Man who hacked jail systems to free associate sent behind bars

An attempt to change an inmate's release date has cost the 27-year-old hacker dearly.


A man who compromised jail systems in an attempt to change the release dates of an associate will now be joining them behind bars.

Konrads Voits of Ypsilanti, Michigan, has been jailed for seven years and three months, alongside up to three years of supervised release, after breaking into a county jail's systems.

As reported by Bleeping Computer, Voits was attempting to tamper with prisoner records in order to have an associate released early.

The 27-year-old must also pay $235,488 in costs to Washtenaw County. This amount is reported to be the full cost of investigating and addressing the security breach.

According to Voits' guilty plea, entered under a plea agreement in December 2017, he ran a campaign from January to March of the same year to break out an inmate.

Voits first turned to social engineering and attempted to lure prison staff into visiting the domain ewashtenavv.org, which replaced the final "w" of the genuine ewashtenaw.org prison website domain with two "v"s in an attempt to appear legitimate.

The site hosted on this malicious domain was a full copy of the real prison website, but it also contained malware. Voits called prison staff, masquerading as "Daniel Greene" and requesting help with "court records," which required them to visit the fraudulent website.
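A defender's check for this kind of lookalike, as an added example that is not part of the original article: it folds confusable character sequences (such as "vv" for "w") before comparing hostnames from DNS or proxy logs against a protected domain. The fold table, the two-label registrable-domain shortcut and the sample hostnames are assumptions constructed for illustration.

```python
# Added example: the fold table and sample hostnames are constructed.
PROTECTED = {"ewashtenaw.org"}  # the genuine domain named in the article
# Confusable sequences folded to the character they imitate (non-exhaustive).
FOLDS = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l")]

def registrable(host):
    """Last two labels of a hostname (assumes a one-label public suffix)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def skeleton(domain):
    """Fold confusable sequences so visually similar names compare equal."""
    for seq, repl in FOLDS:
        domain = domain.replace(seq, repl)
    return domain

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, protected=PROTECTED):
    """Return (verdict, matched_domain) for one hostname from a DNS or proxy log."""
    dom = registrable(host)
    if dom in protected:
        return ("legitimate", dom)
    for good in protected:
        if skeleton(dom) == skeleton(good):
            return ("confusable", good)   # identical once lookalikes are folded
        if edit_distance(skeleton(dom), skeleton(good)) <= 1:
            return ("near-miss", good)    # one typo away from the real name
    return ("unrelated", None)

# Constructed hostnames as they might appear in resolver logs.
SAMPLE = ["www.ewashtenaw.org", "ewashtenavv.org", "EWASHTENAVV.ORG.",
          "ewashtenau.org", "example.org"]

if __name__ == "__main__":
    for h in SAMPLE:
        print(f"{h:22} {classify(h)}")
```

Hostnames classified as "confusable" or "near-miss" are candidates for blocking or alerting at the resolver or web proxy.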

The spear-phishing campaign, designed to lure staff to visit the malicious domain and both download and execute malware on prison PCs, failed.

Voits was not discouraged, however. The man then proceeded to call and email the prison, pretending to be county IT staff in the midst of upgrading the prison's systems. In these emails and calls, Voits asked prison employees to visit the malicious domain and to download executable "upgrade" files which contained malware.

Not only did some members of staff fall for the second scheme, but the 27-year-old was also able to gain remote access login details from one employee.

The hacker then installed malware on prison systems which was able to collect information including login credentials, emails, and personal information belonging to over 1600 employees.

Voits was also able to access the XJail system, an internal application which dealt with prisoner records.

In March, he accessed XJail and tampered with the records of at least one inmate.

However, the hacker underestimated the prison's staff. The tampering was detected almost immediately, the changed record was corrected, and the FBI -- alongside a cyberforensics firm -- were called upon to track down the intruder.

"Voits' intrusion compelled the county to hire an incident response company to determine the full extent of the breach, to reimage numerous hard drives, to verify the accuracy of the electronic records of nearly every then county jail inmate, and to attempt to reassure the 1600 county employees whose personal data had been compromised by purchasing an identity theft program for county employees," the agreement states.


There is no evidence to suggest that Voits attempted to sell on access to these systems or to sell stolen employee data.

"Hopefully, upon release, Voits will be in a position where he can use his immense skills to make society a better place," prosecutors said.
