On April 27, this site linked to a post by Cyble.io, describing how a threat actor claimed to have gained access to Huiying Medical’s AI-assisted COVID-19 Detection source code as well as experimental data. And it was all up for sale for 4 BTC.
On April 28, Vinny Troia tweeted:
Regarding the stolen COVID-19 vaccine data now for sale / ransom. Please do not pay for this data. It is NOT real. Data Viper has identified a history of the user’s other “hacks” and marketplace history. This appears to be a PR stunt. #databreach #covid #coronavirus
— Vinny Troia (@vinnytroia) April 28, 2020
Troia also posted a comment under the April 27th post, claiming that this was a “confirmed scam.” He was asked to provide proof that the claims were a scam, but hasn’t yet responded.
In any event, DataBreaches.net reached out to Cyble to ask for their response. In a DM exchange on Twitter with Beenu Arora, CEO of Cyble, he addressed two questions I put to them: (1) Why did Medium, where their article had first appeared, suspend their account on Medium, and (2) What was their response to Troia’s claims that this was a confirmed scam?
With respect to the first question, Arora says that they reached out to Medium to ask what rule they had violated, but have gotten no response as yet, so they moved the content of their original reporting on Medium to Cyble’s own site.
In response to this site’s query about Troia’s claim that the original claims were a “confirmed scam,” Arora explained that they initially thought it was a scam, too:
We were also under the same impression of being a scam, until we verified the access of the hacker ourselves and collected additional information.
They referred to that proof and additional information in a second article. Quoting it here:
Easter Egg: On the topic of Huiying Medical Data Breach , we have listened to the public reports calling it as a ‘fake’ breach or a scam carried out by the actor i.e. nothing is out there — we have been made aware of 3 “INTEL” companies that have denied this which we find quite funny as their due diligence was quite basic or ignored a lot of pieces to the puzzle!
Let’s get the facts right straight: Cyble would never publish an unverified breach without having tangible pieces of evidence. In an improbable scenario, which in this instance is not the case, we will admit and inform the audiences of our mistakes.
On this instance, we have exclusive information or the real ‘intel’ hence we decided to make it public due to the potential exposure to the hospitals and medical facilities. That said, see below a basic screenshot as a starting point to support the claim. Obviously, we have access to a lot more sensitive information, including their security infrastructure layout which we would never put it on the public!
Additional screenshot:
“We got the images of the source code which is nonpublic,” Arora informed DataBreaches.net
So here is the short version, according to Arora:
- Cyble said it’s true. Three intel companies said it’s not true. Chinese media said it’s not true.
- So Cyble shared some proof.
- 1 intel firm said “Oh shit, this is real. The other two intel firms said “it’s a scam.” Chinese media confirmed it’s true, but said it’s of limited impact.
This doesn’t doesn’t sound like a “confirmed scam” in light of Cyble’s report that they were able to verify the hacker’s access and could obtain nonpublic data. Huiying had claimed that it wasn’t their main business platform that had been compromised, but a training platform server. Whether anything was exaggerated or misstated by THE0TIME remains to be seen and is a distinct possibility, but jumping to calling this all a “confirmed scam” seems premature, at best.