Prosecutors: Insider 'Sabotaged' Medical Equipment ShipmentsHacker Disrupted Delivery of Supplies Used in COVID-19 Crisis, DOJ Says
The former vice president of finance at a Georgia-based medical supplies company has been charged with hacking into the firm's computers and "sabotaging" shipment of personal protective equipment in the midst of the COVID-19 crisis.
See Also: Role of Deception in the 'New Normal'
In an April 16 statement, the Department of Justice alleges Christopher Dobbins committed computer intrusion on March 29. "This defendant allegedly disrupted the delivery of personal protective equipment in the middle of a global pandemic," said U.S. Attorney Byung Pak. "Scarce medical supplies should go to the healthcare workers and hospitals that need them during the pandemic."
The Justice Department did not immediately respond to an Information Security Media Group request for additional details in the case, including the specific charges filed.
Dobbins was arrested on April 16 and released on an unsecured bond, his attorney, Margaret Strickler of the law firm Conway & Strickler, tells ISMG.
While court documents in the case do not identify the company, Dobbins' LinkedIn profile indicates he was vice president of finance at Stradis Healthcare in Peachtree Corners, Georgia, from July 2016 to March 2020.
Stradis Healthcare in an April 21 statement notes the hacking incident allegedly involving Dobbins temporarily disabled the shipping system of the company, which packages and distributes medical equipment, including PPE and surgical kits.
"Employees and the assembly line had been working at full capacity during the man's criminal activity, and the shipping of those key supplies has returned to full strength," the statement adds.
"Of course we are disappointed about a former employee who caused the company immeasurable internal harm and caused some temporary delays in our shipping system, but our focus is completely consumed in working 24/7 to serve the medical community and the public during this critical time," said Stradis CEO Jeff Jacobs.
Stradis Healthcare did not immediately respond to an ISMG request for further comment.
Prosecutors say that Dobbins, who had administrative access to computer systems containing the company's shipping information, was terminated from his employment in March, when his access rights were revoked.
"On March 26, Dobbins received his final paycheck from the company. Three days later, Dobbins used a fake user account that he had previously created while employed at the company to log into the company's computer systems," prosecutors allege.
Once he logged in through the fake user account, prosecutors allege, Dobbins created a second fake user account and used it to edit about 115,000 records and delete about 2,400 records.
"After taking these actions, Dobbins deactivated both fake user accounts and logged out of the system," prosecutors allege. "The edits and deletions to the company's records disrupted the company's shipping processes, causing delays in the delivery of much-needed PPEs to healthcare providers."
Court papers in the case indicate that the alleged hack disrupted PPE shipments for 24 to 72 hours.
"According to the company, the monetary losses caused from the computer intrusion exceeded $5,000 in value," the FBI states in court documents. "The losses, which are still being determined, stem from the costs of responding to the computer intrusion, restoring data to its condition prior to the computer intrusion, and lost revenue and other consequential damages incurred because of interruption of business."
The Justice Department says in court papers: "Aside from monetary damages, the computer intrusions caused potential modification or impairment of the medical examination, diagnosis, treatment or care of at least one person and a threat to public health and safety by delaying shipments of PPE."
Court documents say that Dobbins was hired in 2016, "and was integral in setting up company's NetSuite applications." Dobbins was the company's main NetSuite contact and had responsibilities for adding and removing users from NetSuite, court papers say.
"Due to conflicts between Dobbins and other departments within the company, Dobbins was disciplined by the company on August 9, 2019, and December 16, 2019; and fired on March 2, 2020," the documents say. "The company's investigation has revealed a pattern of escalating abuse of its NetSuite applications by Dobbins that appears to coincide with the company's disciplinary actions against Dobbins."
An FBI affidavit filed in the case offers a detailed timeline of all the steps Dobbins allegedly took, including creating fake accounts.
The Insider Threat
This insider threat case represents a policy failure more than a technical failure, says technology attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C.
"This individual apparently had unfettered and unmonitored access to the company's system; otherwise his creation of a fake account should have been detected using a variety of logging, monitoring and enforcement measures," Teppler says. "In any event, repeated disciplinary acts involving system misuse should have triggered an earlier termination. If there was proper logging and review of account creation by someone outside of his control, the fake account creation might have been detected earlier."
The case also offers important lessons to other organizations, especially as companies furlough and lay off employees during the COVID-19 crisis.
"As unemployment rises and much of the workforce is operating remotely, it's important to understand that your most valuable assets - your employees, contractors and partners - can also become your greatest vulnerability if sufficient protections aren't in place," says Ryan Kalember, executive vice president of cybersecurity strategy at security firm Proofpoint.
"It's not just employees with potentially malicious intent; the potential for user negligence and for account compromise also can increase with such a rapid shift to remote work."
Teppler says it's critical for companies to conduct periodic audits and reviews of any personnel with heightened administrative privileges.
"The sensitivity of the information, and the consequences of no taking these measures augur in favor of tighter controls," he notes. "Establish and enforce policies commensurate with the risk of injury to person or property in addition to the inherent sensitivity of the information at risk.
Stopping insider threats is an immense challenge for cybersecurity teams, Kalember says.
"Data loss potential increases every time new information is created and stored," he says. "It's vital that organizations have visibility into where their critical data resides, have visibility into who has access to it, and verify that those people aren't abusing that access."