Over a Decade in Prison for Massachusetts Man Behind DDoS Attacks on Healthcare Networks
A Massachusetts man has been sentenced to over 10 years in federal prison for orchestrating Distributed Denial-of-Service (DDoS) attacks against the computer networks of two healthcare organizations in 2014. The attacks were reportedly motivated by a desire to protest the treatment of a teenager receiving care at these facilities.
Martin Gottesfeld, aged 34, received a sentence of 121 months from U.S. District Judge Nathaniel Gorton. In addition to his prison time, he was ordered to pay nearly $443,000 in restitution to cover the damages inflicted on the targeted organizations, Boston Children’s Hospital (BCH) and Wayside Youth & Family Support Network—a nonprofit providing mental health services to young individuals and families.
Gottesfeld executed the DDoS attacks while allegedly acting on behalf of the hacktivist group Anonymous, employing a botnet comprising over 40,000 compromised network routers. His attacks succeeded in disrupting BCH’s services, affecting not only the hospital but several other medical facilities in the Longwood Medical Area for an extended period. The impact on Wayside Youth & Family Support Network was similarly severe, resulting in over a week of incapacitated operations and approximately $18,000 spent on mitigation efforts.
The assault on BCH had broader repercussions, crippling its operations for at least two weeks, which caused significant losses estimated at over $600,000, disrupting both patient care and ongoing research activities. Gottesfeld remained in custody since February 2016, following his arrest in Miami while attempting to flee the state on a small boat. The vessel was subsequently rescued by a nearby Disney Cruise Ship after losing power near the coast of Cuba.
In August 2022, a federal jury found Gottesfeld guilty on multiple counts, including conspiracy to intentionally damage protected computers. During his recent court appearance, Gottesfeld opted to represent himself, expressing intentions to appeal his conviction while voicing no regrets regarding his actions. He claimed that his motivations stemmed from a desire to advocate for Justina Pelletier, the teenage patient at the center of a controversial custody dispute.
The judge, in sentencing, highlighted Gottesfeld’s “arrogance and misplaced pride,” citing that he believed he possessed superior knowledge compared to the medical professionals at BCH. Gottesfeld asserted that his efforts aimed to raise awareness about the treatment of Pelletier, who was initially placed under state custody after a disputed diagnosis. She was later released to her parents after 16 months of treatment.
The cyberattacks deployed by Gottesfeld exemplify several tactics outlined in the MITRE ATT&CK framework. Notably, “Initial Access” and “Persistence” tactics were likely utilized to compromise the routers that constituted the botnet. Techniques involved may include exploitation of software vulnerabilities to gain unauthorized access, as well as maintaining footholds on affected systems to facilitate the DDoS attacks.
As the landscape of cybercrime continues to evolve, Gottesfeld’s case serves as a stark reminder of the potential consequences associated with such actions. His wife’s expressed intent to appeal may prolong the legal proceedings surrounding this high-profile case, reinforcing the ongoing discourse around cyber ethics and accountability in the modern age.
