Hacking Incident Has an Unusual EndingHacker Claims to Drop Malicious Plans After Learning of Entity's Mission
A recent hacking incident had an unusual twist: The hacker who broke into the network of a Pennsylvania-based nonprofit entity apparently decided against injecting malware or proceeding with other malicious activities after discovering the organization serves individuals with intellectual disabilities.
The hacker notified Passavant Memorial Homes Family of Services through its "contact us" webpage of the unauthorized network entry using an authorized user's username and password.
"The unauthorized user claimed not to have taken malicious actions - such as infecting the system with malware - in light of the 'activity' of PMHFOS, presumably referencing PMHFOS' mission and provision of services to individuals with intellectual disabilities, autism and behavioral health needs," the organization says in a notification statement.
"We learned of the [hacking] incident through that communication on the contact us page. That also gave us a chance to overhaul our systems" to enhance security, the organization's in-house attorney, Andrea Parenti, tells Information Security Media Group.
Still a Breach
Despite the hacker's claims of not having installed malware, the organization reported the incident to law enforcement as well as to its cyber insurance carrier.
"Forensics investigators were hired immediately to determine what information, if any, may have been affected," the notification statement says. "Investigators quickly verified that no viruses or malware were left behind on the system and that no data had been encrypted. Forensic experts also ran a 'dark web' search for any information related to PMHFOS data for this event, and no information was found."
The forensics investigation, however, was unable to rule out the possibility that individually identifiable information may have been accessed or removed from the PMHFOS network, the statement adds.
"We didn't want to take anything for granted," Parenti says. As a result, PMHFOS on Oct. 14 reported the hacking incident to the Department of Health and Human Services as a breach affecting 25,000 individuals and also notified state regulators and individuals who were potentially affected..
Lucky Break or False Promises?
Situations involving hackers having a change of heart in carrying out their schemes due to professed moral or ethical issues are relatively rare (see: Boston Children's Hospital DDoS Attacker Convicted).
"While actors claim to avoid attacks on certain sectors based on their principles, it could also be a matter of simple self-preservation."
—Brett Callow, Emisoft
"A number of ransomware groups claim to avoid attacks on healthcare organizations and have held that position since before the pandemic started," notes Brett Callow, a threat analyst at security firm Emisoft (see: COVID-19 Complications: Ransomware Keeps Hitting Healthcare).
Some groups also claim to avoid attacks on charities, schools, 911 services and governments, he says.
"In past cases in which organizations have been unintentionally targeted, the actors have supplied the decryption tool at no cost - as was the case in the recent Dusseldorf incident," Callow notes, referring to a recent ransomware attack that was aimed at a German university but affected an affiliated hospital instead.
That German incident allegedly led to the death of a patient whose emergency care was delayed as a result of the ransomware attack (see: Ransomware Attack at Hospital Leads to Patient's Death).
"While actors claim to avoid attacks on certain sectors based on their principles, it could also be a matter of simple self-preservation," Callow says.
"Attacks on healthcare providers may elicit a stronger response from governments and, of course, any resulting loss of life could result in negligent homicide charges against the individuals responsible.
"For purely egotistical reasons, some groups like to portray themselves as Robin Hood-like characters - they're not. They're conscienceless criminals. Every single one of their attacks impacts people's lives and livelihoods - in some cases drastically."
Max Henderson, incident response lead and senior security analyst at security consultancy Pondurance, offers a similar assessment.
"During the initial phase of the COVID-19 lockdown, some ransomware groups did appear to partake in a ceasefire on encrypting emergency care centers," he says. "However, this truce didn't apply to the ransomware industry nor the healthcare industry as a whole."
Henderson adds: "It is rare that we truly understand the moral or ethical consciousness for any individual or group effort behind these attacks. We have seen organizations who operate under mission statements similar to PMHFOS' that have been extorted by ransomware groups. I've seen many situations where you would've hoped a moral line would be drawn - and it wasn't."
Although he acknowledges that there are strong ethical and moral concerns surrounding the unauthorized entry into the FMHFOS network, Henderson observes: "I'd like to believe that a boundary may have been reached which, for me, is refreshing to hear that it might even exist."