Cybercrime , DDoS Protection , Fraud Management & Cybercrime
Boston Children's Hospital Hacker Gets Long Prison SentenceHacktivist Martin Gottesfeld Also Ordered to Pay Restitution
A hacktivist who launched distributed denial-of-service attacks on Boston Children's Hospital and another local facility in 2014 has been sentenced to 10 years in federal prison and ordered to pay nearly $443,000 in restitution.
See Also: Buyer's Guide to Securing Privileged Access
Martin Gottesfeld, a 34-year-old biotech professional from Somerville, Massachusetts, was sentenced Thursday in the U.S. District Court in Boston on two counts of conspiracy and two counts of intentionally damaging protected computers, according to court records. He was convicted in August by a federal jury.
The massive DDoS attack that Gottesfeld launched in protest of a controversial child custody case involving Boston Children's Hospital and the Wayside Youth and Family Support Network in Framingham, Massachusetts, disrupted the hospital's network for at least two weeks and hampered internet connectivity of other area hospitals.
Prosecutors say the attack disrupted the children's hospital's day-to-day operations, as well as its research capabilities. The attack cost the hospital more than $300,000 and caused an additional estimated $300,000 loss in donations because the attack disabled the hospital's fundraising portal.
The attack also caused Wayside to spend $18,000 on response and mitigation efforts, prosecutors say.
Prosecutors alleged that Gottesfeld identified himself as a member of the hacktivist group Anonymous and launched the attacks on behalf of the group, demanding changes in the way Boston Children's Hospital was handling a custody situation involving teenager Justina Pelletier. Pelletier's Connecticut parents had lost custody of their daughter to the commonwealth of Massachusetts over allegations by the hospital that her parents medically abused the girl.
But even some individuals associated with Anonymous were not keen on the attacks. An April 25, 2014, Twitter message apparently posted an Anonymous news group known as @YourAnonNews, says: "To all Anons attacking Children's Hospital in the name of Anonymous ... It's a hospital, stop it."
The Department of Justice, in a statement following Gottesfeld's conviction, said the hacktivist "unleashed a DDoS attack that directed so much hostile traffic at the Children's Hospital computer network that he not only knocked Boston Children's Hospital off the internet, but knocked several other hospitals in the [Boston] Longwood Medical Area off the internet as well."
The attack flooded 65,000 IP addresses used by Boston Children's Hospital and several other area hospitals with "junk data" intended to make those computers unavailable for legitimate communications, the justice department charged.
In October 2014, federal law enforcement officials searched Gottesfeld's home and recovered computers, servers and hard drives. Gottesfeld, however, was not formally charged with a crime at the time the search warrant was executed.
But in an odd turn in the case, Gottesfeld was arrested in February 2016 after he was found in a small boat off the coast of Cuba.
Gottesfeld and his wife made a distress call after their boat ran into trouble (see: DDoS Suspect Arrested After Rescue at Sea). A nearby Disney cruise ship responded to the distress call and rescued the couple. The ship returned to Miami, where Gottesfeld was then arrested.
'Contemptible, Invidious and Loathsome'
Gottesfeld's apparent lack of remorse about the attacks drew scathing remarks from U.S. District Judge Nathaniel Gorton, who called his crimes "contemptible, invidious and loathsome," according to the Washington Post.
Gottesfeld has filed a notice of appeal with the court.
Hefty sentencing against hackers - as well as media attention about those sentences get - can potentially have a limited positive impact on crime deterrence, says Larry Whiteside, CISO at Greenway Health, a provider of cloud-based electronic health records and other software. In 2017, the company suffered a ransomware attack that disrupted several hundred of the company's clients (see: Doctors Regain EHR Access After Ransomware Targets Vendor).
The outcomes of cybercriminal cases need to get publicized as widely as the crimes themselves, Whiteside contends. "A lot gets publicized as far as the breaches, but the follow up of accountability when the attacker gets found and sentenced - those things don't get the same level press notoriety," he says. "From the standpoint of accountability, that type of press, those types of sentences and fines are going to stop nuisance hackers - the individuals and small criminals that are doing things out of opportunity."
But tough sentence for cybercrimes likely won't deter nation-state sponsored attackers or larger organized assaults, he argues.
A Boston Children's Hospital spokeswoman tells Information Security Media Group: "We believe the verdict and the sentence are appropriate." And a Wayside Youth and Family Support Network spokeswoman added: "We are pleased that the matter is now resolved."
Attempts by ISMG to reach an attorney representing Gottesfeld for comment about the sentencing were unsuccessful. Several attorneys who defended the hacktivist in earlier stages of the criminal case are no longer representing Gottesfeld.
A Department of Justice spokesperson said the agency could not comment on the sentencing due to partial federal government shutdown. "With the shutdown, we are prohibited from making any statements or putting out any kind of release," the spokesperson said. "My apologies, but we will have to let the sentence speak for itself."