A hacker who attacked Boston Children’s Hospital (BCH), fled the US when the Feds came knocking, and was subsequently plucked off a sailboat bobbing off the coast of Cuba has been found guilty.
A federal jury in Boston found Martin Gottesfeld guilty of one count of conspiracy to damage protected computers and one count of damaging protected computers, the Department of Justice (DOJ) announced on Wednesday.
In 2014, Gottesfeld affiliated himself with the Anonymous brand of hacktivism and left multiple hospitals hamstrung by flooding their computer networks with distributed denial of service (DDoS) e-garbage and putting out the standard, monotone Guy Fawkes call for others to join in.
It was done as, what he considered, justifiable payback for BCH’s “parentectomy” in the Justina Pelletier case, Gottesfeld said. As you might recall, starting 14 February 2013, then-15-year-old Justina was held in custody as a ward of the state in Massachusetts, at the order of a Boston hospital that decided her illness was all in her head, aggravated by what some doctors perceived to be medical abuse doled out by her parents.
The public and patients’ rights advocates were memorably outraged over the girl’s ordeal, which entailed strictly limited visitation with her parents, restriction of discussions of her medical issues in front of Justina, plus a gag rule imposed on her father (he broke it in order to tell the media her story; contempt charges were subsequently filed against him).
That outrage rose to a head in April 2014 and burst into cyber warfare. That’s when hacktivists who slapped themselves with the Anonymous label decided to inject themselves into the situation by launching #opJustina .
As the DOJ describes it, the first target was Wayside Youth and Family Support Network, the Framingham residential facility where Justina had been living under state custody. The DDoS attack crippled Wayside’s network for more than a week and caused the facility, which provides mental health counseling and family support services to children, to spend $18,000 on response and mitigation efforts.
Then, Gottesfeld went after BCH, launching a massive DDoS attack against the hospital’s network. The DOJ says he customized malware that he installed on 40,000 network routers that he was then able to control from his home computer.
He spent more than a week polishing that ball of bad. Then, he unleashed the attack on 19 April, 2014, directing so much e-flotsam at the hospital that it not only knocked BCH off the internet but it also spilled over and swamped several other hospitals in Boston’s Longwood Medical Area.
The attack flooded 65,000 IP addresses used by BCH and the other local hospitals. BCH’s network was out of commission for at least two weeks, interrupting access to internet services used to treat patients, preventing patients from talking to their doctors, and meaning that patients and medical personnel couldn’t access their online accounts, check appointments, or access test results and other case information.
All told, BCH claimed that the attack cost more than $300,000 in damage and remediation, plus another $300,000 or so loss in donations, given that the attack disabled the hospital’s fundraising portal.
The BCH attack was planned for maximum financial damage, Gottesfeld said: he knew that the hospital was planning a big fundraising drive and that most donors gave online.
Gottesfeld had posted a YouTube video on 23 March 2014, calling, in the name of Anonymous, for action against the hospital in response to its treatment of Justina. The video directed viewers to a Pastebin post that supplied information necessary to initiate a DDoS attack against the hospital’s server.
Multiple DDoS attacks hit Boston Children’s Hospital over the weekend of 19 April and on into the following week.
The FBI searched Gottesfeld’s apartment in October 2014, in connection with the attack. Then, he skipped town. The FBI tracked him down to a Disney cruise ship that came to his aid when the hacker and his wife wound up on a disabled sailboat, along with some luggage and three laptop computers.
After Disney rescued the couple, they dropped them off in Miami, into the arms of waiting FBI agents, who arrested Gottesfeld. He was charged in February 2016.
The charge of conspiracy could result in a sentence of no greater than five years in prison, three years of supervised release, a fine of $250,000 and restitution. The charge of damaging protected computers provides for a sentence of no greater than 10 years in prison, three years of supervised release, and a fine of up to $250,000. Maximum sentences are rarely handed out, though.
Gottesfeld’s sentencing is scheduled for 14 November, 2018.
Source : Naked Security