Cyber Incident Victim: ENE Systems
Date: Aug 2021
Location: United States of America
Summary
A threat actor compromised ENE Systems, an HVAC vendor, gaining remote access to client systems including Boston Children’s Hospital and potentially other Harvard-affiliated hospitals. The attacker attempted to extort the vendor and demonstrated access to sensitive infrastructure schematics, raising concerns about potential manipulation of alarm and HVAC systems. Evidence included internal diagrams of hospital floors, though the full scope of compromised clients remained unclear as ENE Systems did not respond to inquiries. The FBI was involved, but attribution and notification pathways were undetermined. One hospital confirmed mitigating actions after being alerted to the vendor’s security issues, stating operations were unaffected. Multiple high-risk facilities, including government buildings and banks listed as ENE clients, faced potential exposure, though confirmation of further breaches was lacking due to non-disclosure by involved entities.
Description
In early August 2021, a threat actor contacted DataBreaches.net to disclose a breach involving ENE Systems, a Canton, Massachusetts-based HVAC vendor serving multiple high-profile clients, including Boston Children’s Hospital (BCH), Brigham & Women’s Hospital, and Massachusetts General Hospital. The attacker claimed to have compromised ENE Systems’ network, attempted to extort the vendor, and retained persistent access despite the vendor’s alleged indifference. The threat actor specifically highlighted unauthorized access to BCH’s systems through ENE’s remote connections, providing screenshots of internal hospital schematics, wiring diagrams, and floor-specific infrastructure layouts. These images raised concerns about the actor’s ability to manipulate critical systems, including alarms and HVAC controls. On August 5, DataBreaches.net shared evidence with a healthcare security professional, who verified the breach and alerted BCH’s security team to mitigate potential risks. ENE Systems did not respond to repeated inquiries about the incident, leaving uncertainty about whether they had proactively notified clients or authorities. The FBI was confirmed to be investigating, though the source of their involvement remained unclear.

The confirmed impact included the threat actor’s access to BCH’s sensitive operational data, though no disruptive actions or data exfiltration were reported. Massachusetts General Hospital acknowledged being alerted to “potential cyber security issues” involving ENE Systems and implemented immediate mitigation measures, confirming no operational disruptions. BCH and Brigham & Women’s Hospital did not publicly comment, but historical context suggested BCH might have activated its organization-wide incident response protocols, similar to its 2014 response to hacktivist attacks. ENE Systems’ broader client base—including schools, government buildings, and financial institutions—faced potential exposure, though no additional compromises were verified. The hospitals’ shared affiliation with Harvard and their coordinated non-disclosure to media mirrored prior security incidents, indicating a pattern of controlled communication during crises. The threat actor emphasized reluctance to harm BCH, ceasing further extortion attempts against the hospital, but the long-term security implications for ENE’s clients remained unresolved due to the vendor’s lack of transparency and ongoing law enforcement involvement.
