Hackers Target European Security Watchdog and Law Firms; Medical Marijuana Database Breached

Another busy week in Threatwatch, Nextgov's regularly updated index of cyber incidents.

Medical Marijuana Database Taken Offline After Breach

Nevada's medical marijuana program database was taken offline this week after personal and sensitive information of roughly 11,700 dispensary applicants were leaked online. 

A bug affecting the online portal used by the state's medical marijuana program resulted in Social Security numbers, phone numbers, addresses, dates of birth and driver's license numbers being publicly accessible, according to Daily Dot.

The Nevada Division of Public and Behavioral Health, which operates the website, said it was investigating a “cyberattack” on the affected program.

"DPBH said it has contacted a number of credit-reporting services to alert them that a number of dispensary applicants' personal information was exposed," Daily Dot reported. "DPBH has also contacted law enforcement agencies 'for further investigation.'"

European Security Watchdog OSCE Hacked

Hackers targeted the IT systems of the international security monitoring group Organization for Security and Cooperation in Europe, the group's spokeswoman said Wednesday.

Though Le Monde newspaper said a “Western intelligence service” attributed the attacks to Russia-linked group APT28, also known as Fancy Bear, an OSCE spokeswoman told Reuters the organization does not want to speculate who is behind them.

The organization became aware of a data breach in November and has replaced its security systems and passwords, the spokeswoman said.

OSCE has been on a special monitoring mission of the conflict between Ukrainian forces and Russian-backed separatists since 2014.

US Charges 3 Chinese Citizens with Hacking into Law Firms for Insider Info

Three Chinese citizens made $4 million in illegal profits after hacking into New York-based law firms for insider information about pending mergers and acquisitions, according to a Justice Department release.

Federal prosecutors in Manhattan on Tuesday unsealed charges against Iat Hong, Bo Zheng and Chin Hung for conspiracy, insider trading, wire fraud and computer intrusion.

From April 2014 through late 2015, the trio allegedly targeted at least seven unnamed law firms that handle M&A transactions, hacking into the networks, servers and emails to find information about deals that hadn’t been publicly announced. The release states they attempted to access law firms more than 100,000 times in 2015, and successfully exfiltrated information from at least two firms.

They then bought into target companies prior to deal announcements and then sold them for about $4 million in profits. Some of the deals included biotech company Intermune, chipmaker Intel and business logistics company Pitney Bowes Inc.

“This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world: you are and will be targets of cyber hacking, because you have information valuable to would-be criminals,” U.S. Attorney Preet Bharara said in a statement.

Hong, a resident of Macau, was arrested Dec. 25 in Hong Kong and faces pending extradition proceedings. Zheng, a Macau resident, and Hung, a Changsha, China, resident, are not in custody, according to a Reuters report. The three worked for Robotics Company, a startup founded by Zheng to develop robot controller chips and control system solutions.

The U.S. Securities and Exchange Commission also charged the trio with violating the antifraud provisions of the federal securities laws and related rules, and is working to freeze their assets. The SEC's investigation is ongoing.