My phone has been blowing up most of the day about this. To sum it up: On the evening of the 18th, a script kiddie that was involved in a previous post on this site (“Perl Hacking is Dead”), XXxxImmortalxxXX, contacted me and began to brag about hacking a hospital’s HVAC system. Upon further googling, it became apparent that XXxxImmortalxxXX was lying to me, and that it was the leader of the group Immortal had joined that allegedly carried out the attack. This attacker went by the name of “GhostExodus”.
As most of my readers here know, my research area is control systems/SCADA, specifically human-machine interface (HMI) software. Being involved in a field that involves elements of our critical infrastructure, I know how serious an incident involving a hospital’s HVAC system can be. Screenshots taken by the attacker showed an HMI that gave the user control over many elements of the hospital, including pumps and chillers in the operating room. Messing around with a system like this can seriously impact the health and safety of the patients.
I spent a large amount of time that weekend gathering up information on GhostExodus, and his hacker group, the “Electronik Tribulation Army”. Monday, I met with my major professor at Mississippi State University’s Critical Infrastructure Protection Center, where I work as a Ph.D. research assistant. I presented the information I had found, and we contacted the Texas attorney general’s office and the Jackson, MS FBI office, where we already had contacts. For the rest of the week, I cooperated with the FBI by sharing the information that I had found. GhostExodus was picked up by the FBI on Friday night.
I plan on sharing more, because there’s a huge amount of interesting data, images, and video involved with this case. The alleged attacker uploaded many videos of his actions to YouTube and other sites, and when I put it all together into a coherent lecture, it should be pretty informative and entertaining. Until then, there’s plenty of media coverage of the arrest:
- http://dallas.fbi.gov/dojpressrel/pressrel09/dl063009.htm
- http://www.google.com/hostednews/ap/article/ALeqM5hGIxH-4yZGtIwfRX4kk3oYkhkvsAD995A5H82
Google News shows over 170 related stories.
The best and most accurate thing to read, however, is the criminal complaint against “Jesse William McGraw”. I have been informed that this is part of the public record; however, I have taken the liberty of editing out SSNs, DLs, VINs and such on this copy:
(Edit: moved it offsite, because it was chewing a lot more bandwidth than you’d expect. You can read it online or download it from the above link)
If you’re reading the above, I’m “CW-1”.
I plan on keeping you updated on further developments and more information as this progresses. There will also likely be some very interesting multi-media talks and lectures I can give on this, so if you want me to take the show on the road, get in touch.
For now, though, I’ve had a long day, and I shall rest.

That’s so frickin’ awesome Wesley! Good work man. Can’t wait to hear the talk to develop out of this.
Congratulations! Another one off the streets (or, should I say, wires). Keep good records and notes. Sounds like you may need them in the future… (I learned my lesson on the notes thing…)
Congrats on following through with this. I only hope that the legal system works as hard on processing this as you did in collecting it all and bringing it to them. Keep up the excellent work.
Well, I’ve been extremely impressed with the technical savvy and willingness to take action by the FBI so far. I’ll definitely be following what goes on carefully and post updates when I know what’s going on.
Nice work! Thanks for sharing.
My pleasure. It’s nice to see some InGuardians representation in here. You or any of your guys that’re going to Black Hat or Defcon really should get in touch with me so we can hang out.
Great sleuth work, my friend! Common sense, though, should tell skiddiez to quit bragging. Thankfully, Skiddiez lack common sense. Glad this was put to an end before anyone got hurt. Messing with climate controls in a hospital is a recipe for disaster!
[...] necessary for the arrest to be made. Details, including the criminal complaint, can be found on his blog and it looks like there is loads more information about the investigation and the trail of bits he [...]
WTF
i knew him he was nice
REALLY i did
Great work! Good to see that the FBI got this guy!
[...] is great. Looking forward to hearing more about it in the future. Way to go Wesley! GhostExodus, the ETA, and a Control-Systems Incident at Carrell Clinic (Part 1) << McGrew Secu… Tags: ( crime-doesnt-pay [...]
Scary that someone who’s been indicted (not proven guilty yet, regardless of these specific circumstances) can have his name, address, DL#, and SSN posted for the world to see.
Why is industry taking such pains to protect this information when the government is releasing it on mere suspicion of a crime?
I just finished reading information on the ghost exodus and can not thank you enough for what has been done to stop this insane being!!! What would have been the outcome of his act?
dude’s a fucking legend!
way to go you busted some kid who turned on and off an acc unit like a kid with a light switch and then you sugar coated it like you're a badass. you just want attention get that chip off your shoulder you're not even a pen tester
Hi nobody,
Sorry for the delay in accepting that comment. I saw the one that you had posted to Part 2 and accepted it, noticed in the access_log’s that you had posted one here as well, and then dug through the spam filter to find this one.
