Hackers Sell Backdoors Into A $2 Billion Nonprofit, A Californian Hospital, And Michigan Government

Thomas Brewster, Forbes Staff
Associate editor at Forbes, covering cybercrime, privacy, security and surveillance.
Cybercriminals are charging anything from $500 to $7,000 for access to organizations’ computers and morals appear to have gone out the window, as Doctors Without Borders and a U.S. hospital are targeted.
They’re called access brokers: hackers who find ways onto business or government computers and open up backdoors, charging others for entry. Typical buyers include cybercriminals wielding ransomware, the malware that’s been a scourge for global businesses and governments in recent months. For the sellers, advertising their breaches in the dark forums of the internet, morals don’t come into the equation when profit is all that matters. At-risk targets include academic institutions, healthcare providers, and even charitable organizations.

Since late 2021, Alex Holden, founder of Hold Security, has witnessed various organizations being hit by these opportunistic businessmen of the digital underworld, a handful of which Forbes has been able to confirm, from local government to a hospital and a major nonprofit.

In January, an advertisement went up offering access to a server based in Spain belonging to Médecins Sans Frontières (Doctors Without Borders), a nonprofit that draws in between $1 billion and $2 billion a year from donors to help provide medical and humanitarian aid around the world. A screenshot showing the hacker’s access indicated they had reached a Citrix web panel belonging to the Spanish arm of MSF, which could have allowed remote access to the nonprofit’s data, though it’s unclear just how much or what kind of information.

Photo caption: Médecins Sans Frontières (MSF, Doctors Without Borders) confirmed it was the target of a cyberattack but believes it has avoided any serious breach of its data. (Photo by Fabrice Coffrini/AFP via Getty Images)

A Médecins Sans Frontières spokesperson said the attack did not ultimately have any impact on its operations. “Fortunately, this attack has had no impact on MSF, either financial or related to our medical humanitarian operations. After a rapid assessment, we immediately took corrective measures and strengthened security procedures to prevent further similar attacks,” they added.


“Such attacks have increased significantly in recent years, not only in the NGO sector but in all organizations and companies of a certain size. We continuously research and develop security procedures to prevent cyber attacks from affecting our medical humanitarian activities.” Just last month, the International Committee of the Red Cross announced it had been hit by a severe cyberattack, which could have led to the loss of data on 500,000 individuals.

Also in the last month, for just $800, the username and password for an account at the John C. Fremont hospital, a small facility in Mariposa, California, were on offer by hackers on encrypted messenger chats. Holden says it was bought, although the hospital’s IT manager told Forbes he had found “no intrusion.” They did, however, confirm the hackers had acquired a legitimate login of an IT employee. The hospital wasn’t sure how, as it continues to investigate.

In another alleged breach at a small organization, though a not insignificant one for the area, hackers were offering access to a Citrix server at the City of Ann Arbor, Michigan, which has a population of over 120,000 and is home to the University of Michigan. Holden couldn’t determine how much that sale was for or if there was a buyer.

The department declined to tell Forbes any more about the incident, as a spokesperson added, “Since Friday [11 February], the city’s IT team has worked to further investigate this claim and has determined that no personal information was compromised and online city services have continued uninterrupted. Our IT Team is dedicated to protecting city data and continually works to evaluate and implement cyber security best practices.”

Other alleged victims reviewed by Holden included a water treatment facility in Europe and a water management facility in Florida, though Forbes could not confirm the details of the apparent breaches.

A comfortable living for a hacker

The hacks show the diversity of breaches being perpetrated at the hands of access brokers, something that’s borne out in a report released by cybersecurity company CrowdStrike on Wednesday and shown to Forbes ahead of publication. Looking across advertisements posted since 2019, the research shows the U.S. is far and away the most targeted nation, with over 50% of access broker hacks tracked by CrowdStrike targeting American entities. The academic sector was the most targeted vertical, though government, tech and healthcare were all popular amongst access brokers too.

As for cost, the average price for a route inside a healthcare institution was over $3,800, compared to $6,150 for a government body. Geography also affected price, with U.S. and U.K. victims attracting a higher price, averaging around $4,000.

Whether it’s the access brokers themselves or their customers who steal data or infect targets with ransomware, the online underworld is only getting more profitable, according to Adam Meyers, senior vice president of intelligence at CrowdStrike. “This is a vibrant economy [where] people are wheeling and dealing and making a lot of money. Hundreds of millions, billions of dollars.”

Successful brokers could be earning as much as $20,000 a month, if they sell four accesses a month. “It’s a volume business,” said Meyers. It’s also a business where the dealers have done a risk assessment, deciding only to open the door for other hackers rather than steal data or lock up files and demand a ransom, which would come with more law enforcement attention, though it provides a bigger payday if a company coughs up. “A lot of access brokers [...] don’t want to take on the higher risk.