced an incident report (PDF) that was later released by the South Carolina Department of Revenue. KrebsOnSecurity sought comment from the Secret Service, the South Carolina prosecutor and Mr. Keel’s office. This story will be updated if any of them respond.
On November 18, 2012, Rescator told members of the forum Verified that he was selling a 65,000-record database containing bank account information from several smaller regional financial institutions. Rescator’s sales post on Verified listed more than a dozen database fields, including account number, name, address, phone, tax ID number, date of birth, employer and occupation.
When asked to provide more context about the database for sale, Rescator told forum members that the database included financial records related to U.S. state tax returns. A second database contained about 80,000 companies and included Social Security numbers, names and addresses, but no financial information, Rescator added.
According to the Associated Press, South Carolina paid Experian $12 million to provide identity theft protection and credit monitoring services to its residents following the information breach.
“At the time, it was one of the worst data breaches in U.S. history, but it has since been greatly surpassed by hacks at Equifax, Yahoo, Home Depot, Target and PlayStation,” Jeffrey Collins wrote for the Associated Press.
In fact, Rescator’s criminal hacking team was directly responsible for the 2013 Target hack and the 2014 Home Depot hack. Rescator’s cybercrime store sold approximately 40 million payment cards stolen in the Target breach, as well as 56 million cards belonging to Home Depot customers.
Who is Rescator? On December 14, 2023, KrebsOnSecurity released the results of a 10-year investigation into the identity of Rescator, also known as Mikhail Borisovich Shefel, a 36-year-old who lives in Moscow and recently changed his surname to Lenin.
Mr. Keel’s claim that efforts by South Carolina officials after the breach may have mitigated its impact on citizens seems unlikely. The stolen tax and financial data appears to have been sold publicly on cybercrime forums by one of the most aggressive and successful hacker groups in the Russian underground.
While there’s no indication from a review of forum posts that Rescator ever sold the data, his sales posts came at a time when tax refund fraud rates were skyrocketing.
Tax-related identity theft occurs when someone uses a stolen identity and Social Security number (SSN) to file a tax return in that person’s name and claim a fraudulent refund. Victims often learn of the crime only after their own return is rejected because the scammer beat them to it. Even those who are not required to file a return can fall victim to refund fraud, as can those who didn’t actually get a refund from the Internal Revenue Service (IRS).
The IRS issued nearly $4 billion in false tax refunds in 2012 and more than $5.8 billion in 2013, according to a 2013 report from the Treasury Department’s Office of Inspector General. security number and other information.
It’s unclear why Shefel was never formally implicated in the breaches at Target, Home Depot or South Carolina. Probably Shefel has been indicted, and those indictments remain sealed for some reason. Perhaps prosecutors hoped Shefel would decide to leave Russia, at which point it would be easier to arrest him if he believed no one was looking for him.
But there are indications that Shefel is deeply rooted in Russia and has no plans to leave. In January 2024, Australian, US and British authorities imposed financial sanctions on a 33-year-old Russian man, Alexander Ermakov, suspected of stealing data from 10 million customers of Australian health insurance giant Medibank.
A week after these sanctions were imposed, KrebsOnSecurity published an in-depth study of Ermakov, discovering that he co-runs a Moscow-based IT security consultancy with Mikhail Shefel called Shtazi-IT.