Aug 16, 2018

Patrick McArdle reports:

One of two Nigerians who admitted to being part of a conspiracy to steal personal information from Vermont state employees and other U.S. residents was sentenced Tuesday in Rutland federal court to time served, or 14 months in jail.

Osariemen Isibor, 32, pleaded guilty in U.S. District Court in March to conspiracy to commit wire fraud.

Read more on the Rutland Herald.

Aug 10, 2018

Andy Mannix reports:

Cyberattackers have infiltrated e-mail accounts for about 20 Hennepin County employees since late June, and may have accessed the private information of people who rely on the county’s services, county officials revealed Thursday.

Using e-mails disguised as pay-raise notifications, a sophisticated phishing scam duped the employees into giving up their login information, then used their official e-mail accounts and signatures to spread the attack to other contacts, according to county officials.

Read more on StarTribune.

Aug 09, 2018

As Protenus’s Q-2 report for health data breaches in the U.S. indicates, phishing continues to account for a significant percentage of reported breaches. Here’s another phishing incident recently disclosed to HHS that will be in Protenus’s Q-3 report as affecting 13,034 patients:

July 20, 2018

At MedSpring Urgent Care (MedSpring), we take the privacy and security of our patients’ information seriously. We are providing the following information in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and applicable state law to explain that a third party may have had unauthorized access to personal information about certain patients who were treated at our facilities located in Illinois.

On May 8, 2018, an employee was the victim of an email phishing scam that we learned on May 17, 2018 may have resulted in unauthorized access to the employee’s email account. Email “phishing” scams involve an attempt by an unauthorized individual to obtain sensitive information, such as usernames and passwords, by disguising as a trustworthy entity.  Promptly after discovering the attack, MedSpring blocked the unauthorized party’s access to the email account and hired a leading cybersecurity forensics firm specializing in the investigation and resolution of cyberattacks to investigate the attack and determine what information may have been accessed by the unauthorized party.

On May 22, 2018, MedSpring discovered that the unauthorized party may have been able to access individuals’ personal information contained in the compromised email account and launched a thorough review of those emails. As a result of that review, we recently learned that information in that compromised email account may have included certain patients’ names, account numbers, medical record numbers, and dates and services relating to the provision of medical services.

At this time, we are not aware of any unauthorized viewing or misuse of our patients’ information. We are sending notification letters to all potentially affected individuals for whom MedSpring has up-to-date contact information. If you were treated at one of our Illinois facilities and do not receive a letter from us, you may call (866) 751-1317 toll free to determine whether your information was identified as being involved.  We have arranged to provide 12 months of identity protection and fraud resolution services through Experian to all individuals whose information was contained in the compromised email account.

Any individuals who receive a notification letter from MedSpring or who might otherwise be concerned about identity theft are encouraged to regularly review statements from their accounts and to periodically obtain their credit report from one or more of the national credit reporting companies. Individuals may obtain a copy of their credit report once every 12 months by either visiting, calling toll free at 1-877-322-8228, or completing an Annual Credit Report Request Form (found at and mailing it to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. For questions about identity theft, credit monitoring, and how to keep information secure, patients can visit this website:

We take the protection of our patients’ information very seriously and have taken steps to prevent a similar incident from occurring in the future, including the implementation of additional technological security features designed to prevent future phishing scams.

Any individuals who receive a notification letter from MedSpring or who were treated at one of our Illinois facilities may call (866) 751-1317 toll free with questions.

Aug 01, 2018

The Department of Justice announced a stunning arrest today of key players in one of the most damaging threat actors in the last decade. Kudos to all involved in their arrests. You can read the DOJ’s full press release below, but let’s start with a quote from a FIN7 hunter:

“FIN7 is the most prolific and advanced financially motivated threat actor of the decade.” – Charles Carmakal, Vice President and CTO of Mandiant, who has been tracking FIN7 since 2015.

For more details on FIN7, read today’s report from FireEye:

On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation

The following is DOJ’s press release, followed by links to some of the indictments:

Victim Companies in 47 U.S. States; Used Front Company ‘Combi Security’ to Recruit Hackers to Criminal Enterprise

Three high-ranking members of a sophisticated international cybercrime group operating out of Eastern Europe have been arrested and are currently in custody facing charges filed in U.S. District Court in Seattle, announced Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division, U.S. Attorney Annette L. Hayes for the Western District of Washington and Special Agent in Charge Jay S. Tabb Jr. of the FBI Seattle Field Office.

According to three federal indictments unsealed today, Ukrainian nationals Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30, are members of a prolific hacking group widely known as FIN7 (also referred to as the Carbanak Group and the Navigator Group, among other names).  Since at least 2015, FIN7 members engaged in a highly sophisticated malware campaign targeting more than 100 U.S. companies, predominantly in the restaurant, gaming, and hospitality industries.  As set forth in indictments, FIN7 hacked into thousands of computer systems and stole millions of customer credit and debit card numbers, which the group used or sold for profit.

In the United States alone, FIN7 successfully breached the computer networks of companies in 47 states and the District of Columbia, stealing more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations.  Additional intrusions occurred abroad, including in the United Kingdom, Australia, and France.  Companies that have publicly disclosed hacks attributable to FIN7 include such familiar chains as Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin and Jason’s Deli.  Additionally in Western Washington, FIN7 targeted other local businesses.

