The Onlyfans purchase connected Aleksanteri Kivimäki to the Vastaamo data breach

It appears from the preliminary investigation of the Central Criminal Police that the police connected Kivimäki to the data breach with the help of a “digital fingerprint”.

Aleksanteri Kivimäki, 26, accused of the Vastaamo data breach and related extortion, ended up as the police’s main suspect because of the IP address he used. From the same address, the database of Psychotherapy Center Vastaamo was accessed, purchases were made on the Onlyfans website, and a hotel room at Kämp was booked.

The authorities connected Kivimäki to the data breach with the help of a “digital fingerprint”.

At the time of the data breach, Psychotherapy Center Vastaamo’s server was accessed from the same IP address that, according to the police, was used by Kivimäki.

Vastaamo’s database was also found on a server used by Kivimäki’s company, which was rented with Kivimäki’s credit card.

Dispute

Kivimäki’s passport photo. Police preliminary investigation material

During the preliminary investigation, it was found that four logins to the server containing the patient database were made from the IP address used by Kivimäki using the unique SSH key connected to him.

An SSH key is a certain type of digital fingerprint, the purpose of which is to identify the user logging into the service and verify that the user has access to the service in question.

During the logins, the database was processed and searched. In addition, the IP address in question was used to log in to the Vastaamo server with the same SSH key at the same time as a connection was made to the Tor network and information was published there.

Based on the preliminary investigation, the IP address connected to Kivimäki had been used by him between May and October 2020.

Kivimäki himself denies the crime.

Watched series and movies on the computer

In the interrogations, Kivimäki has said that he uses VPN services, in which case the IP address also has other users. According to the police, the IP address in question is not the VPN address of any service provider.

The picture published by the name Ylilauta. According to the statement of the forensic laboratory of the Central Criminal Police, the photo shows Julius Aleksanteri Kivimäki. Aleksanteri Kivimäki was formerly known as Julius Kivimäki. Police preliminary investigation material

Aleksanteri Kivimäki lived a mobile life before his imprisonment. London, the United Arab Emirates, Kiev, Barcelona, France and Dubai are mentioned in his interrogation reports. He could not remember all the addresses where he had stayed. During the interrogations, he said that he owns cryptocurrencies.

When asked about IT devices, Kivimäki said that he only has a phone. Kivimäki said that he used Mac computers and sometimes Linux. He said that he kept “some servers” in his London apartment, which mainly contained movies and series.

The hotel reservation at Kämp had been made using Kivimäki’s personal information. Based on a request for information, the Onlyfans profile that used the same IP address was, in turn, in use by Kivimäki. Kivimäki admitted that he used the service, but did not want to comment on the matter otherwise.

Kivimäki participated in the preparatory session for the Vastaamo data breach case in the district court of Länsi-Uusimaa in October. Henri Kärkkäinen

Kivimäki participated in the preparatory session for the Vastaamo data breach in the district court of Länsi-Uusimaa in October. Henri Kärkkäinen

– I had a Macbook, at the beginning of the year, on which I have watched the series, but it suffered an unfortunate accident with a drinking glass. For a long time, I haven’t done anything on the computer other than watching series and TV, he stated.

Kivimäki said that he doesn’t have any physical possessions other than clothes. He said that he owns IT equipment, but according to his own words, he has no idea where it has gone.

– Quite a lot in the store, so it’s a bit of what fits in the bag, said Kivimäki.

Managing director

Kivimäki said that he is the CEO of a company called Scanifi LLC. According to Kivimäki, the purpose of the company was to perform risk assessments for insurance companies that sell cyber insurance to companies.

Kivimäki had numerous passports and identity cards at his disposal. Police preliminary investigation material

The purpose was to make a product that monitors the visibility of companies’ devices on the Internet and their updates.

– The purpose was to collect historical data on insurance companies’ customers, how well software updates are installed on devices visible on the Internet and if there are any services that should not be available on the Internet. The insurance companies could have monitored how well the companies have managed information security and evaluated the insurance risks from the historical data.

The police found a database dump, or data, used to extort Vastaamo on a server rented by Scanifi. According to Kivimäki, this came as a surprise to him. The twenty servers used by Scanifi were paid for with Kivimäki’s credit card.

“I know something”

The police tracked down Kivimäki with the help of simple investigative measures. In the photo, KRP’s head of investigation, crime commissioner Marko Leponen. INKA SOVERI

Aleksanteri Kivimäki did not know how to characterize his information technology skills during the interrogations. He said he knows how to use a computer, but not programming.

– I can do something on the computer. I hardly program anything. I know how to use a computer, I’m not really into programming or programming development, that’s other people’s trouble.

He said that he knows how to make small changes to existing programs, depending on the programming language. According to his own words, he does not build or develop programs from scratch.

– I have always stated that it will be easier to hire someone else to do it than to spend time on it myself.

Kivimäki said during the interrogations that he considers the accusations unfounded. He denies hacking into Vastaamo’s server, stealing, extorting or leaking the information found there. Kivimäki claims that he also personally knows the victims of the data breach.

– I think it’s a pretty lame trick, answered Kivimäki to the question about publishing the patient database.

Timeline of a data breach

Vastaamo suffered a data breach on 25–26 November 2018, in connection with which Vastaamo’s entire patient database at that time is suspected to have leaked into the possession of a third party.

On 28 September 2020, a blackmail letter was sent to Vastaamo, demanding a ransom in exchange for not publishing patient information.

When the ransom was not paid, patient information began to be published on the internet on 21 October 2020.

On 23 October 2020, the extortionist accidentally published a file containing part of the patient database online for a few hours.

On 24 October 2020, extortion letters were sent to Vastaamo’s customers demanding a ransom for the deletion of patient data.

During the blackmail, the suspect shared patient information on the dark Tor network. Patient information was also shared on a discussion forum called Ylilauta.
