Kettering General Hospital's IT security has been breached by a well-known Russian hacking group, which has started using the hospital's email server to send spam emails advertising illegal goods on the dark web, according to penetration tester and social engineering expert Richard De Vere, principal consultant for the AntiSocial Engineer Ltd.
SCMagazineUK.com can exclusively reveal that the hospital is believed to have been compromised by Russian hacking group ‘Horux' in mid-August, although the true extent has only now been recognised by senior management at the hospital.
A spokesman for the NHS Trust hospital said it is “investigating the breach... in accordance with our policies and procedures,” but security experts warn that staff credentials could be being sold online for “dollars each”.
De Vere discovered the breach following research into the Lizard Stresser hack last year. He started researching Lizard Squad after the hacktivist group's Christmas Day 2014 DDoS attacks against Sony's PlayStation Network and Microsoft's Xbox Live. De Vere signed up for a Lizard Stresser demo account with a spam email address to find out more.
Later, when the Lizard Stresser database, containing numerous customer email addresses, was compromised and published at the start of this year, he soon found he was on the receiving end of promotional emails from Russian hacking group ‘Horux'.
Horux's website boasts of being “private information sellers and underground kings” and it sells everything from readily-available hacking tools to credit card details. “We sell every tool that exists on the black market, our prices are reasonable and cheap,” read one email from the group.
On this occasion, it appears to have accessed the email addresses leaked from Lizard Stresser and targeted them with promotional emails – perhaps assuming that all the names on this Lizard Stresser list were ‘black hat' hackers.
Crucially, however, De Vere noticed these emails were being digitally signed by Kettering General Hospital – a strong sign that the hospital's email has been compromised. He believes that the hackers did this to avoid email spam filters. The emails appear to have been sent by a VPS server, hosted by Indian hosting company shocksrv, and then authenticated by the email server at the hospital.
De Vere explained how the attackers work. “The group hack an organisation, gather what they want, then use the hacked email servers to forward these promotional offers,” he said.
The email server would be “at the attackers perusal”, further suggesting that “the same credentials to be able to send mail from these servers could also be used to authenticate email accounts”.
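As an added illustration, not from the article or from De Vere, here is the kind of header check a receiving organisation could run to spot the pattern described above: mail carrying an organisation's own DKIM signature that its server accepted, over an authenticated session, from a client outside the organisation's networks. The domain, address ranges and sample headers are constructed placeholders.

```python
import email
import ipaddress
import re
# Constructed sample: the organisation's server (mail.hospital.example) accepted an
# SMTP AUTH session (ESMTPSA) from an outside VPS, then DKIM-signed and relayed it.
SAMPLE_MESSAGE = """\
Received: from mail.hospital.example (mail.hospital.example [203.0.113.10])
  by mx.recipient.example with ESMTPS; Mon, 17 Aug 2015 10:02:11 +0000
Received: from vps.outside.example (unknown [198.51.100.77])
  by mail.hospital.example with ESMTPSA; Mon, 17 Aug 2015 10:02:09 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=hospital.example; s=mail; h=from; b=constructed
From: promo@hospital.example
"""

# "from <host> (... [<ip>]) by <server>" as most MTAs write a Received hop
HOP_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)", re.I)

def dkim_signing_domains(msg):
    """Lower-cased d= value of every DKIM-Signature header."""
    found = set()
    for value in msg.get_all("DKIM-Signature", []):
        m = re.search(r"\bd=([^;\s]+)", value)
        if m:
            found.add(m.group(1).lower())
    return found

def injecting_hop(msg, org_domain):
    """Hop (latest first) where a server under org_domain accepted the mail -> (client_ip, used_auth) or None."""
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold the header
        m = HOP_RE.search(value)
        server = m.group(3).lower().rstrip(".") if m else ""
        if server == org_domain or server.endswith("." + org_domain):
            # ESMTPA / ESMTPSA (RFC 3848) record that the client used SMTP AUTH
            authed = re.search(r"\bwith\s+E?SMTPS?A\b", value, re.I) is not None
            return m.group(2), authed
    return None

def check_relay_abuse(raw_message, org_domain, trusted_networks):
    """Flag mail the org signed although it was injected from outside its networks."""
    msg = email.message_from_string(raw_message)
    result = {"signed_by_org": org_domain in dkim_signing_domains(msg),
              "client_ip": None, "authenticated": False, "suspicious": False}
    hop = injecting_hop(msg, org_domain)
    if hop:
        result["client_ip"], result["authenticated"] = hop
        inside = any(ipaddress.ip_address(hop[0]) in ipaddress.ip_network(n)
                     for n in trusted_networks)
        result["suspicious"] = result["signed_by_org"] and not inside
    return result
```

On the sample above the check reports the outside VPS as the authenticated client and marks the message suspicious; the same message injected from an address inside the trusted range is not flagged.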
With his knowledge of the Horux group, he added that staff email credentials would likely be sold on the black market for “dollars each” and suggested that the breach may well go beyond email at the hospital.