“The three Ukrainian nationals indicted today allegedly were part of a prolific hacking group that targeted American companies and citizens by stealing valuable consumer data, including personal credit card information, that they then sold on the Darknet,” said Assistant Attorney General Benczkowski.  “Because hackers are committed to finding new ways to harm the American public and our economy, the Department of Justice remains steadfast in its commitment to working with our law enforcement partners to identify, interdict, and prosecute those responsible for these threats.”

“Protecting consumers and companies who use the internet to conduct business – both large chains and small ‘mom and pop’ stores – is a top priority for all of us in the Department of Justice,” said U.S. Attorney Hayes.  “Cyber criminals who believe that they can hide in faraway countries and operate from behind keyboards without getting caught are just plain wrong.  We will continue our longstanding work with partners around the world to ensure cyber criminals are identified and held to account for the harm that they do – both to our pocketbooks and our ability to rely on the cyber networks we use.”

“The naming of these FIN7 leaders marks a major step towards dismantling this sophisticated criminal enterprise,” said Special Agent in Charge Tabb.  “As the lead federal agency for cyber-attack investigations, the FBI will continue to work with its law enforcement partners worldwide to pursue the members of this devious group, and hold them accountable for stealing from American businesses and individuals.”

Each of the three FIN7 conspirators is charged with 26 felony counts alleging conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft.

In January 2018, at the request of U.S. officials, foreign authorities separately arrested Ukrainian Fedir Hladyr and a second FIN7 member, Dmytro Fedorov.  Hladyr was arrested in Dresden, Germany, and is currently detained in Seattle pending trial.  Hladyr allegedly served as FIN7’s systems administrator who, among other things, maintained servers and communication channels used by the organization and held a managerial role by delegating tasks and by providing instruction to other members of the scheme.  Hladyr’s trial is currently scheduled for Oct. 22.

Fedorov, a high-level hacker and manager who allegedly supervised other hackers tasked with breaching the security of victims’ computer systems, was arrested in Bielsko-Biala, Poland.  Fedorov remains detained in Poland pending his extradition to the United States.

In late June 2018, foreign authorities arrested a third FIN7 member, Ukrainian Andrii Kolpakov in Lepe, Spain.  Kolpakov, also alleged to be a supervisor of a group of hackers, remains detained in Spain pending the United States’ request for extradition.

According to the indictments, FIN7, through its dozens of members, launched numerous waves of malicious cyberattacks on numerous businesses operating in the United States and abroad.  FIN7 carefully crafted email messages that would appear legitimate to a business’ employee, and accompanied emails with telephone calls intended to further legitimize the email. Once an attached file was opened and activated, FIN7 would use an adapted version of the notorious Carbanak malware in addition to an arsenal of other tools to ultimately access and steal payment card data for the business’ customers. Since 2015, FIN7 sold the data in online underground marketplaces. (Supplemental document “How FIN7 Attacked and Stole Data” explains the scheme in greater detail.)

FIN7 used a front company, Combi Security, purportedly headquartered in Russia and Israel, to provide a guise of legitimacy and to recruit hackers to join the criminal enterprise.  Combi Security’s website indicated that it provided a number of security services such as penetration testing.  Ironically, the sham company’s website listed multiple U.S. victims among its purported clients.

The charges in the indictments are merely allegations, and the defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

The indictments are the result of an investigation conducted by the Seattle Cyber Task Force of the FBI and the U.S. Attorney’s Office for the Western District of Washington, with the assistance of the Justice Department’s Computer Crime and Intellectual Property Section and Office of International Affairs, the National Cyber-Forensics and Training Alliance, numerous computer security firms and financial institutions, FBI offices across the nation and globe, as well as numerous international agencies. Arrests overseas were executed in Poland by the “Shadow Hunters” from CBŚP (Polish Central Bureau of Investigation); in Germany by the LKA Sachsen – Dezernat 33 (German State Criminal Police Office) and the Polizeidirektion Dresden (Dresden Police); and in Spain by the Grupo de Seguridad Logica within the Unidad de Investigación Technologica of the Cuerpo Nacional de Policía (Spanish National Police).

This case is being prosecuted by Assistant U.S. Attorneys Francis Franze-Nakamura and Steven Masada of the Western District of Washington with assistance from Trial Attorney Anthony Teelucksingh of the Justice Department’s Computer Crime and Intellectual Property Section.

Related Files from DOJ:

Jul 30, 2018

The Des Moines Register reports:

One of Iowa’s main hospital and clinic systems has notified about 1.4 million patients that their personal information might have been breached.

UnityPoint Health officials said hackers used “phishing” techniques to break into the company’s email system. The company, based in West Des Moines, said the hackers could have obtained medical information, such as diagnoses and types of care, that was included in emails.

Read more on the Des Moines Register.

UnityPoint’s web site has a notice and substitute notification. The former reads:

UnityPoint Health recently notified patients of a phishing email attack which compromised our business email system and may have resulted in unauthorized access to protected health information and other personal information for some patients.

We take our responsibility to protect patient information very seriously and deeply regret this incident occurred. Upon learning of this attack, we informed law enforcement authorities and launched an investigation with an expert computer forensics firm. We have taken a number of important steps to further protect our system and prevent similar situations from happening in the future.

We want to help our patients understand what happened and what it means for them. This site provides information from the patient notification letter and answers to frequently asked questions (FAQs). If you received a notification letter and have questions, or to determine if you may be affected, you may call our toll-free help line at (888) 266-9285. The help line is staffed by professionals familiar with this incident and knowledgeable about what you can do to protect against misuse of your information. The help line is available Monday through Friday, 8 a.m. to 8 p.m. Central Time.

Their substitute notice appears below:

Security Substitute Notification