Hospital hackers revisited: evolution and ethics


My inboxes on social media were flooded with messages as soon as news broke on August 4th about the largest ransomware attack on US hospital infrastructure since last year. So far, it has shut down 16 hospitals and 165 outpatient medical facilities.

That's because I was the first person in recent US history convicted for corrupting industrial control systems involving healthcare.

Interestingly enough, the rise in ransomware attacks against healthcare systems was anticipated. Unfortunately, the unidentified threat actors still managed to cause significant damage. Notwithstanding, what does this mean for the future? This is something I ask myself frequently.

The stakes are getting higher

I was known as “the hospital hacker,” as it were, as though in another life. I was 25 back then, and I operated as an insider threat for the purpose of weaponizing systems in a private healthcare facility to launch an attack against rival hackers. I considered the world my playground and set no boundaries against systems that should invariably be considered off-limits. Although I considered myself a hacktivist, it has never been clearly defined what a hacktivist is, as opposed to what a hacktivist should never be.

Though it wasn’t a hospital in the conventional sense – it was a private clinic – a threat to life and limb could have been a consequence. I digress. The recent events contrast with my past experiences as a cybercriminal, which is why everyone was quick to inform me about them. As it were, the justice department deemed that my actions could have caused a reckless risk of death and bodily injury. Whether or not that could have happened is not the point here.

Consider this: Hospitals house individuals experiencing a range of health conditions, from those in intensive care units (ICUs) and newborns to women in labor and surgical patients. When dealing with individuals whose well-being depends on the expertise of hospital personnel and the intricate support systems in place, targeting hospital systems is generally regarded as unacceptable.

Cold, sterile environments like hospitals are meant to fight against bacteria and viral growth because these proliferate in warm climates. Following that same vein of thought, I gave remote access to the clinic’s sensitive Heating, Ventilation, and Air Conditioning (HVAC) server to a fellow hacker. This hacker unceremoniously rebooted the machine, triggering a crash that caused all 5 coolers to go offline, with no redundancy server to kick in in case of emergency.

This meant that, during the downtime, climate-controlled medicines spoiled and had to be discarded at the clinic’s expense. Thanks to the prudence of the clinic’s staff, they identified the spoiled medicines before they could be administered to patients.

In retrospect, looking back at the days of my youth as a hacker, I showed little interest in consequences when my objectives possessed the helm of my mind. I never hacked for monetary gain; I hacked for sport and street cred. Still, that doesn’t make a difference when you consider compromising the integrity of healthcare systems.

From my having a historic conviction in US courts so long ago, leading to the moment that these healthcare incidents occurred, I cannot help but wonder if my own actions were just another domino, in effect culminating unto this very moment and leading to an unknown future that affects everyday users. I say this because hospitals aren’t the only critical network infrastructure being targeted by ambitious cyber threat actors.

The stakes are much higher nowadays. Therefore, when this old hacker looks back at the way things used to be in a bygone era, where we largely hacked to sate our appetites for curiosity and for intellectual challenge, I find myself as a staunch outsider when compared to this new generation of hackers driven by greed, a quest for fame, and geo-political leverage – often under the imaginary figment borne from fanatical idealism that they're making the world a better place.

Fast forward to the present day, and this modern hacker generation is targeting nuclear power plants, trains, military installations, financial institutions, and governments across the world, thanks to the seamless autonomy of powerful hacking tools. At some point, I feel something monumental is going to happen that takes human lives, and it will tip the scale in the privacy or security fight, and that debate will be concluded by force of new legislation.

The reason I say this is because the line between cyber terrorism and hacktivism is getting blurry.

The age of the cyberchrist

Nowadays, I reside within dark places, where I'd like to think that I am relatively invisible, as I dwell within a variety of hacker chatrooms, from the clearnet to the dark web. My goal is to track potentially high-risk cyberattacks that could jeopardize human life, and attempt to redirect those attacks.

Hacktivist groups have the right idea at heart because they see a global need to assist those disadvantaged or oppressed by war and injustice. That's because we live in a world where it's increasingly difficult to redress grievances. And while the world watches and engages in political debate, hacktivists enter the arena and fight for the people. They can now obstruct military advancements and ostensibly save lives, all from the safety of their computers. But does the world need youth across the globe to fight their wars? And most importantly, what is considered off-limits?

