In a Private Industry Notification, the Federal Bureau of Investigation revealed that it knew of threat actors who targeted specific healthcare facilities. The FBI explained that these “hackers” hunted for open FTP connections at medical and dental practices across the United States. From there, the intruders stole sensitive medical information and used it for extortion, identity theft, or simply a darknet marketplace listing.
According to the FBI, the hackers take advantage of anonymous FTP servers for “the purposes of intimidating, harassing, and blackmailing business owners.” At DeepDotWeb, we mainly cover hacked healthcare records that land on the darknet. TheDarkOverlord is one of the best-known examples of a hacker who breached healthcare practices for the purpose of extortion.
The entity was interviewed by DeepDotWeb at one point about his attacks on healthcare practices across the United States. TDO hacked (mainly orthopedic) practices through Remote Desktop Protocol, not FTP. However, TDO then listed the stolen dumps on the darknet, often on the TheRealDeal marketplace. The listings served his extortion needs.
The hacker explained that “contact was attempted with the victim organization. However, they declined to respond. The attempt was made with each of their board of director members.”
“Why not just pay?” he asked in the encrypted chat with DeepDotWeb. “Money makes it all go away and it is a modest cost compared to the total financial damage you will suffer if you do not pay to keep it from getting leaked.”
The entity hacked, most notably, 9.3 million healthcare records from a single organization in the United States. Dissent Doe, a security researcher and analyst, verified information from the breach. Although she tested only a sample provided by the person(s), she effectively proved that the stolen data was legitimate. The credibility of her website, along with that of everyone else who reported the story, only increased the value of the healthcare data should a company decide to buy the stolen data back. If a company refused to comply with TDO, darknet sales provided fall-back income.
TDO’s methods matched only part of the FBI’s summary, but the extortion or blackmail aspect worked similarly; many companies hide breaches for an indefinite period of time for obvious legal and appearance reasons.
The Private Industry Notification pointed to a 2015 study from the University of Michigan that focused on open FTP servers. The researchers found 1 million FTP servers that allowed anonymous access. Anonymous access usually allows anyone, an attacker in this example, to log in to the server with default or potentially fictional credentials. The notice closed with a recommendation in light of the study:
“The FBI recommends medical and dental healthcare entities request their respective IT services personnel to check networks for FTP servers running in anonymous mode. If businesses have a legitimate use for operating an FTP server in anonymous mode, administrators should ensure sensitive PHI or PII is not stored on the server.”
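The check the FBI recommends can be scripted. The following is an added example, not code from the notice or from DeepDotWeb: it speaks the FTP control protocol directly (USER/PASS and RFC 959 reply codes), tries the two conventional anonymous usernames, and treats a 230 reply as "anonymous mode enabled". The hostname `ftp.internal.example`, the `ScriptedSocket` stand-in and the reply transcripts are constructed so the audit logic can be exercised offline.

```python
import socket

ANONYMOUS_USERS = ("anonymous", "ftp")   # the two logins an "anonymous mode" server accepts

def read_reply(rfile):
    """Return (code, text) for one FTP reply, joining RFC 959 multi-line replies."""
    raw = rfile.readline()
    if not raw: raise ConnectionError("server closed the control connection")
    first = raw.decode("latin-1", "replace").rstrip("\r\n")
    code, lines = first[:3], [first]
    if first[3:4] == "-":                     # "220-..." opens a multi-line reply
        while not lines[-1].startswith(code + " "):
            raw = rfile.readline()
            if not raw: raise ConnectionError("server closed the control connection")
            lines.append(raw.decode("latin-1", "replace").rstrip("\r\n"))
    return code, "\n".join(lines)

def check_anonymous_ftp(host, port=21, timeout=5.0, connect=socket.create_connection):
    """Return (anonymous_login, last_reply). `connect` is injectable for offline runs."""
    with connect((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        code, reply = read_reply(rfile)
        if code != "220":
            return False, "no FTP greeting: " + reply
        for user in ANONYMOUS_USERS:
            sock.sendall(f"USER {user}\r\n".encode())
            code, reply = read_reply(rfile)
            if code == "331":                 # server wants a password; any e-mail address will do
                sock.sendall(b"PASS audit@example.invalid\r\n")
                code, reply = read_reply(rfile)
            if code == "230":                 # 230 = logged in: anonymous mode is enabled
                sock.sendall(b"QUIT\r\n")
                return True, f"USER {user} accepted: {reply}"
        sock.sendall(b"QUIT\r\n")
        return False, reply

class ScriptedSocket:
    """Offline stand-in for a socket: replays canned server replies and records what we sent."""
    def __init__(self, replies): self.replies, self.sent = list(replies), []
    def __enter__(self): return self
    def __exit__(self, *exc): return False
    def makefile(self, mode): return self
    def readline(self): return self.replies.pop(0) if self.replies else b""
    def sendall(self, data): self.sent.append(data)

# Constructed transcripts: anonymous mode on (230 after PASS) and off (530 to every USER).
OPEN_SERVER = [b"220 FTP service ready\r\n", b"331 Please specify the password.\r\n", b"230 Login successful.\r\n"]
LOCKED_SERVER = [b"220 FTP service ready\r\n", b"530 Anonymous access denied.\r\n", b"530 Anonymous access denied.\r\n"]

if __name__ == "__main__":
    print(check_anonymous_ftp("ftp.internal.example", connect=lambda addr, timeout: ScriptedSocket(OPEN_SERVER)))
```

Against a real host drop the `connect=` argument; `OSError` (refused, timed out) and `ConnectionError` (server hung up mid-reply) propagate so the caller can log the host as unreachable rather than as clean.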