Disclosure: Our family is one of the “tens of millions” of Americans that may be affected by the Anthem data breach announced last year.
One of the repeating themes at this year’s annual Black Hat cybersecurity conference was the idea that cyber threats in general are now moving rapidly beyond the “prototype” phase into full scale production. One way that becomes apparent is by looking for datasets that are for sale on what’s known as the “dark web” using tools that are specifically designed to buy (or sell) anything with industrial strength anonymity.
Most of us have no need or use for this murky portion of the web because it’s rife with criminals selling drugs, illegal porn and now – software source code that has a significant footprint inside healthcare.
In fact, the dark web isn’t really accessible through a standard browser, and for good reason: standard browsers are too easy to track and trace – down to a specific IP address and (potentially) a username. Using the Tor browser (The Onion Router, estimated to have about 3M users), browser traffic and users can be anonymized with industrial strength. When combined with cryptocurrencies like Bitcoin, anonymous accounts can then launder money for any number of criminal activities – including drug sales, illegal porn and the sale of lucrative, illegally obtained datasets. Obviously a single data record has limited value, but large data sets – with enough individual detail – can (in theory) attract big money.
Earlier this month, the Chief Intelligence Officer for InfoArmor – Andrew Komarov – came across a listing on the dark web that raised the stakes considerably in healthcare’s ongoing battle with cybercriminals. I checked the URL and it’s still active today on a dark website known as AlphaBay Market.
Unlike other listings that offer actual datasets for sale, however, this listing offers software source code that was obtained illegally from a commercial software company called PilotFish Technology. PilotFish isn’t a widely recognized name in healthcare software, but that’s mostly because it doesn’t sell end-user applications like Electronic Health Record (EHR) software. Instead, PilotFish sells what’s known as “middleware”: software used by healthcare organizations globally to build custom connections between a wide range of healthcare applications – including EHRs – leveraging HL7 data standards.
“Now you can rapidly build HL7 and other healthcare interfaces with the PilotFish Automated Interface Assembly Line architected into our HL7 Interface Engine. Its modular design and automated functions offer the flexibility to integrate even the most challenging EHRs and other healthcare systems, applications and databases to any others.” – PilotFish Technology website
In many ways, precisely because it functions as connecting software, stolen source code of this kind poses a potentially greater risk to a healthcare community that relies heavily on secure software to exchange critical (and sensitive) health information. It’s effectively the software that brokers the exchange of health data between healthcare organizations.
The seller uses the alias batwhatma, but experts believe that it’s just a variant of the alias known as TheDarkOverlord – who may have amassed about 10 million health records that are also for sale (separately) on the dark web. It does appear that this one actor is specifically targeting healthcare – at scale.
I reached out to the CEO of PilotFish for comment, but there was no reply and that’s to be expected at this point in the criminal investigation. Once law enforcement is engaged, all information is hermetically sealed around a virtual layer of “Crime Scene” yellow tape.
Andrew offered this technical assessment:
“Because this is source code from a software vendor with a sizable footprint inside healthcare, it does represent a pretty rare and significant type of security incident. The attack vector creates a significant supply chain risk, along with an opportunity for targeted cyber attacks and spear phishing directed at customers of the affected software vendor, especially inside healthcare, which does aggregate a lot of sensitive data. This source code was first offered at “The Real Deal Market” with a price of 150 BTC (~$87,000). The seller at that time (“dark0verlord”) seemed to have difficulty finding a buyer at that price – which may be the reason he changed marketplaces and lowered the price to 50 BTC (~$29,000). Previously, he has compromised a big number of healthcare organizations and sold the data about their patients in the underground. Some new victims can be expected soon, as this breach is one of the latest in his timeline, affecting over 1,000 companies from the US, UK, Canada, Australia and Asia (customers of PilotFish).” – Andrew Komarov, Chief Intelligence Officer, InfoArmor
Is the listing real? In many ways, that’s the toughest question of all. By all appearances, it looks to be genuine, but it could also be an elaborate hoax. By definition, extortion is illegal – and it’s a tricky business – with lots of cons and deceit. That’s especially true on the dark web where anonymity is both standard and critical. Assuming it is real, as a “digital only” product, there’s also no way to prevent multiple sales – at different times – as a kind of revenue stream in perpetuity.
Stealing health records is one thing, but critical infrastructure software used by healthcare organizations globally does represent a new and different challenge. The legal liabilities – and costs – could easily bankrupt many companies. While I don’t know with any certainty, it’s unlikely that companies the size of PilotFish have sufficient cyber insurance coverage for the long term liabilities associated with an event of this magnitude – and corporate death by bankruptcy is a very real threat with data breaches. A separate headline today highlights just how real that possibility is.
Of course the other big cyber headline today wasn’t really healthcare related at all – but demonstrates the potential scale and scope of a production grade breach.
Just how much is 1 million BTC? At today’s exchange rate – about $578 million – give or take.