Throwback Attack: An “ethical” DDoS attack on a children’s hospital

Courtesy: Brett Sayles

As the number of cyberattacks continues to rise, protecting critical infrastructure is more important than ever, because it is exactly that: critical to sustaining human life and the systems society depends on. That protection requires sound cybersecurity practices and management, and it requires learning from previous attacks. One attack type that keeps gaining traction is the distributed denial-of-service (DDoS) attack.

Hospitals are obviously an important piece of critical infrastructure, and a cyberattack of any kind on a hospital puts its patients at risk. In 2014, Boston Children’s Hospital was hit by a DDoS attack launched by a hacker acting in the name of the hacktivist collective Anonymous. The attack could have crippled the hospital’s entire system, but in the end it went no further than knocking the hospital’s network offline, resulting in a $300,000 loss of donations, according to HIPAA Journal. However, this isn’t a typical “hacker wants money” story. This is a story of retribution.

What is a DDoS attack?

A DDoS attack is one in which a threat actor floods a target with traffic from many sources at once, exhausting its bandwidth, connection tables or processing capacity so that legitimate users can no longer reach it. The target is rarely “shut down” in the literal sense; it is simply too busy to serve real requests. One example of a DDoS attack took place in March 2022 in the Marshall Islands, where an attacker was able to take the republic’s telecommunications systems offline.

DDoS attacks are commonly used to send a message to the victim and, of course, to make money, typically through extortion (ransom DDoS, where the flood stops only if the victim pays) rather than through ransomware. During the 2020 election, Chinese “hacktivists” hit Google with several DDoS campaigns as well.

Threat actor finds a cause to hack ethically

In 2013, a teenager named Justina Pelletier was admitted to Boston Children’s Hospital; she had previously been diagnosed with mitochondrial disease. Issues arose when clinicians at Children’s Hospital concluded that her symptoms were psychological rather than physical in origin.

Ultimately, her parents tried to transfer Pelletier back to the referring medical center, Tufts Medical Center, but Boston Children’s Hospital took them to court, alleging medical child abuse. The parents lost custody of their daughter, and she remained in the custody of the state of Massachusetts for 16 months.

One hacker, Martin Gottesfeld, heard the news of this case and wanted to protest it, so he decided to take matters into his own hands. The Department of Justice reported that, “[Gottesfeld] unleashed a DDoS attack that directed so much hostile traffic at the Children’s Hospital computer network that he not only knocked Boston Children’s Hospital off the internet, but knocked several other hospitals in the Longwood Medical Area off the internet as well.”

Had the cyberattack caused the hospital to lose power or taken any of its life-saving systems offline, patients’ well-being would have been at risk, adding a potential death toll to the equation. That is the particular danger of attacks on cyber-physical systems. Losing patient records or access to email is one thing; attacking building automation systems or other critical infrastructure is another thing entirely.

The cyberattack disrupted the hospital’s networks for about two weeks and cost Boston Children’s Hospital $300,000 in donations. More importantly, staff reported that communications with other health care facilities were disrupted.

The DDoS attack timeline

The DDoS attack itself took place over the span of about a week, starting with a threat posted on Twitter in the name of Anonymous. It stated that the hospital would fall victim to a cyberattack if it didn’t return Pelletier to her parents and punish the clinicians who had diagnosed her.

When the hospital didn’t comply, Gottesfeld targeted its website first. When that produced no change, he ramped up his attacks to include a domain name system (DNS) reflection flood. In a DNS reflection attack, the attacker sends DNS queries to large numbers of open resolvers with the source address forged to be the victim’s, so the resolvers’ responses, which are typically many times larger than the queries, are “reflected” onto the victim and saturate its links. The flood significantly slowed all traffic to the hospital’s site.
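What a DNS reflection flood of the kind described above looks like from the victim’s side, and one way to spot it in network flow data, as an added example that is not part of the original article and not the hospital’s actual detection logic. It assumes a simplified flow-record format (timestamp, source, source port, destination, destination port, bytes), a hypothetical hospital address range of 203.0.113.0/24, and constructed sample records; the alert thresholds are illustrative.

```python
"""Flag a DNS reflection flood in flow records (added example).

Added illustration, not code from the article or from the hospital's
response team. Assumes a simplified, constructed flow-record format
"ts src sport dst dport bytes", loosely modelled on NetFlow; all flows
are taken to be UDP.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since some epoch
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


# Hypothetical address range for the hospital's public-facing network.
HOSPITAL_NET = ipaddress.ip_network("203.0.113.0/24")

# Constructed sample. 203.0.113.10 sends two real queries to a resolver and
# gets two normal-sized answers, then receives large answers from seven
# resolvers it never queried: the signature of reflected, spoofed traffic.
# 203.0.113.11 receives two stray answers, which stay below the threshold.
SAMPLE_FLOWS = """\
# ts      src            sport  dst           dport  bytes
100.0  203.0.113.10   51234  198.51.100.53    53     64
100.1  198.51.100.53     53  203.0.113.10  51234    120
100.5  203.0.113.10   51240  198.51.100.53    53     64
100.6  198.51.100.53     53  203.0.113.10  51240    130
101.0  192.0.2.1         53  203.0.113.10     53   3200
101.0  192.0.2.2         53  203.0.113.10     53   3100
101.1  192.0.2.3         53  203.0.113.10     53   3300
101.1  192.0.2.4         53  203.0.113.10     53   3000
101.2  192.0.2.5         53  203.0.113.10     53   3150
101.2  192.0.2.6         53  203.0.113.10     53   3050
101.3  192.0.2.7         53  203.0.113.10     53   3250
102.0  192.0.2.8         53  203.0.113.11     53   3200
102.0  192.0.2.9         53  203.0.113.11     53   3200
"""


def parse_flows(lines):
    """Parse whitespace-separated flow records, skipping blanks and comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, nbytes = line.split()
        flows.append(Flow(float(ts), src, int(sport), dst, int(dport), int(nbytes)))
    return flows


def detect_dns_reflection(flows, victim_net, window=10.0,
                          min_reflectors=5, min_responses=5):
    """Return {victim_ip: report} for hosts receiving unsolicited DNS answers.

    An inbound UDP/53 response counts as solicited only if the same
    (victim, resolver) pair sent an outbound query within `window` seconds
    before it. A host is reported when its unsolicited answers come from at
    least `min_reflectors` distinct resolvers and number at least
    `min_responses`. The report also gives the average answer size, which
    is large in amplification floods (ANY queries, DNSSEC-heavy records).
    """
    last_query = {}  # (victim, resolver) -> timestamp of latest outbound query
    unsolicited = defaultdict(lambda: {"count": 0, "bytes": 0, "reflectors": set()})

    for f in sorted(flows, key=lambda f: f.ts):
        src_in = ipaddress.ip_address(f.src) in victim_net
        dst_in = ipaddress.ip_address(f.dst) in victim_net
        if src_in and f.dport == 53:
            last_query[(f.src, f.dst)] = f.ts
        elif dst_in and f.sport == 53:
            q = last_query.get((f.dst, f.src))
            if q is None or f.ts - q > window:
                rec = unsolicited[f.dst]
                rec["count"] += 1
                rec["bytes"] += f.nbytes
                rec["reflectors"].add(f.src)

    reports = {}
    for victim, rec in unsolicited.items():
        if rec["count"] >= min_responses and len(rec["reflectors"]) >= min_reflectors:
            reports[victim] = {
                "unsolicited_responses": rec["count"],
                "distinct_reflectors": len(rec["reflectors"]),
                "response_bytes": rec["bytes"],
                "avg_response_bytes": rec["bytes"] / rec["count"],
            }
    return reports


def run_sample():
    """Run the detector over the constructed sample and return the reports."""
    return detect_dns_reflection(parse_flows(SAMPLE_FLOWS.splitlines()), HOSPITAL_NET)


if __name__ == "__main__":
    for victim, report in run_sample().items():
        print(f"{victim}: {report}")
```

The check keys on the attack’s two tell-tale features: answers that no host on the network asked for, and many distinct resolvers “answering” at once. A real deployment would read NetFlow/IPFIX or a DNS-aware sensor such as Zeek rather than a text sample. The fix at the source is ingress filtering of spoofed packets (BCP 38) and response rate limiting on resolvers; at the victim end, the practical options are upstream scrubbing or rate-based filtering of inbound UDP/53 responses.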

Luckily, the hospital was able to keep the DDoS from reaching its intended target servers and wreaking havoc inside the hospital. A large enough flood can also slow network connections between devices inside the network, which could have caused a variety of problems with care delivery, as a Radware article on the attack suggests.

According to Radware, when the attack peaked, the threat actor was also using spear-phishing emails to “try to lure recipients into clicking embedded links or opening attachments, thereby granting access to part of the network behind the hospital’s firewall.” A flood that keeps the security team busy is a common cover for a quieter intrusion attempt.

Boston Children’s Hospital was swift to respond and to mitigate the damage, activating its incident response team. When the team began its assessment, it found that the hospital had lost the ability to send prescriptions to pharmacies and to access remote health records. The internal email system was also down.

Gottesfeld taken into custody for cyberattack

The FBI suspected Gottesfeld was behind the attack and seized his computers and hard drives for investigation. With charges pending, Gottesfeld and his wife fled the country.

Soon after, they ran into trouble with their boat and had to call for aid; they were picked up by a Disney cruise ship and taken into custody by the FBI. In February 2018, according to HIPAA Journal, “Gottesfeld was charged with two counts of conspiracy and two counts of causing damage to protected computer.”

Gottesfeld is on record as saying that he regrets none of his actions. He was sentenced to 10 years in prison and ordered to pay $443,000 in restitution. The major concern upon his release is that he will attack other targets if he finds another cause.

Where does “ethical” hacking of this kind stand? It is a gray area in the public debate, but not in professional terms: ethical hacking means testing with the owner’s authorization, and an unauthorized flood against a hospital is a crime whatever the motive, as the conviction shows. Needless to say, instilling strong cybersecurity practices in an organization will help it withstand attacks. Because Boston Children’s Hospital had a response team in place, it was able to act quickly before excessive damage was done.

Although this attack only truly led to lost money, it could have led to lost lives had the DDoS been executed on a larger scale or had Gottesfeld chosen a different type of attack (malware, a logic bomb). If the attack had reached the point where it affected life-saving medical devices, things could have been much worse.
