Unraveling the Mystery: The 2012 South Carolina Data Breach Linked to Russian Cybercriminals

Charles M. Walls | April 16, 2024

For over a decade, the mystery of who hacked into South Carolina's Department of Revenue in 2012, compromising the personal data of 3.6 million individuals, has puzzled citizens and officials alike. This cyber mystery might finally be unraveling. Investigations by KrebsOnSecurity suggest that the breach, which included theft of tax and banking information, was orchestrated by the same Russian cybercriminal group linked to later high-profile attacks on major retailers such as Home Depot and Target.

This revelation surfaced during a recent confirmation hearing for Mark Keel, nominated for a third term as head of the state's law enforcement division. Appointed by Governor Nikki Haley in 2011, Keel hinted at knowing the perpetrators behind the hack but withheld specific identities from the public eye. "The minimal fallout from the breach speaks volumes about the diligence applied during the investigation," Keel remarked at the hearing.

Scrutiny intensified because, a decade after the hack, only sparse details had surfaced about the perpetrator. However, KrebsOnSecurity's review of cybercrime forums from around that time unearthed a post by a notorious hacker known as "Rescator," advertising the sale of a comprehensive state tax department database just days before South Carolina officials were alerted to the breach by federal authorities.

On October 26, 2012, state officials publicly acknowledged the cyberattack. They were working with the U.S. Secret Service and Mandiant, a digital forensics firm, to mitigate the damage and investigate the breach's origins. This announcement came after Rescator boasted on multiple forums about possessing a massive cache of U.S. state tax information, ready for sale.

The breach, which ended up costing South Carolina $12 million for credit monitoring services to protect affected residents, was one of the largest of its time but has since been overshadowed by even larger breaches affecting companies like Equifax and Yahoo.

Interestingly, the connection between the South Carolina breach and Rescator, whose real name was later revealed to be Mikhail Borisovich Shefel, links back to similar methods used in the breaches at Target and Home Depot. These attacks resulted in the theft of millions of payment card details, sold across the dark web, highlighting the reach and impact of this cybercriminal syndicate.

Despite the significant evidence, Shefel has never been publicly charged with the South Carolina breach. Speculation suggests there may be sealed indictments, with authorities possibly waiting for Shefel to leave his stronghold in Russia to facilitate an arrest.