A man in Ann Arbor, Michigan, hacked the Washtenaw County government computer system in an attempt to alter inmate records and have his friend released early. Konrads Voits, 27, was arrested earlier this year following an FBI investigation and pleaded guilty in federal court last week to damaging a protected computer.
Between approximately 24 January to 10 March this year, Voits used classic phishing and social engineering techniques, using both email and phone calls, to trick Washtenaw County employees into downloading and running malware on their computers.
According to court documents obtained by Bleeping Computer, Voits first attempted to dupe employees by sending them emails asking for help with obtaining court records under the name "Daniel Greene".
He also registered a phony website under the domain name "ewashtenavv.org", which looks similar to the Washtenaw County's official portal – "ewashtenaw.org".
After his email spear-phishing attempts were unsuccessful, Voits began calling county jail employees in February and claimed to be a manager at the County Jail's IT department. He managed to trick several employees into visiting the phony website riddled with malware and obtained the remote login information of an employee.
He then used the stolen information to install malware on the County's network to gain access to sensitive County records, such as the XJail system – the programme used to monitor and track inmates, search warrant affidavits, internal discipline records and store County employee personal information.
Voits was able to obtain the personal data of more than 1,600 County employees, including their usernames, passwords, emails and other person details.
Once Voits gained full access to the system in March, he accessed the County Jail records of several inmates and altered the electronic records of at least one to have him released early.
However, County Jail employees soon noticed the change and alerted the FBI. No inmates were released early, authorities said.
The Washtenaw County Jail hired a security company to clean up its IT network and said they paid at least $235,488 (£174,826) after responding to and investigating the breach.
Voits faces a maximum of 10 years in prison and a $250,000 fine. He is currently in custody with his sentencing hearing scheduled for 5 April, 2018.