Cybercrime , DDoS Protection , Fraud Management & Cybercrime

Boston Children's Hospital DDoS Attacker Convicted

Hacktivist Was Protesting Controversial Child Custody Case

A federal jury has convicted a hacktivist who launched distributed denial-of-service attacks in 2014 on Boston Children's Hospital and another local healthcare facility to protest a controversial child custody case.

See Also: Live Webinar | Cybersecurity in Healthcare Supply Chains: A CISO Perspective

The massive DDoS attack disrupted the Children's Hospital's network for at least two weeks.

Martin Gottesfeld, a 32-year-old biotech professional from Somerville, Massachusetts, faces up to 15 years in federal prison after his conviction on Wednesday in the U.S. District Court in Boston on charges of conspiracy to intentionally damage protected computers and intentionally damaging protected computers. His sentencing is slated for Nov. 14.

The charge of conspiracy provides for a sentence of up to five years in prison, a fine of $250,000 and restitution, according to the U.S. Department of Justice. The charge of damaging protected computers provides for a sentence of up to 10 years in prison and a fine of up to $250,000.

DDoS Attacks

Gottesfeld was arrested in connection with DDoS attacks in April 2014 on Boston Children's Hospital and Wayside Youth and Family Support Network that he launched in retaliation for the facilities' involvement in a controversial child custody case that had drawn national attention.

That case involved two Connecticut parents who had lost custody of their teenage daughter, Justina Pelletier, to the commonwealth of Massachusetts over allegations by the hospital that her parents medically abused the girl.

Prosecutors alleged that Gottesfeld identified himself as a member of the hacktivist group Anonymous and launched the attacks on behalf of the group, demanding changes in the way Boston Children's Hospital was handling the situation involving Pelletier.

The indictment alleged Gottesfeld was also responsible for directing the launch of a DDoS attack on Wayside Youth and Family Support Network, a Framingham, Massachusetts-based residential treatment facility where Pelletier had been transferred for care during the custody dispute.

Court documents in the case note that in his defense, "Gottesfeld ... testified repeatedly that he believed he was acting to save Justina Pelletier's life and that he is an 'activist.'"

Attacks' Impact

Prosecutors say the massive DDoS attack against the computer network of the Boston Children's Hospital involved Gottesfeld customizing malware that he installed on 40,000 network routers that he was then able to control from his home computer.

"After spending more than a week preparing his methods, on April 19, 2014, he unleashed a DDoS attack that directed so much hostile traffic at the Children's Hospital computer network that he not only knocked Boston Children's Hospital off the internet, but knocked several other hospitals in the Longwood Medical Area off the internet as well," the Justice Department says.

"The attack flooded 65,000 IP addresses used by Boston Children's Hospital and several other area hospitals with junk data intended to make those computers unavailable for legitimate communications," the justice department contends.

The DDoS attack disrupted the Children's Hospital network for at least two weeks, interrupting access to internet services used by Boston Children's Hospital staff to treat patients, prosecutors say.

"The attack disrupted the hospital's day-to-day operations, as well as its research capabilities. The attack cost the hospital more than $300,000 and caused an additional estimated $300,000 loss in donations, as the attack disabled the hospital's fundraising portal."

The cyberattack also crippled Wayside's network for more than a week and caused the facility to spend $18,000 on response and mitigation efforts, the justice department says.

Getaway Went Astray

In October 2014, federal law enforcement officials searched Gottesfeld's home and recovered computers, servers and hard drives. Gottesfeld, however, was not formally charged with a crime at the time the search warrant was executed.

But in an odd turn in the case, Gottesfeld was arrested in February 2016 after he was found in a small boat off the coast of Cuba.

Gottesfeld and his wife made a distress call after their boat ran into trouble (see DDoS Suspect Arrested After Rescue at Sea). A nearby Disney cruise ship responded to the distress call and rescued the couple. The ship returned to Miami, where Gottesfeld was then arrested.

Armchair Activism?

The DDoS attacks spotlight thorny legal issues that can arise in some cybercriminal cases, especially those involving hacktivists.

"Cases like this exemplify the tension between First Amendment protected activism - that is, an individual's Constitutional right to express displeasure with an organization and its policies - and federal criminal law designed to protect information systems," says attorney Jay Kramer, a partner at the law firm Lewis Brisbois and a former FBI agent.

"It's when the online protest activity crosses the line into a violation of law that the activism becomes hacktivism."

—Attorney Jay Kramer

"It's when the online protest activity crosses the line into a violation of law that the activism becomes hacktivism," says Kramer, who was not involved in the case. "The FBI and other federal law enforcement agencies consider free speech rights very carefully in this area, but when the evidence shows a clear intent to damage a computer network, law enforcement action including arrest and prosecution is appropriate."

Instead of using the tools of their parents' generation - boycotts, rallies, picketing outside an organization - it has become much easier to launch a protest from an armchair through digital means, Kramer says. "Unfortunately, this type of protest activity can be very destructive and will often violate the law," he adds.

'Domestic Terrorism'

While the case against Gottesfeld involved criminal charges of conspiracy and intentional damage to protected computers, other cybercrime cases potentially involve additional charges, Kramer notes.

"When cases involve an act of violence or destruction, and are undertaken in furtherance of stated social or political cause, they are sometimes also approached by the FBI and the Department of Justice as acts of domestic terrorism," he says.

Neither Boston Children's Hospital nor an attorney representing Gottsfeld immediately responded to Information Security Media Group's requests for comment.