This week, the U.S. Attorney’s Office for the Northern District of Texas announced that the FBI has arrested Jesse William McGraw, a 25 year old contract security guard at the W. B. Carrell Memorial Clinic, a hospital in Dallas, Texas, for hacking the hospital’s computers and air conditioning system. For many businesses, an attack on ventilation systems might be an inconvenience, but the threat could be much more serious for critical care patients in healthcare institutions like the Carrell Clinic. McGraw is charged with violations of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. sec. 1030.
McGraw had given his one week notice to hospital security contractor, United Protective Services, and was scheduled to depart on July 3, 2009. His intrusion into hospital systems was allegedly made in preparation for a larger attack on July 4th, a day he referred to as "Devil’s Day." The story behind the arrest is laid out in the criminal complaint and supporting affidavit filed in federal court (.pdf); however, a number of other details have emerged over time that demonstrate how vulnerable many institutions may be to insiders.
On Thursday, June 18, 2009, Jesse William McGraw, an individual that apparently went by several monikers, including "GhostExodus," and "PhantomExodizzmo" and allegedly led the hacker group the "Electronik Tribulation Army," made a fatal mistake in his career as a cybercriminal. He bragged of his exploits to the wrong people. In this case, XXxxImmortalxxXX, another member of the "Electronik Tribulation Army" familiar with McGraw’s hack, boasted to Wesley McGrew, a Ph.D. research assistant at Mississippi State University and computer security consultant at McGrew Security, who then investigated the hacker’s claims and reported the intrusion to the FBI and the Texas Attorney General’s Criminal Investigation Division. XXxxImmortalxxXX appears to have burned McGraw/GhostExodus by directing McGrew, who has admitted that he is the informant designated "CW-1" in the criminal complaint, to a series of websites showing screenshots and videos taken while he compromised hospital computer security, such as the following image posted on WarezScene.org:
Among the many damning pieces of evidence uncovered by McGrew were self-made videos of the alleged hacker using security keys to access computers in the Carrell Clinic and uploading malicious software that turned office computers into botnet slaves (computers that could then be controlled by the Electronik Tribulation Army to perform "Distributed Denial of Service" (DDOS) attacks).
[UPDATE: While I originally posted that the GhostExodus video was removed from YouTube, I have since found the video he shot while "infiltrating" the Carrell Clinic: Post July 4th Infiltration. A video boasting of numerous other hacks and that "Nothing can stop XXxxImmortalxxXX" can be found here.]
McGrew responded by tracing McGraw/GhostExodus to a computer used by security officers at the Carrell Clinic and contacted law enforcement agencies to report to attack. McGrew’s ongoing account of these events can be found at his website.
[UPDATE: Thanks are owed to Mr. McGrew and XXxxImmortalxxXX for writing in to clarify the cast of characters involved in this incident.]