Heartbleed fallout: Hackers nab 4.5 million records

Cyberattacks are getting more advanced than ever. Look no further than a recent case where hackers were able to nab 4.5 million health records from hospital patients after acting quickly to exploit the Heartbleed bug.

The attacks against Community Health Systems (CHS), which allegedly were based out of China, took place sometime in May or June of this year. It was first reported that the hackers used sophisticated malware as part of an advanced persistent threat (APT) attack.

That term covers a lot of ground. And recent reports from several sources show that the actual initial vector for the attack was the well-known, highly publicized Heartbleed vulnerability (CVE-2014-0160 in OpenSSL).

Hackers were able to collect sensitive information from 4.5 million CHS patients and others who had received referrals to the organization’s 206 hospitals in 29 states.

This includes patients':

  • names
  • birth dates
  • social security numbers
  • phone numbers, and
  • addresses

Attackers didn’t get credit card or medical data, however.

Well-known group

While it’s not known why the hackers were after this information, the group is well-known to Mandiant, the company CHS hired to analyze the attack.

The group usually targets intellectual property such as “medical device and equipment development data.” In this case, however, it appears that no intellectual property was stolen.

So why change course and go after personal information?

In short, the answer may just be “because it was there.”

Today’s hackers are highly opportunistic. If they find something worth taking, many take the stance that it’s always best to grab what you can, then determine if you have a use for it later.

Heartbleed opened the door

And according to TrustedSec, that’s exactly how this one came to be:

Attackers were able to glean user credentials from memory on a CHS Juniper device via the Heartbleed vulnerability (which was vulnerable at the time) and use them to login via a VPN.

From here, the attackers were able to further their access into CHS by working their way through the network until the estimated 4.5 million patient records were obtained from a database. This is no surprise as when given internal access to any computer network, it is virtually a 100% success rate at breaking into systems and furthering access.

What makes this case so interesting is that Heartbleed only came to light in early April (the bug was publicly disclosed on April 7, 2014), a few weeks before this attack took place.

In other words, the attackers acted quickly: they learned about the vulnerability, immediately tested whether they could take advantage of it on the CHS VPN device, and stole records, all before that device had been patched. Note what the bug gave them: not code execution, but up to 64 KB of the device's process memory per request, which is where active sessions and recently submitted login credentials live.

Lessons learned

First and foremost, this attack shows why it’s important to react quickly to major vulnerabilities (even though that’s sometimes easier in theory than in practice). A recent report even showed that most companies hadn’t fully protected against Heartbleed some three months after the bug itself was made public. With Heartbleed in particular, patching was only half the job: anything that had passed through the vulnerable process’s memory (session cookies, VPN passwords, private keys) had to be treated as exposed and rotated, because a patch does not recover credentials that were already read.

It also shows that today’s hackers aren’t always picky about their targets. With so many available targets, they can abandon plans of getting intellectual property and switch gears to stealing customer records as easily as flipping a switch.

Despite what many companies think, all data is valuable and it can all be the target of an attack.

If a hacking attempt has been made on your systems, that might not be the end of the story. What you detected may have been the opening barrage of a sophisticated attack, not a near-miss.

In the event of any attack, successful or not, evaluate what protections you have in place on other data. Alert key decision-makers right away, and work quickly to isolate the targeted data and remove any malware that may have made its way through.