There are so many questions I want to ask when observing certain groups plan and strategize sabotage cyberattacks. In this case, I observed a group calling themselves “CyberSword” plan a strategic assault against a variety of thermal power plants within Belgorod City, Russia, and the Leningrad Nuclear Power Plant in the Sosnoviy Bor region.

I dug deep into the demographic data in the area around the nuclear power plant and learned that it's home to a population of over 65 thousand citizens. The first thing that came to my mind was Chornobyl. The leader of this collective, known only by the alias “Damien,” likewise noted that it was his goal to avoid causing a nuclear meltdown because “people’s lives are at risk after all, … Plus Finland is directly North of the lake so they’d also get hit.”

Power plants rely on SCADA (Supervisory Control And Data Acquisition) systems, which allow operators to continuously manage and monitor industrial devices that regulate physical processes such as speed, electricity, or power. SCADA is found throughout critical network infrastructure: power plants, the climate controls used in hospitals, water plants, gas, and a variety of others.

Hackers who target sensitive infrastructure idealistically do so with the intent to provide assistance or aid in times of war or political conflict. At the same time, hackers supplying tactical aid span a broad age spectrum, ranging from children to adults, who have little to no training in geo-political conflict.

In my own experience, most of us become inducted as outsourced war assets driven by the raw, emotional, and reactionary agitation from what we see and hear from news sources. I emphasize this because the fate of human lives is now crossing into a territory with new consequences we've yet to see but can only predict.

While CyberSword has many objectives in the Ukraine-Russian war, one of its ultimate goals is to help spark a civil war in Russia. Its short-term goals are to disrupt a key region where Russia resupplies the frontlines in its war with Ukraine. Damien acknowledges that an attack could go wrong and that they might run the risk of triggering a similar fate to Chornobyl. However, he didn't disband the operation, despite the risk of nuclear catastrophe and innocent lives lost.

During my investigation, I realized that while CyberSword’s leader is ambitious, he does not appear to hold radical ideologies. However, others did and were eager to spill the blood of Russian civilians and chalk them up as war-time collateral while yet having no stake in the actions of the Russian dictator.

This same mindset was shared among many within the US armed forces during Operation Enduring Freedom, when US military drone strikes killed hundreds of Afghan civilians and became the premise of the monumental data leak of Classified State Department cables by Pfc. Chelsea Manning to the whistleblowing platform WikiLeaks.

Damien offered this statement, saying: “We're not merely using a conventional method such as SCADA system exploitation as that will disrupt the process flow of target, which could lead to detonation, worst case scenario. What we devised is to first exploit the IoT system governing the power plants in order to disrupt control systems in a proper chain in order to safely cause a disturbance in the regime we will be attacking.”

He further explained that the purpose of the attack was to cause a “combat element” between Russian partisans and Russian forces. “However, if we feel the attack will lead to devastation, a warning will be broadcasted to local parliament urging evacuation.”

The ten nodes of hacktivism

A persistent issue remains – hacktivist groups aren’t governed by a fundamental set of rules or virtues to help participants understand what they stand for and how to avoid causing harm, whether real or imagined. Therefore, I devised a set of advisory nodes or rules to help give hacktivists a moral foundation:

  1. Innocent civilians or commercial infrastructure can never be collateral during an op.
  2. Hospitals, schools, and industrial controls that potentially might cause the loss of life must never be considered targets.
  3. We do not steal from the general working-class public nor from the innocent. Therefore, we do not cause economic hardship to the public. If money is stolen against this precept, it must be anonymously given back to society as charity.
  4. We do not steal data from the innocent. Shared services must be left the way they were found. Therefore, if we intrude, we touch nothing out-of-scope and leave the systems the way we found them.
  5. We must respect the mask.
  6. We must respect each other.
  7. We must not jeopardize the freedom or livelihood of our fellow person.
  8. We must not steal each other’s achievements so as to claim responsibility for what we did not do.
  9. We must not operate in the official capacity of a government informant except when it involves risk to the lives of the very people we are sworn to protect (e.g., child sex abuse, terrorism, etc.).
  10. All who violate the precepts herein are to be warned for the first offense, and cancelled for the second offense.

For my role in the healthcare breaches involving industrial controls, I ended up in an unclassified memo published by the North Dakota Homeland Security Anti-Terrorism Summary. This means that governments around the world are taking note and may interpret certain actions as fitting within the parameters of what is defined as terrorism. You and I may disagree with that interpretation, but it won’t matter when it's too late.