DDoS , Governance , Incident Response
Child Custody Case Allegedly Triggered Attacks in the Name of AnonymousThe hacktivist who allegedly launched distributed denial-of-service attacks in 2014 on Children's Hospital of Boston and another local healthcare facility in protest of a controversial child custody case has been indicted on federal charges.
See Also: Protect Your Microsoft Identity Infrastructure
Martin Gottesfeld, a 32-year-old biotech professional from Somerville, Mass., faces up to 15 years in federal prison if convicted on one count of conspiracy and one count of intentional damage to a protected computer. He'll be arraigned Oct. 26 in the U.S. district court in Boston.
Attorney Tor Ekeland, who is representing Gottesfeld in the case, tells Information Security Media Group that his client is being detained in a Rhode Island facility. The attorney, who says he expects the case will proceed to trial, had no comment about a Sept. 18 statement Gottesfeld provided the Huffington Post about "why I knocked Boston Children's Hospital off the Internet."
In the statement, Gottesfeld said he was motivated to launch the assault because, "I had heard ... too many ... horror stories of institutionalized children who were killed or took their own lives in the so-called 'troubled teen industry.'" With Boston Children's involvement in one high-profile case, Gottesfeld said an attack on the hospital during an important fundraising campaign "would hit [the hospital] where they appear to care the most, the pocket book and reputation."
Gottesfeld was arrested in February after he was found in a small boat off the coast of Cuba. Gottesfeld and his wife made a distress call after their boat ran into trouble (see DDoS Suspect Arrested After Rescue at Sea). A nearby Disney Cruise Ship responded to the distress call and rescued the couple.
In a statement issued at the time of his arrest, the U.S. Department of Justice said Gottesfeld had been aware of a federal investigation since October 2014, when the FBI searched his home in relation to a computer attack on the hospital network.
The DDoS Attack
On April 25, 2014, Children's Hospital of Boston confirmed that its website had been undergoing cyberattacks for nearly a week, which made some online services, such as patient appointment scheduling, sporadically inaccessible. At the time, the hospital said its website had been "the target of multiple attacks designed to bring down the site by overwhelming its capacity."
The hacktivist group Anonymous had been suspected of launching the attacks against the hospital in retaliation for its involvement in an ongoing child custody case that had drawn national attention. That case involved two Connecticut parents who had lost custody of their teenage daughter, Justina Pelletier, to the state of Massachusetts over allegations by the hospital that the parents medically abused the girl.
In addition to the DDoS attack on Children's Hospital, the indictment against Gottesfeld charges that he was also responsible for directing the launch of a DDoS attack on Wayside Youth and Family Support Network, a Framingham, Mass.-based residential treatment facility where Pelletier had been transferred for care during the custody dispute.
The indictment says that on March 23, 2014, Gottesfeld and an unindicted co-conspirator exchanged a series of Twitter direct messages discussing attacking the computer networks of institutions involved in Pelletier's treatment. Gottesfeld suggested that the first target be Wayside, according to the indictment.
Two days later, after the news media reported that a judge had granted permanent custody of Pelletier to the Massachusetts Department of Children and Families, Gottesfeld issued a series of public Twitter messages, which included the hashtag #Anonymous, calling for attacks on the Wayside network, the court documents say.
"The conspirators launched a DDoS attack against Wayside that day. The attack lasted for more than a week, crippled Wayside's website during that time, and caused it to spend more than $18,000 on response and mitigation efforts," the indictment says.
You Tube Video
Federal prosecutors also contend that on March 23, 2014, Gottesfeld posted a YouTube video calling, in the name of the hacking organization Anonymous, for action against Children's Hospital in response to its treatment of Pelletier. The video, which was narrated by a computer-generated voice, stated that Anonymous "will punish all those held accountable and will not relent until [Pelletier] is free."
Prosecutors say the YouTube video also directed viewers to a posting on the website pastebin.com that contained information about the Children's Hospital's server necessary to initiate a DDoS attack against that server.
Court documents say that on April 19, 2014, Gottesfeld and the conspirators initiated a DDoS attack against the Children's Hospital server that was identified in the pastebin.com posting.
"The DDoS attack, which directed hostile traffic at the hospital's network for at least seven days, disrupted that network and took the hospital's website out of service. The attack also disrupted the hospital's day-to-day operations as well as the research being done at the hospital," the indictment alleges.
"In an effort to ensure the attack did not compromise patient information, the hospital decided to shut down the portions of its network that communicated with the internet and its email servers. This effort successfully prevented the attackers from accessing any patient records or other internal hospital information," the indictment states.
The shutdown of the Children's Hospital's website, external internet porta, and email servers impacted communication throughout the Boston-area medical community, prosecutors note. It also disrupted an important fundraising period for the hospital by disabling the Children's Hospital fundraising portal.
Responding to, and mitigating, the damage from this DDoS attack cost Children's Hospital more than $300,000, court documents say. In addition, Children's Hospital estimates it also lost more than $300,000 in donations because the DDoS attack disabled the hospital's fundraising portal, the indictment states.
Neither Wayside nor Boston Children's Hospital immediately responded to ISMG's request for comment.
Difficult Cases
A federal law enforcement official tells ISMG that it's rare for DDoS-related cases to be prosecuted. "These are hard cases. It's so easy for bad actors to rent a DDoS platform, and many of these attacks are launched outside the U.S," he says.
Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, notes: "DDoS attacks like those experienced by Boston Children's Hospital, and the more recent incident involving the domain name system provider that disabled access to several cloud-based electronic health record systems, are a call to action for every healthcare organization."
Holtzman is referring to the recent DDoS attack on Dyn, which reportedly affected some EHR vendors' websites.
"It is critical that healthcare organizations have an incident response plan in place that ensures safe patient care when faced with a downtime incident involving the loss of access to electronic health record systems," he says.
Attorney Martin Tully, co-chair of the data law practice at law firm Akerman LLP, predicts there are likely to be more attacks like the recent one on Dyn, which leveraged numerous hacked internet of things devices to create a botnet. "This is because, among other things, many IoT devices are not designed with cybersecurity in mind," he says.
"The rising frequency and cost of cyberattacks in the healthcare industry is definitely a cause for concern for all institutions, especially those most ill-equipped to rebuff and respond to them," he says.