Cyber Threat Actor: Ameer Elashmawy
| Actor Type | Location | Known Incidents |
Insider - Disgruntled
|
Egypt
|
1 incident |
|---|
Profile
Ameer Elashmawy, also known by the alias Ameer Elashmawy, is an individual associated with Egypt who worked as an information systems security support coordinator at Trillium Health in the United States. In January 2020 he abused his administrative privileges to gain unauthorized access to the work accounts and personal devices of more than sixty‑five coworkers. The intrusion resulted in the theft of hundreds of explicit photographs and videos, as well as the collection of personal data including social media credentials, driver’s license images, credit card details, and Social Security cards. No patient information was accessed during the incident, and the organization incurred over one hundred thousand dollars in cybersecurity remediation costs while cooperating with law enforcement. Elashmawy was subsequently charged with unauthorized access of a protected computer and identity theft, facing potential penalties of up to five years imprisonment and a quarter‑million‑dollar fine.
The actor’s targeting appears limited to the healthcare sector, specifically a single employer located in Rochester, New York, indicating a geographic focus on the United States. Observed objectives centered on the exfiltration of personal and intimate data rather than financial gain, service disruption, or state‑sponsored espionage, as no evidence of monetary theft, ransomware deployment, or intelligence collection was reported. The impact on victims included potential reputational harm, privacy violations, and the risk of secondary misuse of the stolen identifiers, prompting the employer to provide support services and engage external cybersecurity professionals for mitigation.
Noted tactics, techniques, and procedures involved the misuse of legitimate administrative credentials, the acceptance of passwords provided by coworkers during routine IT assistance, and the subsequent use of those credentials to access personal accounts from his workstation. Elashmawy employed portable storage devices such as USB thumb drives, external hard drives, and personal smartphones to collect and exfiltrate the stolen material. No custom malware, exploit kits, or specific tooling families were referenced in the reporting. Public attribution does not link him to any state actor, criminal consortium, or larger hacking group; the case is treated as an insider threat conducted by a former employee acting independently. The Trillium Health incident stands as the sole publicly documented operation associated with this actor, illustrating how privileged insider access can be leveraged for extensive personal data theft without the involvement of traditional malware or external infrastructure.
