Exclusive: Attack on HVAC vendor gave threat actor access to Boston Children’s Hospital
If you think about “supply chain attack” and “HVAC,” you will probably immediately think of the headline-making Target breach of 2013. But that wasn’t the only breach via a third-party HVAC vendor. Just this month, several hospitals in Boston may have narrowly escaped potentially serious breaches when their HVAC vendor was hacked and the threat actor remotely accessed the clients’ systems. This is what we know — and don’t know — so far about the incident:
During the first week of August, DataBreaches.net was contacted by a threat actor. The threat actor mentioned that they had successfully attacked a HVAC vendor and had tried to extort the vendor to pay a fee. The threat actor claimed that the vendor knew that they had been breached as there had been communications about the breach and extortion demand. The vendor allegedly claimed that they were not really concerned about the breach — even though, the threat actor claimed, they had not been locked out and still had access to the vendor’s network — and to the vendor’s clients.
One of those clients, the threat actor claimed, was a children’s hospital.
After a few days, the threat actor informed this blogger that they really didn’t want to harm a children’s hospital or attempt to extort it — even though they claimed they already had been able to gain access to it.
Eventually, they agreed to tell this blogger the name of the vendor, the name of the hospital, and to provide screencaps with proof of access. The understanding was that this site would be contacting the hospital to make sure that they knew they had been breached via remote access from the vendor so that if the vendor had not informed them of the breach, they could take steps to protect themselves from other attacks.
On August 5, this blogger made contact with a security professional in the healthcare space and shared the proof with him. When he confirmed that it appeared that the threat actor had gained access, DataBreaches.net asked him to reach out to his contact at the victim hospital and give them the files in case they did not know they had been breached. He did.
DataBreaches.net has waited until now to report on the incident, trying to get confirmation from the parties and more details. That has been an exercise in futility. But here’s what we do know:
The vendor in question is ENE Systems in Canton, Massachusetts. ENE Systems lists three hospitals on its web site: Boston Children’s Hospital, Brigham & Women’s Hospital, and Mass General Hospital.
All three of those hospitals are part of Harvard.
Boston Children’s Hospital (BCH) was the hospital the threat actor told me they had access to and showed me screencaps for, taken remotely from within ENE Systems.
DataBreaches.net was provided with screencaps showing schematics and wiring diagrams. Some were for specific floors of the hospital, and the threat actor claimed to have a diagram for every floor of the hospital. The screencaps raised concerns about whether the threat actor could shut off BCH’s alarm systems and start tampering with the HVAC settings.
Because DataBreaches.net cannot evaluate the risk from publishing any of the screencaps, this site will not be publishing any of them at this time.
ENE Systems was sent multiple inquiries. They didn’t respond to any of them. DataBreaches.net does not know whether they notified BCH before DataBreaches.net did, and/or how many other clients of theirs they may have notified.
DataBreaches.net understands that the FBI is involved in the case, but does not know whether the vendor notified the FBI, or whether BCH did, or if the FBI found out through other means.
Boston Children’s Hospital, Mass General, and Brigham & Women’s Hospital were all sent multiple requests for statements and details. Only Mass General Hospital responded, and with a brief statement:
The hospital was made aware of potential cyber security issues involving one of its vendors. Once notified, immediate action was taken to follow appropriate guidance to mitigate the risk. Hospital systems and operations remain unaffected by this incident.
But how were they made aware? By ENE Systems? By the FBI? By Boston Children’s Hospital? It’s not yet clear, but as these are all Harvard-connected hospitals, it’s instructive to look back at what Boston Children’s Hospital did in 2014 when it received a threat that it would be attacked by a self-described member of Anonymous, and when it was subsequently attacked. In discussing the hospital’s response to the attacks by Martin Gottesfeld, Daniel Nigrin, M.D., their CIO, stressed how they immediately convened the organization’s Incident Response Team. Not just IT, but the whole organization’s team that mobilizes during disasters. Their response also included a number of proactive steps such as “going dark,” and shutting down the entire email system within 30 minutes of detecting malware-laden emails being sent to employees. They also contacted authorities, with the federal authorities subsequently advising them not to share information with the media as that attention might encourage Anonymous to keep attacking them.
The 2014 incident involving hacktivist motivation, escalating DDoS attacks, and malware-laden email seems significantly different than this recent attack, but it seems plausible that once BCH became aware of a threat, the entire incident response team might be notified and activated. And because they all use the same HVAC vendor, then it seems likely that the other hospitals would be contacted by BCH if they had not already been alerted by the vendor.
And perhaps, once again, they would close ranks and not answer questions from media.
So how many Harvard-connected hospitals did the threat actor actually access? We do not know because the threat actor did not tell DataBreaches.net and the Harvard-connected hospitals are not answering such questions – at least, not yet.
And how many of the vendor’s other clients were also compromised? ENE Systems’ web site lists schools, higher education facilities, high rises, biotech/research facilities, Commonwealth buildings — including the Statehouse — and even banks as clients. We do not know how many of them were either notified or actually breached by the threat actor– at least, not yet.
If ENE Systems, or any of the Harvard-related hospitals provide more information, this post will be updated.
DataBreaches.net suspects that the Boston Globe will follow up on this story and they have the resources, sources, and clout to make a lot of calls and, hopefully, get some answers.