Hacker tied to D.C. Health Link breach says attack ‘born out of Russian patriotism’
The data beach that has exposed sensitive health care information of nearly two dozen members of Congress and their families — putting them along with tens of thousands of Washington area residents at risk of identity theft and additional cyberattacks — is apparently the work of a patriotic Russian hacker seeking to inflict damage on U.S. politicians.
In an online conversation with CyberScoop, the hacker who goes by the handle “Denfur” said the D.C. Health Link breach “was an idea born out of Russian patriotism.” Additionally, Denfur claimed that they and another persona known as “IntelBroker” who claimed responsibility for the attack previously focused on “the US and US politicians in attacks.” In this case, Denfur told CyberScoop, they targeted something in “the DC area and services that people in Congress/Senate would use.”
First reported on March 7, the breach of D.C. Health Link included included names, email addresses, dates of birth, home addresses, Social Security numbers and details about insurance policies belonging to members of Congress, their family and staff and prominent national security figures. The breach has already sparked three law enforcement and congressional investigations and a civil lawsuit, according to CBS News.
On March 9, Denfur posted a sample of the data to BreachForums that contained 200 entries, adding later that day that the “intended target WAS U.S. Politicians and members of U.S. Government” with a message that read “Glory to Russia!”
Denfur claimed that he is a Russian national, but that claim could not be independently verified. Asked to show proof of his nationality, Denfur said, “You just have to take my word.”
CyberScoop spoke with Denfur via an encrypted online messaging service after Denfur originally spoke with DataBreaches.net, a news site focused on cybercrime and data breaches. CyberScoop asked the author behind DataBreaches’ story to have Denfur contact CyberScoop. Denfur reached out on March 15. Over a series of conversations spanning several days, Denfur explained that targeting D.C. Health Link was purposeful and that it was not an altogether complicated operation to execute.
Denfur told CyberScoop that not all of the data that was stolen has been shared. “It will be released once our use for it no longer exists,” they said. Denfur added that they are not worried about U.S. or other international law enforcement. “If anything, I’m more worried about my country trying to do a favour for the US and myself or group becoming a sort of bargaining chip,” they said. “The current time brings uncertainty.”
Initially, IntelBroker offered the complete data set for sale March 6 for an undisclosed sum on BreachForums, a site where breaches were frequently announced and data posted and sold. That post was pulled down shortly after it went live. On March 8, House Speaker Kevin McCarthy, R-Calif., and House Minority Leader Hakeem Jeffries, D-N.Y., said in a joint letter to the Health Benefit Exchange Authority that the FBI informed them that it had purchased the data.
CyberScoop also reached out to IntelBroker, but did not receive any response after repeated requests. IntelBroker has claimed previous hacks or scrapes of information related to the U.S. Department of Defense, the Department of Health and Human Services and other U.S. government information. “If you look at past IB posts, Government was often a target,” said Denfur, who claimed IntelBroker is a “close friend” and collaborator. “But, as time goes on, it became harder to breach Government web servers, so you start to branch out to what they might use.”
This would not be the first time databases containing massive amounts of sensitive information about U.S. lawmakers and other government officials were attacked by hackers. Perhaps most famously, hackers linked to China obtained a treasure trove of data from the Office of Personnel Management in 2015.
However, it does not appear that this breach involved much technical sophistication, based on Denfur’s account of how the health care data set was obtained. Denfur claimed that the attackers managed to pull data from the Health Benefit Exchange Authority via a process known as “Google dorking,” where online searches through clever Google searches combined with queries through services such as Shodan (a search engine for internet-connected devices) can reveal information intended to be private. Denfur first made the claim about the data exfiltration method to DataBreaches.net.
Denfur could not provide proof that this was how the data was obtained, but an independent expert told CyberScoop that the method described by Denfur was “plausible,” and that finding databases online in this manner is not uncommon in the hacking world. “Finding open databases using Shodan is really basic script kiddie vibes,” said Silas Cutler, senior director for cyberthreat research and analysis at the Institute for Security and Technology. Even if it isn’t sophisticated, he added, it “continues to be highly effective.”
That data revealing private information of Congressional members — let alone tens of thousands of others in the DC area — would be stored and accessible this way would be “a sloppy mistake,” Cutler added. “It’s also a basic thing a pentesting team should have caught.”
The D.C. Health Benefit Exchange Authority has said that the data associated with 56,415 customers has been impacted, and that “the issue which led to this data breach has been identified and eliminated.” Its investigation remains ongoing, and it is working with cybersecurity firm Mandiant, the agency has said.
In a statement provided to CyberScoop, Adam Hudson, the agency’s public information officer, said the “investigation remains ongoing, however the issue which led to this data breach has been identified and eliminated. DC Health Link is working closely with Mandiant to conduct a comprehensive review of its security measures and controls, and we will be implementing new protocols going forward.”
A lawsuit that has been filed as a result of the breach accuses the D.C. Health Benefit Exchange Authority of maintaining the data “in a reckless and negligent manner,” and on a “computer system and network in a condition vulnerable to cyberattack.” The lawyer who filed the suit did not immediately respond to a request for comment.
A source familiar with the response to the breach previously told CyberScoop that whoever pulled the data from the site had at least some familiarity with database software to access the data.
CyberScoop obtained and analyzed the sample posted by Denfur and determined it was mostly likely authentic and included a range of public and private individuals throughout the D.C. area. Denfur shared a link to the full dataset on the forum March 12, and a CyberScoop analysis revealed that the full set included the data of at least 21 members of Congress, more than 1,800 people somehow connected to Congress, hundreds of people linked to 20 different foreign embassies and tens of thousands of other people.
Since the DC Health Link breach news broke, BreachForums has come under intense scrutiny. Last week, the FBI arrested Conor Brian Fitzpatrick, the alleged administrator of the forum known online as “Pompompurin,” and charged him with one count of conspiracy to solicit individuals with the purpose of selling unauthorized access devices, according to an affidavit filed by FBI Special Agent John Longmire. Since the news of the arrest was first published March 17 by Bloomberg, another forum administrator promised the site would remain online with new infrastructure.
It’s not clear whether Fitzpatrick’s arrest is related to the D.C. Health Link data breach. Fitzpatrick “has been something of a nemesis to the FBI for several years,” cybersecurity journalist Brian Krebs reported, citing examples of high-profile activity on Fitzpatrick’s site.
The other BreachForums administrator said in statement posted March 19 that “someone” had logged in to an old content delivery network server that was “used to just download large files from time to time,” suggesting that “someone has access to Poms machine.” As such, the administrator wrote, “I can’t confirm the forum is safe,” and said the site would not return.