The Cyber-Avengers Protecting Hospitals From Ransomware

The Czech incident made it clear to Zaidenberg that his fears were justified. Israel was in the process of locking down, and he knew he would soon have a lot of time on his hands. He also knew his cybersecurity skills could help prevent attacks like the one in the Czech Republic. After all, he was already monitoring virus-related threats for work. What if there were a way to scale that up globally, a way to alert hospitals—any hospital, anywhere—that they might be vulnerable, before an attack happened?

That same day Zaidenberg noticed that Nate Warfield, a Microsoft security manager he’d recently met, was tweeting about the exact same thing. “We as infosec professionals have skills and tools our colleagues supporting the medical field may not,” Warfield wrote. “I encourage all of you to do what you can in your communities and regions to help defend them.” Zaidenberg messaged him right away. He floated the idea of recruiting a group of cyber threat researchers to work, pro bono, assessing threats related to the virus.

Warfield wrote back less than a minute later: “I would absolutely participate.”

Warfield, who has thick, tattooed forearms and an enormous red beard, had traveled to Tel Aviv from his home in Seattle in February. There, he’d given a talk about a recently discovered vulnerability in a Citrix appliance called a Netscaler, a load balancer that distributes web traffic across multiple servers and typically sits at the internet-facing edge of a network. The vulnerability left tens of thousands of companies exposed to remote attackers. After seeing the news from the Czech Republic, he wondered whether any unpatched Netscalers were running on hospital networks. He opened Shodan, a search engine for internet-connected devices, and ran a query for Netscalers, paired with the keyword “health.” Six different health care network names popped up.

“Oh no,” he thought.

That night, he did a more focused search, looking for additional unpatched Netscalers, working through every health-care-related keyword he could think of: “medical,” “doctor,” “hospital.” He also hunted for other vulnerabilities, including one discovered just days before that could travel from machine to machine, letting attackers set their own code loose on computers running Windows 10. By the next day, he’d found 76 unpatched Netscalers and more than 100 other vulnerabilities in health care facilities all across the US. He recognized the names of some of the biggest hospitals in the country. One in particular seemed to jump off the screen—his own doctor’s network was running an exposed Netscaler. “When it’s your own doctor that’s at risk, that’s scary,” Warfield says. “That’s when it really hit home.”
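The keyword sweep described above, written out as an added example rather than code from the article or from the CTI League. It expands one product keyword across a list of sector keywords using Shodan’s `org:` filter (an assumption about which filter Warfield used; the article only says the product was “paired with” a keyword), merges the results so a host that matches several keywords is counted once, and groups the survivors by organization, which is the list you would actually take to an ISAC. The `fake_search` function and its sample hosts are constructed so the code runs offline; against live data you would pass `shodan.Shodan(API_KEY).search` instead, which returns the same `{"total": …, "matches": […]}` shape. A Shodan hit shows exposure, not patch state, so each entry is a lead to verify, not a confirmed vulnerability.

```python
"""Keyword-expanded Shodan sweep for an exposed product, deduplicated per host and organization.

Added example; not the article's or the CTI League's own code. Sample hosts below
are constructed (RFC 5737 documentation addresses), not real Shodan results.
"""
from typing import Callable, Dict, List

PRODUCT = "Netscaler"
# Keywords named in the article plus "clinic" (an added assumption).
KEYWORDS = ["health", "medical", "doctor", "hospital", "clinic"]


def build_queries(product: str, keywords: List[str]) -> List[str]:
    """Pair the product banner text with Shodan's org: filter for each sector keyword."""
    return [f'{product} org:"{kw}"' for kw in keywords]


def sweep(queries: List[str], search_fn: Callable[[str], dict]) -> Dict[str, dict]:
    """Run every query and merge matches by IP, so one host hit by several keywords is one lead."""
    hosts: Dict[str, dict] = {}
    for query in queries:
        result = search_fn(query)  # live use: shodan.Shodan(API_KEY).search(query)
        for match in result.get("matches", []):
            ip = match["ip_str"]
            entry = hosts.setdefault(ip, {
                "ip": ip,
                "port": match.get("port"),
                "org": match.get("org") or "unknown",  # Shodan leaves org unset for some ranges
                "hostnames": set(),
                "queries": set(),
            })
            entry["hostnames"].update(match.get("hostnames", []))
            entry["queries"].add(query)
    return hosts


def group_by_org(hosts: Dict[str, dict]) -> Dict[str, List[str]]:
    """One notification target per organization, with the exposed IPs it owns."""
    by_org: Dict[str, List[str]] = {}
    for host in hosts.values():
        by_org.setdefault(host["org"], []).append(host["ip"])
    return {org: sorted(ips) for org, ips in by_org.items()}


# --- constructed offline stand-in for the Shodan API -------------------------
SAMPLE_HOSTS = [
    {"ip_str": "203.0.113.10", "port": 443, "org": "Example Health System",
     "hostnames": ["vpn.example-health.test"], "data": "Citrix NetScaler Gateway"},
    {"ip_str": "203.0.113.11", "port": 443, "org": "Example Health System",
     "hostnames": [], "data": "Citrix NetScaler Gateway"},
    {"ip_str": "198.51.100.5", "port": 443, "org": "Metro Medical Center",
     "hostnames": ["remote.metro-medical.test"], "data": "Citrix NetScaler"},
    {"ip_str": "198.51.100.6", "port": 443, "org": "Regional Hospital Network",
     "hostnames": [], "data": "NetScaler ADC"},
    # Matches both "doctor" and "clinic": must appear once in the merged list.
    {"ip_str": "203.0.113.20", "port": 443, "org": "Doctors Clinic of Springfield",
     "hostnames": [], "data": "Citrix NetScaler"},
    # Right product, wrong sector: the keyword filter should drop it.
    {"ip_str": "192.0.2.7", "port": 443, "org": "Unrelated Retail Co",
     "hostnames": [], "data": "Citrix NetScaler"},
    # Right sector, wrong product: the banner filter should drop it.
    {"ip_str": "192.0.2.8", "port": 80, "org": "Springfield Health Department",
     "hostnames": [], "data": "Apache httpd 2.4"},
]


def fake_search(query: str) -> dict:
    """Emulate Shodan for a query of the form '<product> org:"<keyword>"' over SAMPLE_HOSTS."""
    product, _, rest = query.partition(' org:"')
    keyword = rest.rstrip('"').lower()
    matches = [h for h in SAMPLE_HOSTS
               if product.lower() in h["data"].lower() and keyword in h["org"].lower()]
    return {"total": len(matches), "matches": matches}


if __name__ == "__main__":
    leads = sweep(build_queries(PRODUCT, KEYWORDS), fake_search)
    for org, ips in sorted(group_by_org(leads).items()):
        print(f"{org}: {', '.join(ips)}")
```

Swapping `fake_search` for the real client is the only change needed for a live run; keep the merge step, because without it the same Netscaler shows up once per keyword and inflates the count you report.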

Warfield spent almost 45 minutes trying to figure out how to contact his doctor’s network IT security team. Finally, he found his way to the LinkedIn page of someone who seemed to work there and sent a message, cramming who he was and the problem he’d found into the 1,900-character limit and hoping he didn’t sound like a scammer. As he expected, he never heard back.

“This is not an efficient way to do this,” Warfield realized. “I’m never going to be able to contact all these people.”

Just before Zaidenberg messaged him, Warfield sent his list of vulnerabilities to Chris Mills, a colleague of his at Microsoft. He hoped Mills would have a better idea of how to get in touch with the hospitals. As it happened, Mills knew people at the Healthcare Information Sharing and Analysis Center, or ISAC. An ISAC is an independent nonprofit that monitors and shares threats specific to particular sectors of the economy—the result of a push two decades ago by the federal government for major industries to better understand the risks they face. Today there are ISACs for everything from the entertainment world to the retail sector to the maritime industry.

Mills figured the ISAC would know how to contact the right people at the right hospitals. As he passed the list along, Zaidenberg set up a Slack group for what he’d decided to name the Cyber Threat Intelligence League. A few days later, Warfield sent a message to a group of trusted security researchers he belonged to called the Roadhouse Miscreant Punchers to see if anybody else wanted to join their effort. Mills and Zaidenberg were also spreading the word, and they quickly brought on Marc Rogers, a British expat who oversees cybersecurity at the cloud-based identity management company Okta. Rogers had run security operations at Defcon, one of the world’s biggest hacker conventions, for the past decade and seemed to know just about everyone in the cybersecurity world.