The hacktivist who gained access to the systems of the cloud-based enterprise security camera platform provider Verkada in March 2021 has been indicted on criminal hacking charges and faces up to 27 years in jail.
A federal grand jury charged Till Kottmann, 21, for a string of computer intrusion and identity and data theft activities that started in 2019 and continued until the hacking of Verkada in March. Kottmann, who goes by the name Tillie and the monikers ‘tillie crimew’ and ‘deletescape’ is a member of a group of hackers named APT 69420 / Arson Cats. The group is known for hacking the systems of corporate and government entities, stealing confidential and proprietary information, and releasing the stolen data online.
Kottmann, who is based in Lucerne, Switzerland, hacked into networks to expose security weaknesses and highlight the failures of companies to implement appropriate security; however, in contrast to most security researchers, Kottmann and other Arson Cats hackers did not adhere to the principles of responsible disclosure. While the attacks were allegedly conducted to uncover security flaws before more malicious actors could do so, the intrusions and the security flaws that were exploited were not reported directly to the hacked companies. Instead, the group published data stolen in the attack online where it could be downloaded by anyone.
In the most recent attack on Verkada, Kottmann was able to gain access to more than 150,000 Verkada security cameras between March 7 and 9, 2021 via a Jenkins build server that was exposed to the Internet. Super admin credentials were obtained that gave Arson Cats access to live feeds and archived footage from a wide range of the company’s customers, including K12 schools, penitentiaries, hospitals, and companies including Cloudflare, Tesla, Okta. Screenshots and videos were released publicly.
Kottmann often engaged with the media and spoke about the actions of the group, including the Verkada hack. While the hackers may view their actions as noble, law enforcement takes a dim view of hackers who steal and publicly release sensitive data.
“Taking certifications and information and distributing source code and restrictive and touchy data on the web isn’t ensured discourse — it is burglary and misrepresentation,” said Acting U.S. Lawyer Tessa M. Gorman. “These activities can build weaknesses for everybody from enormous partnerships to singular shoppers. Enclosing oneself by a supposedly charitable intention doesn’t eliminate the criminal smell from such interruption, robbery, and extortion.”
The most common method of attacking companies was through misconfigured gits and servers, which were identified using the search engine Shodan. Most security researchers identify vulnerable servers and report them to the companies concerned. They do not tend to take the hacks a step further and access exposed servers and steal and release sensitive data.
Kottmann often shared stolen data from hacks on the Git.rip domain, including data stolen in hacks of companies such as Nissan, Intel, Nintendo, Qualcomm, Motorola, Disney, Microsoft, and others. The domain was recently seized by the Justice Department. Kottmann also had a Telegram channel called “ExConfidential” on which links to stolen data were shared, including links to data stolen by other non-Arson Cats hackers.
Law enforcement officers in Switzerland executed a warrant and searched Kottmann’s residence and removed computer equipment on March 12, 2021, with the investigation led by the FBI’s Cyber Task Force in Seattle.
Kottmann has been indicted on one count of conspiracy to commit computer fraud and abuse, which has a maximum jail term of 5 years; one count of conspiracy to commit wire fraud and 5 counts of wire fraud, which have a maximum jail term of 20 years; plus one count of aggravated identity theft, which has a 2-year jail term which runs consecutively to any other sentences.