A Michigan man pleaded guilty last week to hacking the computer network of the Washtenaw County Jail, where he modified inmate records in an attempt to have an inmate released early.
The man, Konrads Voits, 27, of Ann Arbor, Michigan, was arrested earlier this year after an FBI investigation.
According to court documents obtained by Bleeping Computer, from approximately January 24, 2017, until March 10, 2017, Voits used email spear-phishing and telephone social engineering to trick Washtenaw County Jail employees into downloading and running malware on their computers.
Voits sent emails to jail staff posing as a man named "Daniel Greene" and asked for help with obtaining court records, and later also registered the domain "ewashtenavv.org," a look-alike of "ewashtenaw.org," Washtenaw County's official portal.
Despite his efforts, the email spear-phishing campaigns were unsuccessful, and in mid-February, Voits switched to calling county jail employees.
During his calls, investigators said Voits posed as "T.L." and "A.B.," two actual Washtenaw County Jail employees, both working in the jail's IT department.
Voits called other jail employees and asked them to visit certain websites to download and install an executable that would "upgrade the County's jail system."
Some jail employees fell for Voits' scheme and installed malware on their computers.
"Through the installation and use of this malware, Voits was able to gain full access to the County network, including access to sensitive County records such as the XJail system (the computer program used to monitor and track inmates in the County Jail), search warrant affidavits, internal discipline records, and County employee personal information," the plea agreement reads.
The FBI says Voits was able to obtain information, including passwords, usernames, emails, and other personal information of over 1,600 County employees.
Once Voits had access to this data, investigators said he accessed the XJail system, searched and accessed the records of several inmates, and modified at least one entry "in an effort to get that inmate released early."
Jail employees noticed the modification right away and, realizing what had happened, alerted the FBI soon after. The Washtenaw County Jail also hired a security company specializing in incident response to clean its IT network.
Jail officials said they paid $235,488 "to determine the full extent of the breach, to reimage numerous compromised County hard drives, to verify the accuracy of the electronic records of nearly every then current County Jail inmate, and to attempt to reassure the 1,600 County employees whose personal data had been compromised by purchasing an identity theft program for County employees."
After pleading guilty last week, Voits now faces up to ten years in prison and a fine of up to $250,000. Voits also had to forfeit all the electronic equipment he used to carry out his attacks: a laptop, four phones, one circuit board, and an undisclosed amount of Bitcoin.
Voits remains in custody. A judge scheduled his sentencing hearing for April 5, 2018.