Kettering General Hospital's IT security has been breached by a well-known Russian hacking group, which has started using the hospital's email server to send spam emails advertising illegal goods on the dark web, according to penetration tester and social engineering expert Richard De Vere, principal consultant for the AntiSocial Engineer Ltd.
SCMagazineUK.com can exclusively reveal that the hospital is believed to have been compromised by Russian hacking group ‘Horux' in mid-August, although the true extent has only now been recognised by senior management at the hospital.
A spokesman for the NHS Trust hospital said it is “investigating the breach... in accordance with our policies and procedures,” but security experts warn that staff credentials could be being sold online for “dollars each”.
De Vere discovered the breach following research into the Lizard Stresser hack last year. He started researching Lizard Squad after the hacktivist group's Christmas Day 2014 DDoS attacks against Sony's PlayStation Network and Microsoft's Xbox Live. De Vere signed up for a Lizard Stressor demo account with a spam email address to find out more.
Later, when the Lizard Stresser database, containing numerous customer email addresses, was compromised and published at the start of this year, he soon found he was on the receiving end of promotional emails from Russian hacking group ‘Horux'.
Horux's website boasts of being “private information sellers and underground kings” and it sells everything from readily-available hacking tools to credit card details. “We sell every tool that exists on the black market, our prices are reasonable and cheap,” read one email from the group.
On this occasion, it appears to have accessed the email addresses leaked from Lizard Stresser and targeted them with promotional emails – perhaps assuming that all the names on this Lizard Stresser list were ‘black hat' hackers.
Crucially, however, De Vere noticed these emails were being digitally signed by Kettering General Hospital – a strong sign that the hospital's email has been compromised. He believes that the hackers did this to avoid email spam filters. The emails appear to have been sent by a VPS server, hosted by Indian hosting company shocksrv, and then authenticated by the email server at the hospital.
De Vere explained how the attackers work. “The group hack an organisation, gather what they want, then use the hacked email servers to forward these promotional offers,” he said.
The email server would be “at the attackers perusal”, further suggesting that “the same credentials to be able to send mail from these servers could also be used to authenticate email accounts”.
With his knowledge of the Horux group, he added that staff email credentials would likely be sold on the black market for “dollars each” and suggested that the breach may well go beyond email at the hospital.
Most likely, the initial intrusion into the hospital servers would have been through a brute force attack against the email servers, or via credentials that were gathered as part of an ongoing phishing campaign.
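The pattern described above, where mail submitted from an external VPS is authenticated and signed by the organisation's own server, leaves a trace in the mail server's authentication log. The following is an added detection example, not code from the article or from any of the parties it names; it assumes a constructed, simplified log format and an assumed internal address range, and flags accounts that authenticate from untrusted networks or succeed only after repeated failures (the brute force pattern the article suggests).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample SMTP-AUTH log (not real data; format is an assumption):
# "<timestamp> AUTH user=<account> ip=<client ip> result=<ok|fail>"
SAMPLE_LOG = """\
2015-08-14T02:11:05 AUTH user=j.smith ip=10.20.1.15 result=ok
2015-08-14T02:13:40 AUTH user=j.smith ip=203.0.113.77 result=ok
2015-08-14T02:13:41 AUTH user=j.smith ip=203.0.113.77 result=ok
2015-08-14T02:20:09 AUTH user=a.jones ip=198.51.100.9 result=fail
2015-08-14T02:20:10 AUTH user=a.jones ip=198.51.100.9 result=fail
2015-08-14T02:20:11 AUTH user=a.jones ip=198.51.100.9 result=ok
2015-08-14T03:05:00 AUTH user=r.patel ip=10.20.3.8 result=ok
"""

# Assumed internal ranges from which staff normally submit mail.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
LINE_RE = re.compile(r"AUTH user=(\S+) ip=(\S+) result=(ok|fail)")


def is_trusted(ip: str) -> bool:
    """True if the client address falls inside a trusted internal range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious_auth(log_text: str, fail_threshold: int = 2) -> dict:
    """Return {account: [reason, ...]} for accounts whose submissions look abused.

    Two signals are raised: a successful login from an untrusted network (the
    compromised-relay case) and a success preceded by repeated failures from the
    same address (credential guessing)."""
    external_ok = defaultdict(set)   # account -> untrusted IPs that authenticated
    fails = defaultdict(int)         # (account, ip) -> failure count so far
    reasons = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        user, ip, result = m.groups()
        if result == "fail":
            fails[(user, ip)] += 1
            continue
        if fails[(user, ip)] >= fail_threshold:
            reasons[user].append(f"success from {ip} after {fails[(user, ip)]} failures")
        if not is_trusted(ip):
            external_ok[user].add(ip)
    for user, ips in external_ok.items():
        for ip in sorted(ips):
            reasons[user].append(f"authenticated submission from untrusted {ip}")
    return dict(reasons)
```

Run against a real submission log, the untrusted-network check is the one that would have exposed a VPS authenticating through the hospital's server; pair it with per-account send volume for lower false positives.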
Sources with close connections to the hospital have confirmed the security breach to our reporter, with some suggesting that the issue was “swept under the carpet” by senior executives at the hospital. It took two weeks for the hospital to acknowledge they were investigating the issue.
Infosec resources are also said to be tight at the organisation, which has around 3,000 staff.
Last week, the organisation advertised for an IM&T training manager to manage data quality and ensure “information collection and recording is of the highest quality”.
The incident has been reported to the Information Commissioner's Office (ICO) which confirmed it is looking into the issue. “We have received a complaint about Kettering Hospital and are making enquiries,” a spokesperson said.
A spokesman for Kettering General Hospital said: “The Trust has been made aware of an allegation that its IT security has been breached. We take this very seriously and are currently investigating the matter.” Requests for further information were declined and it is not clear whether personal information has been revealed, why the investigation has taken so long and whether the hospital had informed its staff.
Sarah Clarke, owner of the Infospectives Ltd Security GRC Consultancy, said considering the financial constraints in the public sector, she was not “hugely surprised” at the news.
She also said there were several unanswered questions regarding the breach. “There could be so many reasons for a breach like this. How far 'in' this goes will be key. Is it limited to email servers? If not, what is the breadth and depth of compromise across their network? Has patient data been impacted?” she told SC.
Clarke added that if the hospital was running its own email or DNS infrastructure, this could “equate to painting a big red target on your business”.
She believes organisations will ultimately be judged on their response to data breaches. “With breaches, as with any problems, how you deal with it is just as important as the fact it happened – don't skimp on planning an effective response no matter how secure you think you are. If PR-related panic and bureaucracy trumps prompt investigation and notification, it can be a dramatic own goal. I hope that's not the case here and, if it is, I hope staff or patients don't pay with their personal and financial security.”
Doug Drinkwater is a former senior reporter for SCMagazineUK.com.