Jesse William McGraw, 25, also known as "GhostExodus," "PhantomExodizzmo," and a couple of false names, was charged with downloading malicious code onto a computer at the Carrell Clinic in order to cause damage. As a result, he "threatened public health and safety," according to an affidavit filed by the FBI (PDF). McGraw worked as a night security guard for United Protection Services and was on contract with the hospital, which specializes in orthopedics and sports medicine.
McGraw heads up the Electronik Tribulation Army, an underground hacking group; ironically, one of his followers may have inadvertently given him up to the feds. Security researcher Wesley McGrew helped crack the case wide open after a "script kiddie" known as "XXxxImmortalxxXX" contacted him, bragging that he had hacked a hospital's HVAC system. "Upon further googling, it became apparent that XXxxImmortalxxXX was lying to me, and that it was the leader of the group Immortal had joined that allegedly carried out the attack. This attacker went by the name of 'GhostExodus,'" or McGraw, McGrew blogged.
Researcher McGrew, who is an expert in control systems and SCADA security, says he saw screenshots of the interface to the hospital's HVAC system posted online by GhostExodus. "Screenshots taken by the attacker showed an HMI that gave the user control over many elements of the hospital, including pumps and chillers in the operating room. Messing around with a system like this can seriously impact the health and safety of the patients," he blogged. After gathering more information on GhostExodus, he contacted the Texas attorney general's office and the FBI, which on Friday arrested McGraw.
The suspect had planned to use the hacked systems on July 4 for what he called "Devil's Day," when he was planning to wage a mass DDoS attack with other attackers. He had posted videos online trying to recruit other attackers to join in the DDoS attack.
McGraw had recently given one week's notice to United Protection Services, and his last day of work was scheduled for July 3.
Carrell Clinic administrator Tom Blair told The Dallas Morning News in a published report that the clinic had no evidence of patient information being compromised.