Hackers who raided Neiman Marcus' credit-card payment system belong to a sophisticated Russian syndicate that has stolen more than 160 million credit-card numbers from retailers over seven years, according to people with knowledge of the matter.
The Russian group is well known to U.S. authorities, who have indicted several members and linked it to pillaging more than 100 companies, including Citigroup and J.C. Penney.
Attempts to shut down the criminal network have failed despite international sting operations and secret meetings with Russian intelligence officials, according to two former U.S. officials who asked not to be named because they weren't authorized to discuss the activities. FBI officials visited their Russian counterparts in 2008 and 2009 to share information that could help locate and stop hackers, one of the former officials said.
"The FBI has tried to get cooperation, the State Department has asked for help and nothing happens, so law enforcement options under the current circumstances are pretty negligible," said Richard Clarke, special adviser for cybersecurity under George W. Bush.
Law enforcement officials describe Russian stonewalling as just one obstacle as they try to curb the burgeoning theft of credit-card data that has sparked a Congressional inquiry and left banks and retail chains blaming one another for the failures of outdated credit-card technology.
Investigators initially suspected that the Russian syndicate was responsible for the recent series of security breaches at Target and other retailers. The trails diverged, however, during the investigations.
Serious incursions at Target and Michaels Stores are now thought to have been perpetrated by two less-experienced and less-sophisticated hacking groups, or mix of veterans and newcomers, according to people with knowledge of the cases. These new hackers are successful because of simple tools that have become ubiquitous and cheap, and are operating throughout Eastern Europe, further confounding law enforcement efforts to stop cybercrime.
"We're really expanding the base of criminals committing some of the attacks that used to be limited to the best of the best," said Kimberly Peretti, a former cybercrime prosecutor at the Justice Department. "Even just a couple of years ago there was a sense that if we took those top individuals out of play we'd make a dent in some of the more sophisticated attacks."
The FBI and Secret Service declined to comment, as did the FSB, Russia's main intelligence agency. Ginger Reeder, a spokeswoman for Neiman Marcus, didn't respond to an email seeking comment.
Peretti, now a partner at law firm Alston & Bird LLP, first encountered in 2008 the Russian syndicate that hacked Neiman Marcus as a prosecutor investigating the theft of 130 million credit and debit cards from Heartland Payment Systems, one of the U.S.'s largest payment processors. Prosecutors have since compiled a lengthy list of other victims they believe the group has hacked, including 7-Eleven, JetBlue Airways, J.C. Penney, Visa, and the French retailer Carrefour, according to court documents.
The group is responsible for hacking more than 100 companies in all, Peretti said.
Five members of the gang were indicted last year at a federal court in New Jersey. Only two of them are in custody, and Russia is seeking the return of one who is in a Dutch jail.
The group is larger than that and membership fluctuates as key leaders break off to do heists on their own or with other cybercriminals they meet on underground forums, according to court documents and investigators. The members who have been detained appear to have been easily replaced, and the arrests have done little to slow the group's activities.
"Some of the hacking groups connected to large data breaches are not necessarily static organizations, but loose confederations of hackers who come together to commit a particular hack or series of hacks, swapping members in and out based on the skills needed," said Christopher Kelly, deputy criminal chief in the Office of the U.S. Attorney in New Jersey, which issued the 2013 indictment.
Still, the core of the gang has emerged as one of the most prolific and successful criminal hacking syndicates in the world, according to former and current law enforcement officials who asked not to be named when discussing an active investigation.
The Secret Service and private investigators involved in the Neiman Marcus breach spent weeks retracing the hackers' steps. The evidence linking the group to Neiman Marcus includes unique hacking tools and common methods to move stolen data across the globe.
U.S. officials believed they were close to a breakthrough following a series of trips senior FBI officials made to Russia in 2008 and 2009, according to the person familiar with the dealings. After years of courting Russian officials, cooperation suddenly improved, and the Secret Service and FBI began providing the country's law enforcement with dossiers on the most wanted cybercriminals.
Russia's FSB insisted the contacts be kept secret over concerns that they would appear to be cooperating too closely in a sensitive area, a person familiar with the exchanges said.
Despite pledges of cooperation, Russian authorities made no arrests.
Some U.S. officials eventually concluded that the Russians were using the FBI's information to spot talented hackers who could be used for their own purposes, including national security operations like the cyber-attacks now occurring against Ukraine, two former U.S. government officials said.
Top Russian hackers continue to operate unimpeded and live in conspicuous luxury, even if they can't leave the country or other safe harbors.
"You get some sense fairly quickly whether the individuals are protected or not," Peretti said. "If they are, those individuals continue to operate even though your evidence over time grows stronger and stronger."
The individuals indicted last year include Roman Kotov, a Moscow-based hacker who specializes in harvesting data from financial networks, and Aleksandr Kalinin, a hacker in Saint Petersburg, according to court documents. Vladimir Drinkman was also indicted and is in custody in the Netherlands. Drinkman is fighting extradition to the U.S.; Russian authorities are seeking his extradition as well.
Kalinin was a rising star in the Russian hacking scene as early as 2007, according to Don Jackson, a South Carolina-based cybersecurity expert who has interacted with him on elite Russian hacking forums by posing as a fellow cyberthief. Kalinin often referenced his luxury car collection, especially BMW 7- series sedans, and never seemed concerned he might be arrested, Jackson said. Peretti, who has interviewed Kalinin's associates, estimated that he is now in his early thirties.
The breach at Neiman Marcus has garnered less attention than those at Target and Michaels, in part because the theft was smaller. After saying in January that about 1.1 million credit cards may have been compromised, Neiman Marcus later lowered the estimate to 350,000, and said that 9,200 had been used fraudulently as of Feb. 21.
The sophistication of the Neiman Marcus operation, including how the stolen cards were sold, set it apart from the Target attack.
In the Target case, one person involved appears to be a middling Ukrainian hacker that uses the name Rescator, after a pirate in a 1967 French movie. He likely partnered with a group of more skilled operators who have been connected with at least six other hacks in the past two years, according to investigators.
In the Michaels case, investigators found dormant malware in the retailer's computers that can be traced back to the Neiman Marcus hackers, apparently from a previous breach. Investigators believe the attack on Michaels was carried out by a relatively new group about which little is known, said a person familiar with the probe.
Even with less experience, the group that hacked Target pulled off one of the largest retail breaches in U.S. history, stealing 40 million credit-card numbers from the company at the peak of the Christmas shopping season.
Investigators discovered at least five other victims, including another large U.S. retailer, when they examined servers used by the Target hackers to move stolen data to Eastern Europe, according to Jaime Blasco, director of research for AlienVault Labs, a digital-security firm based in San Mateo, Calif. The companies have yet to be publicly identified, Blasco said.