'The Dark Overlord' Advertises Stolen Source CodeHacker Claims to Have Pilfered Code for Healthcare Data Interface Engine
"The Dark Overlord," a hacker who has been attempting to sell batches of personal and medical records supposedly stolen from U.S. healthcare organizations, is claiming a new victim: a large healthcare software developer (see Here's How a Hacker Extorts a Clinic).
His latest advertisement went up on July 12 on The Real Deal, an online bazaar for stolen data, fake IDs and drugs. The hacker is offering for sale what he claims to be the source code, software signing keys and customer license database for a Health Level Seven interface engine, a type of middleware that enables different kinds of software applications to exchange information. HL7 is a set of standards describing how electronic health information should be formatted.
In an interview over encrypted instant messaging, the hacker taking credit declined to name the U.S. software company. Many vendors sell HL7 interface engines as part of their products. He also declined to say how he was able to compromise the company, but claimed he gained root-level access - meaning total administrative control - to its servers.
Alex Holden, chief information security officer of the consultancy Hold Security, says it's difficult to say whether the hacker has, indeed, compromised something significant, but that it's not surprising that a healthcare vendor might have been compromised. "Unfortunately, information security within many medical facilities is not at the highest standards, so the entire industry ... is low-hanging fruit," he says.
For Sale: Digital Signature
The Dark Overlord claims he also obtained the software's signing keys. Software applications are usually "signed" with a digital signature, which then can be verified to ensure that a new version hasn't been tampered with. Software companies guard those secret keys carefully. If stolen, an attacker could insert spying code into the application and sign it with the private key, making the modification of the code appear legitimate.
"Signing applications or communications with properly trusted certificates may obviate a lot of scrutiny that a compromised application would have," Holden says. "With this type of access, theoretically, the hacker may be able to create malicious update packages."
Signing keys are often stored in hardware security modules, which are tamper-resistant hardware devices specially designed to protect the keys from theft. In the case of the compromised software company, the Dark Overlord claims the signing keys were left in a root directory, which he accessed.
The hacker posted a small snippet of code he claims is from the HL7 interface engine on Pastebin. It appears to be part of an HL7 application and is marked as "proprietary" and "confidential." The hacker omitted identifying information from the code sample that would make it possible to easily figure out the vendor. A notice at the start of the code sample says "Copyright 2008-2011," which suggests that the middleware may have last been updated five years ago.
Payment Sought via Bitcoins
The hacker is seeking 800 bitcoins, or about $533,000, for the whole package.
"There will be two sorts of buyers for this software," the Dark Overlord claimed in one instant message. "There will be the buyer whom is likely from a smaller country outside the United States who may be looking to purchase a complete package for a very fair price and use this in their own development or retail it directly after compilation. The second buyer is likely someone whom has very nefarious intentions - someone who would intend on using the keys to push a backdoor to the original customers of the victim company."
Over the last several weeks, The Dark Overlord has placed three other batches of data up for sale on The Real Deal: 48,000 records apparently from a clinic in Farmington, Mo.; 397,000 records allegedly from a healthcare provider in Atlanta; and 9.3 million records allegedly from an unnamed health insurance provider.
ISMG contacted several victims of the Farmington breach, and it appears that the data was legitimate. The Dark Overlord also provided additional information from that breach, including scans of driver's licenses and insurance cards. The clinic has not responded to repeated queries.
How Was Information Compromised?
The Dark Overlord claims to have compromised some organizations using a zero-day vulnerability in Remote Desktop Protocol, which is implemented in many remote access clients. But it's questionable if his claim is true. It's more probable that the attacks have been successful due to weak passwords and RDP clients that are accessible over the internet.
InfoArmor, a Scottsdale, Ariz.-based security vendor, published a report on July 12 summarizing some of the Dark Overlord's escapades. In mid-May, the company shared its findings with the National Healthcare and Public Health Information Sharing and Analysis Center, a U.S. agency that tracks cyberthreats against the health care industry.
"He attacks weak RDP servers," says Andrew Komarov, chief intelligence officer of InfoArmor. "That's why it is not an exotic vector."