A suspected Chinese hacker group reported to have stolen approximately “4.5 million patient records from an American hospital network” may have orchestrated this attack via the Heartbleed exploit, according to an article recently published on the Mashable web site. The article indicates that this is “the first time the bug has been reported to be at the center of a high-profile breach.” According to the Mashable report, the attackers breached “a device that had not been patched to fix the Heartbleed bug to steal user credentials.” At a later time the hackers used this data to gain access to the Community Health Systems (CHS) network where the “names, addresses, birth dates, telephone numbers and social security numbers” of patients were extracted, as noted by security experts quoted in the report.
Dave Kennedy, CEO of the security firm TrustedSec – not involved in the breach investigation – was quoted in the article as saying, “This is the first confirmed breach of its kind where the heartbleed bug is the known initial attack vector.” Kennedy authored a blog post which contained “information obtained from a trusted and anonymous source close to the CHS investigation”, according to the article. The article notes that, per Kennedy’s comments, the attackers gained entrance through a “CHS Juniper device that had not been immediately patched after the Heartbleed bug was disclosed in April”, which enabled them to obtain “user credentials from the device’s memory.” Once this was accomplished, according to the article, the hackers gained access to the system through a Virtual Private Network (VPN), a tool that allows an individual to connect remotely.
The report indicates that no detailed information regarding the breach has been released by FireEye, the security firm retained to conduct the investigation. Mike Lennon of SecurityWeek, a cybersecurity trade publication, was quoted in the article as saying, “The facts support claims that Heartbleed could have been what enabled attackers to run off with the personal information on 4.5 million individuals”, outlining that “a previously disclosed attack”, according to the presented findings, “seems to match the one that was publicized this week by CHS.”