Officials of the Inspector General of the State of Ohio published a 50-page investigative report (PDF, http://watchdog.ohio.gov/Portals/0/pdf/investigations/2015-CA00043.pdf) of the incident that took place back in 2015, but now came in public domain.
According to the reports, five prisoners from the Marion Correctional Institution (MCI) secretly got hold on two computers, then they hid the computers under the suspended ceiling in the service room, after that they broke the prison network, and got the opportunity to go in prohibited zone and engaged in illegal activities on the Internet. All of this became possible just due to the fact that the prisoners were made to work under the Green Initiative program, in which they were engaged in the recycled different electronics.
Administrators of MCI began to notice something strange in the summer of 2015: an account belonging to one of the contractors of the prison began to exceed the daily quota of traffic. Then similar behavior began to show the accounts of other employees, including on weekends, when these employees were not at all in the workplace. Worse, a few days later, these employees began to make attempts to evade the proxies that monitored the traffic. Administrators' suspicions gave rise to a full-fledged investigation, during which strange activity could be traced to a computer that appears in the report as -lab9-. This name did not fit into the internal naming system at all.
Officials of MCI first began to notice in the summer of 2015, when an account of one of the contractors of the prison began to exceed the daily quota of traffic. Then other accounts of the employees started showing the same behavior.
After all this, administrators' started a full-fledged investigation, and during which they found out a computer name that did not fit into the internal naming system at all.
With further investigation, the team found out the suspicious traffic was from port 16 of the switchboard located in the prison, and they traced out the device in the suspended ceiling.
It was indeed a great shock for the employees of MCI to find out two prisoners working on the computers behind the plywood planes of the ceiling.
All the five prisoners were engaged in the recycling of electronics under the Green Initiative program, and from this initiative, they took all the necessary parts for assembling the PC.
Investigators found two detected hard disks: hacking tools, legitimate software, traces of illegal activity. While, the Forensics experts said that they found self-signed certificates, Pidgin accounts, links to different Tor-websites and the following software:
CC Proxy - proxy server for Windows;
Cain - tool for recovering passwords;
Zed Attack Proxy (ZAP) - a vulnerability scanner;
Wireshark - network traffic analyzer;
NMap - utility for mapping networks and auditing;
ZenMap - vulnerability scanner and GUI for NMap;
Webslayer - tool for brute-force attacks;
JanaServer - multi-platform proxy server;
Yoshi - spammer tool;
AdvOr Tor Browser - version of Tor browser;
THC Hydra - tool for hacking passwords;
Cavin - editor for encryption and decryption of text;
Paros - Java-based proxy server, also used for MitM attacks;
3CXVoip Phone - free VOIP-utility for Windows;
VirtualBox - virtual machine with Kali Linux;
TrueCrypt - utility for full disk encryption;
CC Cleaner - tool for optimizing the system, cleaning, and privacy;
VideoLan - media player;
Clamwin - antivirus;
PhpBB - open-source forum engine;
SoftEther VPN;
OpenVPN;
Custom software.
However, the prisoners were not only interested in "internet-surfing", they hacked accounts, intercepted prison traffic, and compromised the prison network.
All five hackers were identified, and now they are serving their sentence in different correctional facilities.
According to the reports, five prisoners from the Marion Correctional Institution (MCI) secretly got hold on two computers, then they hid the computers under the suspended ceiling in the service room, after that they broke the prison network, and got the opportunity to go in prohibited zone and engaged in illegal activities on the Internet. All of this became possible just due to the fact that the prisoners were made to work under the Green Initiative program, in which they were engaged in the recycled different electronics.
Administrators of MCI began to notice something strange in the summer of 2015: an account belonging to one of the contractors of the prison began to exceed the daily quota of traffic. Then similar behavior began to show the accounts of other employees, including on weekends, when these employees were not at all in the workplace. Worse, a few days later, these employees began to make attempts to evade the proxies that monitored the traffic. Administrators' suspicions gave rise to a full-fledged investigation, during which strange activity could be traced to a computer that appears in the report as -lab9-. This name did not fit into the internal naming system at all.
Officials of MCI first began to notice in the summer of 2015, when an account of one of the contractors of the prison began to exceed the daily quota of traffic. Then other accounts of the employees started showing the same behavior.
After all this, administrators' started a full-fledged investigation, and during which they found out a computer name that did not fit into the internal naming system at all.
With further investigation, the team found out the suspicious traffic was from port 16 of the switchboard located in the prison, and they traced out the device in the suspended ceiling.
It was indeed a great shock for the employees of MCI to find out two prisoners working on the computers behind the plywood planes of the ceiling.
All the five prisoners were engaged in the recycling of electronics under the Green Initiative program, and from this initiative, they took all the necessary parts for assembling the PC.
Investigators found two detected hard disks: hacking tools, legitimate software, traces of illegal activity. While, the Forensics experts said that they found self-signed certificates, Pidgin accounts, links to different Tor-websites and the following software:
CC Proxy - proxy server for Windows;
Cain - tool for recovering passwords;
Zed Attack Proxy (ZAP) - a vulnerability scanner;
Wireshark - network traffic analyzer;
NMap - utility for mapping networks and auditing;
ZenMap - vulnerability scanner and GUI for NMap;
Webslayer - tool for brute-force attacks;
JanaServer - multi-platform proxy server;
Yoshi - spammer tool;
AdvOr Tor Browser - version of Tor browser;
THC Hydra - tool for hacking passwords;
Cavin - editor for encryption and decryption of text;
Paros - Java-based proxy server, also used for MitM attacks;
3CXVoip Phone - free VOIP-utility for Windows;
VirtualBox - virtual machine with Kali Linux;
TrueCrypt - utility for full disk encryption;
CC Cleaner - tool for optimizing the system, cleaning, and privacy;
VideoLan - media player;
Clamwin - antivirus;
PhpBB - open-source forum engine;
SoftEther VPN;
OpenVPN;
Custom software.
However, the prisoners were not only interested in "internet-surfing", they hacked accounts, intercepted prison traffic, and compromised the prison network.
All five hackers were identified, and now they are serving their sentence in different correctional facilities.
