Hackers Sell Backdoors to $2 Billion Nonprofit, California Hospital and Michigan Government
Cybercriminals charge between $500 and $7,000 for access to organizations’ computers, and morality seems to have disappeared as Doctors Without Borders and a US hospital are targeted.
They’re called access brokers: hackers who find ways to gain access to corporate or government computers and open backdoors, charging others for entry. Typical buyers include cybercriminals wielding ransomware, the malware that has plagued businesses and governments worldwide in recent months. For sellers, who advertise their breaches on the Internet’s dark forums, morality is irrelevant when profit is all that matters. Risky targets include academic institutions, healthcare providers, and even charities.
Since late 2021, Alex Holden, founder of Hold Security, has seen various organizations get hit by these opportunistic digital underworld businessmen, including a handful Forbes could confirm, from local government to a hospital and a large non-profit organization.
In January, an advertisement was published offering access to a Spain-based server owned by Médecins Sans Frontières (Doctors Without Borders), a non-profit organization that draws between $1 billion and $2 billion a year from donors to help provide medical and humanitarian aid worldwide. A screenshot showing the hacker’s access indicated he had access to a web panel for Citrix owned by the Spanish branch of MSF, which could have allowed remote access to the nonprofit organization’s lucrative data, though it’s unclear how much or what kind of information.
A spokesperson for Médecins Sans Frontières said the attack ultimately had no impact on its operations. “Fortunately, this attack had no impact on MSF, neither financial nor related to our medical humanitarian operations. After a quick assessment, we immediately took corrective action and reinforced security procedures to prevent new, similar attacks,” they added.
“Such attacks have increased dramatically in recent years, not only in the NGO sector but in all organizations and businesses of a certain size. We continuously research and develop security procedures to prevent cyberattacks from affecting our humanitarian medical activities.” Just last month, the International Committee of the Red Cross announced that it had been the victim of a serious cyberattack, which could have resulted in the loss of data on 500,000 people.
Also last month, for just $800, the username and password for an account at John C. Fremont Hospital, a small facility in Mariposa, California, were offered by hackers on encrypted messaging chats. Holden says it was bought, although the hospital’s IT manager told Forbes he had found “no intrusion.” They did, however, confirm that the hackers had acquired a legitimate login from an IT employee. The hospital wasn’t sure how, as it continues to investigate.
In another alleged breach at a small, though not insignificant organization for the region, hackers were offering access to a Citrix server in the city of Ann Arbor, Michigan, with a population of over 120,000 and home to the University of Michigan. Holden could not determine the amount of this sale or if there was a buyer.
The city declined to tell Forbes more about the incident, as a spokesperson added: “Since Friday [11 February], the city’s IT team worked to further investigate this claim and determined that no personal information was compromised and the city’s online services continued uninterrupted. Our IT team is dedicated to protecting city data and continuously working to assess and implement cybersecurity best practices.”
Other alleged victims examined by Holden included a water treatment facility in Europe and a water management facility in Florida, although Forbes could not confirm details of the apparent violations.
A comfortable life for a hacker
The hacks show the diversity of breaches perpetrated by access brokers, which is confirmed in a report released Wednesday by cybersecurity firm CrowdStrike and shown to Forbes before publication. Looking at ads published since 2019, the research shows that the United States is by far the most targeted country, with more than 50% of access broker hacks tracked by CrowdStrike targeting US entities. The academic sector was the most targeted vertical, although government, technology and healthcare were also popular among access brokers.
As for the cost, the average price for access to a healthcare facility was over $3,800, compared to $6,150 for a government agency. Geography also affected the price, with American and British victims attracting a higher price, around $4,000 on average.
Whether it’s access brokers themselves or their customers stealing data or infecting targets with ransomware, the online underworld is only getting more profitable, according to Adam Meyers, senior vice president of intelligence at CrowdStrike. “It’s a dynamic economy [where] people spin and sell and make a lot of money. Hundreds of millions, billions of dollars.”
Successful brokers could earn up to $20,000 per month if they sell four accesses per month. “It’s a volume business,” Meyers said. It’s also a business where dealers have done a risk assessment, deciding only to open the door to other hackers rather than stealing data or locking files and demanding a ransom, which would attract more attention from law enforcement but offers a bigger payout if a company coughs up. “Many access brokers […] don’t want to take the highest risk.
“It’s probably a very comfortable lifestyle.”