
Cyberattack On Columbia Company, 200 Victims Leads To Indictment

A company headquartered in Columbia was among more than 200 victims of a ransomware scheme that prosecutors say caused more than $30 million in losses. Two Iranian men have been indicted.

COLUMBIA, MD — Two Iranian men have been indicted over a years-long ransomware campaign that targeted cities, hospitals and companies across the U.S. and Canada, including a health network headquartered in Columbia. Prosecutors say the attacks caused more than $30 million in losses.

Authorities said the more than 200 victims included hospitals, municipalities and public institutions, among them MedStar Health, which is headquartered in Columbia.

In March 2016, after malware was found on its network, MedStar Health temporarily took its electronic systems offline to recover from what company officials called a "despicable attack." The health network encompasses 10 hospitals, including Franklin Square, Good Samaritan, Harbor Hospital and Union Memorial in Maryland, as well as dozens of outpatient clinics.


"The attempt to negatively impact an institution designed to save lives and care for those in need is a sad and troublesome reality of our times — not only for MedStar Health, but for our entire industry and the communities we serve," MedStar Health President and CEO Kenneth A. Samet said at the time.

Other health-related organizations hit in the campaign included LabCorp, headquartered in Burlington, North Carolina; Nebraska Orthopedic Hospital in Omaha, Nebraska; and Allscripts Healthcare Solutions, headquartered in Chicago, Illinois.


Government entities hit with the malware included the city of Atlanta, Georgia; the Port of San Diego, California; and the Colorado Department of Transportation.

A federal grand jury returned an indictment that was unsealed this week in New Jersey charging Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, both of Iran, in a 34-month-long international computer hacking and extortion scheme involving the deployment of sophisticated ransomware.

The six-count indictment alleges that Savandi and Mansouri, acting from inside Iran, authored malware, known as “SamSam Ransomware,” capable of forcibly encrypting data on the computers of victims.

Starting in December 2015, Savandi and Mansouri allegedly gained access to victim computers by exploiting security vulnerabilities and installed the SamSam Ransomware. They then demanded ransom, payable in the virtual currency Bitcoin, in exchange for decryption keys for the encrypted data; they collected the payments and converted the Bitcoin into Iranian currency through Iran-based Bitcoin exchangers, federal prosecutors allege.

“The Iranian defendants allegedly used hacking and malware to cause more than $30 million in losses to more than 200 victims,” Deputy Attorney General Rod Rosenstein said in a statement. “According to the indictment, the hackers infiltrated computer systems in 10 states and Canada and then demanded payment. The criminal activity harmed state agencies, city governments, hospitals, and countless innocent victims.”

Savandi and Mansouri are charged with one count each of conspiracy to commit wire fraud and conspiracy to commit fraud and related activity in connection with computers, and two substantive counts each of intentional damage to a protected computer and transmitting a demand in relation to damaging a protected computer.

According to the indictment, Savandi and Mansouri created the first version of the SamSam Ransomware in December 2015 and released refined versions in June and October 2017. Besides using Iran-based Bitcoin exchangers, the defendants allegedly used overseas computer infrastructure to carry out their attacks. They also allegedly used online reconnaissance techniques, such as scanning for vulnerabilities in victims' networks, and online research to select and target potential victims, and disguised their attacks to look like legitimate network activity.

The indictment also alleges that the defendants used Tor, a computer network designed to facilitate anonymous communication over the internet. To maximize the damage, the defendants allegedly launched attacks outside regular business hours, when a victim would find it harder to respond, and encrypted the victims' backups as well as their primary data. This was intended to, and often did, cripple the victims' regular business operations, according to the indictment.
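The two behaviours the indictment describes, attacks timed outside business hours and encryption that reaches the backups, are also what a defender can watch for in file-activity telemetry. The Python script below is an added example written for this page; it is not the FBI's, the court's or any vendor's detection logic and says nothing about how SamSam was actually detected. It assumes a simple space-separated log format (timestamp, host, operation, path), a constructed sample log, and hypothetical thresholds for business hours, burst size and backup-path markers that a real deployment would tune.

```python
"""Flag off-hours write bursts and writes into backup locations in file-activity logs.

Added example for this article, not evidence from the SamSam case or a vendor rule.
Log format is an assumption: ISO timestamp, host, operation, path, space separated.
"""
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(8, 18)   # assumption: 08:00-17:59 local time
WEEKEND = (5, 6)                # Saturday, Sunday (datetime.weekday numbering)
BURST_THRESHOLD = 5             # writes per host per minute (assumption)
BACKUP_MARKERS = ("\\backups\\", ".bak", ".vbk", "shadowcopy")  # assumption

# Constructed sample log, not a real capture. 2018-09-25 is a Tuesday.
SAMPLE_LOG = """\
2018-09-25T02:13:04 SRV-FILE01 WRITE D:\\Shares\\Finance\\q3.xlsx.encrypted
2018-09-25T02:13:05 SRV-FILE01 WRITE D:\\Shares\\Finance\\budget.docx.encrypted
2018-09-25T02:13:05 SRV-FILE01 WRITE D:\\Shares\\HR\\roster.xlsx.encrypted
2018-09-25T02:13:06 SRV-FILE01 WRITE E:\\Backups\\daily\\finance.bak.encrypted
2018-09-25T02:13:07 SRV-FILE01 WRITE E:\\Backups\\daily\\hr.bak.encrypted
2018-09-25T02:13:08 SRV-FILE01 WRITE D:\\Shares\\HOW_TO_DECRYPT.txt
2018-09-25T10:05:01 WS-HR07 WRITE C:\\Users\\jdoe\\Documents\\notes.docx
2018-09-25T10:05:02 WS-HR07 WRITE C:\\Users\\jdoe\\Documents\\notes.docx
2018-09-25T10:05:02 WS-HR07 WRITE C:\\Users\\jdoe\\Documents\\draft1.docx
2018-09-25T10:05:03 WS-HR07 WRITE C:\\Users\\jdoe\\Documents\\draft2.docx
2018-09-25T10:05:03 WS-HR07 WRITE C:\\Users\\jdoe\\Documents\\draft3.docx
2018-09-25T22:00:00 SRV-BKP01 WRITE E:\\Backups\\nightly\\full.vbk
2018-09-25T22:00:30 SRV-BKP01 READ D:\\Shares\\Finance\\q3.xlsx
"""


def parse_line(line):
    """Split one log line into (timestamp, host, operation, path)."""
    ts, host, op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, op, path


def is_off_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() in WEEKEND or ts.hour not in BUSINESS_HOURS


def analyze(lines):
    """Bucket WRITE events per (host, minute) and score each bucket.

    high   : off-hours burst that also touches backup locations
    medium : off-hours burst with no backup paths
    low    : backup paths touched without a burst (often a legitimate backup job)
    Buckets with nothing notable are dropped.
    """
    buckets = defaultdict(lambda: {"writes": 0, "backup_paths": []})
    for line in lines:
        if not line.strip():
            continue
        ts, host, op, path = parse_line(line)
        if op != "WRITE":
            continue
        key = (host, ts.replace(second=0, microsecond=0))
        bucket = buckets[key]
        bucket["writes"] += 1
        if any(marker in path.lower() for marker in BACKUP_MARKERS):
            bucket["backup_paths"].append(path)

    findings = []
    for (host, minute), bucket in buckets.items():
        off = is_off_hours(minute)
        burst = bucket["writes"] >= BURST_THRESHOLD
        if off and burst and bucket["backup_paths"]:
            severity = "high"
        elif off and burst:
            severity = "medium"
        elif bucket["backup_paths"]:
            severity = "low"
        else:
            continue
        findings.append({
            "host": host,
            "minute": minute.isoformat(),
            "writes": bucket["writes"],
            "off_hours": off,
            "backup_paths": bucket["backup_paths"],
            "severity": severity,
        })
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (order[f["severity"]], f["host"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding["severity"].upper(), finding["host"], finding["minute"],
              finding["writes"], "writes,", len(finding["backup_paths"]), "backup paths")
```

On the sample, the 02:13 burst on SRV-FILE01 scores high because it is off-hours, exceeds the threshold and rewrites files under the backup share, while the five daytime writes on WS-HR07 are ignored and the single nightly write by SRV-BKP01 only scores low. That low bucket is the main source of noise in practice: scheduled backup jobs legitimately write into backup locations at night, so a real rule would allowlist the backup service account or host rather than the path. The rule also sees nothing of the network side; the indictment's claim that the attackers made their traffic look like legitimate activity is exactly why host-level file telemetry, not only network monitoring, is worth collecting.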

The most recent ransomware attack against a victim alleged in the indictment took place on Sept. 25, 2018.

By Patch editors Tim Darnell, Eric Kiefer, and Elizabeth Janney with reporting from City News Service.

Flier from the FBI. Main photo of MedStar on Grantchester Way in Columbia by Elizabeth Janney.