Thanks for commenting, and I’m sorry you haven’t enjoyed these posts. I’ve had a lot of positive feedback on them, so there will be more. If that doesn’t sound like a good time to you, you might not want to subscribe by RSS or anything.
Hope you have a good day!
Wesley
[...] Part 1 – Definitely read the criminal complaint. [...]
fuck u asshole someday u will bow down 2 ghost and the eta jackass
.xXanarchykingXx., I loved the Nintendo Wii user agent. How long does it take to type all that out with the pointer thing?
There is a so called member ( GhostExodus) ETAFixer at wyldetube.com
way to prove yourself as snitch that didn't gather any evidence you just took what somebody gave you and made up all this bullshit on how you caught him when all you really did is picked up a phone and called to police
[...] Part 1 – Criminal Complaint [...]
You fucking snitch.
u will bow
snitch
Hey there Mc grew all i got to say is you might can take out one of us but you cant take out all of us.
LONG LIVE THE ETA and fuck off nigger!
we are still here



and we are still watching you
we will destroy you
and everything you live for
you will bow down to eta
and every member from it
I knew the guy because he frequented a hacking site I go to. I don’t really hack much anymore, more just the real spirit of a hacker, which is nothing like these ETA retards. He was a pretty good guy, when he found that HVAC thing, he was surprised, he had been scanning IP’s and was really quite astounded at the lack of security. He didn’t intend on changing anything, although that doesn’t really matter because the penetration of the system is a crime in and of itself. It’s really disappointing to have such a brilliant member of the site I frequented to be gone. I disagree with your actions and think he only should have been prosecuted had he done something. Oh well. It’s a shame, I would really enjoy an email from you however, I’d like to hear your input. Thanks, sincerely:
Michael Wiley
Thanks for the comment, Michael. Sorry to hear that you disagree, but I appreciate that you’re polite and civil about it.
[...] meant to post this a little more than a week ago, but all the GhostExodus stuff sort of bumped this up until now. If you’re new to the site because [...]
[...] split into teams and sign up for the DC3 forensics challenge. On another site, I noticed that GhostExodus, before he was arrested, had signed up for the DC3 challenge as well, as had XXxxImmortalxxXX (the [...]
i knew ETA. I know Immortal, immortal is a faggot who builds up a persona online for himself because truely he is a lonely person.
Mc Graw was a cool guy, he was nothing like Immortal and i just wish you could have caught Immortal instead
Anyways i have plenty of info on immortal if you want it
Hes called William palmer =D
If you want more post here
[...] entire episode can be found in a very readable account at the website of the somewhat eponymously named Wesley McGrew, who actually located and identified McGraw after a [...]
[...] A hospital security guard at a Dallas Texas hospital had been planning an attack to be launched July 4. He had been installing malware on several systems at the hospital including the environmental control systems and many systems that contain sensitive data. I am hopeful that more information will come out on this as I can’t figure out what the motive was or what he planned to gain from this attack. Needless to say, (and I have been saying it the entire year), you have to be very careful regarding your internal employees. This one specifically calls out the need for access controls to be in place. Why a security guard would have access to systems like these is beyond me. A few days ago I wrote a story about the need for policies and procedures and then active enforcement. Here is just another example. The guy even posted video online of him doing this. Feel free to watch here. [...]
So you ‘caught’ him even tho all the ‘facts’ were there,you ‘took him down’ even tho you just handed shit to the fbi and now your taking credit for it?maybe if you made a citizens arrest it’d be abit better but seriously i think your a cunt personally i think your a cunt and you should have your tongue and fingers cut out or off,should be shot burned and then shot again.if he wanted to fuck with things he would’ve done it but look REALLY look he didnt do shit.you should pull your head out of your arse get yourself out of this motherfuckin fantasy world your livin in and do some real ‘detective’ work.fuck you i hope eta give you what you deserve CUNT
.xXanarchykingXx is RamhatX of youtube, he thinks he can hack because he made an HTML page and some java float vids, oh, and he can use ghost mouse, most important hacker tool of all time!
(Not)
He is also an ETA member (when it suits him) and is also doing illegal shit, more or less stalking.
Some Arab hackers went after him for messing with a white girl, they say his name is Chris Scot Norris, wannabe IT geek from TX but now in Baton Rouge, LA
ETA = Skiddies.
XxxImmortalxxX also goes by Hex00010 Now, you should refer to him as that more.