FBI Thwarted ‘Despicable’ Cyberattack on Boston Children’s Hospital

In 2021, the Federal Bureau of Investigation (FBI) helped Boston Children’s Hospital mitigate a cyberattack by Iranian state-sponsored hackers before any damage could be caused. FBI Director, Christopher Wray, said the attempted cyberattack was “one of the most despicable cyberattacks I have ever seen.”

Speaking at Boston College for the Boston Conference on Cyber Security, Wray said Iranian state-sponsored hackers exploited a vulnerability in a popular software solution made by the Californian cybersecurity vendor Fortinet. The FBI was alerted to the breach and the pending attack by another intelligence agency and notified the hospital on August 3, 2021. Wray said the FBI met with representatives of the hospital and provided information that helped the hospital identify and mitigate the threat.

Wray said this was “a great example of why we deploy in the field the way we do, enabling that kind of immediate, before-catastrophe-strikes response,” and explained that the incident should serve as a reminder to all healthcare organizations to ensure they have an incident response plan that includes the FBI. Wray said this incident highlights the risk of high impact cyberattacks by nation-state threat actors from Russia, China, Iran, and North Korea, and said “We cannot let up on China or Iran or criminal syndicates while we’re focused on Russia.”

In November 2021, the FBI, in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA), the National Cyber Security Centre (NCSC) in the UK, and the Australian Cyber Security Centre (ACSC) issued a security alert warning the healthcare sector and operators of critical infrastructure about an Iranian nation-state Advanced Persistent Threat actor who was known to be exploiting Microsoft Exchange and Fortinet vulnerabilities to steal data, conduct ransomware attacks and extort money from victims.

Wray did not specify what type of attack the threat actor was attempting to conduct, only that a cyberattack could have damaged the network, which could have had a devastating impact on the sick children that depend on it. The cyberattack in question appears to have been conducted through an HVAC vendor.

In August 2021, a threat actor contacted Databreaches.net and shared evidence of a successful attack on an HVAC vendor and claimed that they had breached the HVAC vendor’s systems and also had access to the systems of a children’s hospital. It was confirmed that the HVAC vendor in question ENE systems, which provides services to the Harvard-linked hospitals, Boston Children’s Hospital, Brigham & Women’s Hospital, and Mass General Hospital.

Boston Children’s Hospital is no stranger to cyberattacks. Back in 2014, the hospital suffered a series of attacks that disrupted its systems for more than a week. The attacks were conducted in retaliation for how the hospital handled the case of patient Justina Pelletier, who was involved in a custody battle. The individual behind that attack was apprehended and convicted and was sentenced to 10 years in jail in 2019.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.