FBI Private Industry Notification warns schools about TheDarkOverlord

On January 31, 2018, the FBI released a Private Industry Notification (PIN) warning schools about the hacker(s) known as TheDarkOverlord. The information in the PIN was provided by the FBI and the Department of Education’s Office of the Inspector General, and it appears to be an expanded version of a prior alert to schools issued by the Department of Education.

While there was nothing really new in the PIN in terms of the description of the TDO’s methods, some of the numbers in the PIN may surprise members of the public. According to the PIN, TheDarkOverlord (TDO) was responsible for “at least 69 intrusions into schools and other businesses, the attempted sale of over 100 million records containing personally identifiable information (PII), and the release of over 200,000 records including the PII of over 7,000 students due to nonpayment of ransoms.”

Unfortunately, the PIN does not break down the 69 intrusions to indicate exactly how many of them involved schools. Nor do I know whether some recent reports out of Florida universities were the work of TDO or were the work of copycats.  But the reference to the release of the  personally identifiable information (PII) of over 7,000 students sounds like a reference to the Johnston Community School District incident.

But has TDO really attempted to sell “almost 100 million records?” I would love to know what  hacks those 100 million records came from, as we haven’t seen any media or HHS reports with numbers that would come anywhere close to that, and I’m aware of somewhat more than 60 of their hacks. Indeed, I suspect that the FBI’s figure of 69 attacks is a significant underestimate or intentional under-reporting of how many attacks have been the work of TDO.

But thinking about the information in the PIN reminded me of one question that’s puzzled me for quite a while now. I’d love to know why we haven’t read about any victims experiencing concrete harm. With hundreds of thousands of patient records up for sale or 100 million records up for sale, wouldn’t you think that we would have heard about large numbers of patients from Doctor A’s practice or customers or employees of Company B’s business becoming victims of ID theft or fraud?

With all of the hacks TDO has done that have been confirmed, how is it that we have not heard of numerous instances of concrete harm that could be linked to specific hacks? 

Importantly, the PIN incorporates IT best practices** for schools to help protect data assets, and I hope districts act upon those recommendations.

DataBreaches.net does not know what TDO thinks of the PIN or if they have even seen it yet, but I imagine that they would likely be pleased that at least now, the FBI refers to them as “highly trained hackers.”

As it has done in other PINs, the FBI notes that it does not recommend paying ransom, but understands that entities will evaluate all options to protect their organizations and those they serve.

Of note, the FBI claims that TDO’s prior threats of violence directed at schools and parents did not result in any financial gain for the hackers. Even if that were true, the fact that schools in Montana were closed for days and people were terrorized means that there was huge cost to the victims on multiple levels – a cost or impact that TDO could try to use for leverage in dealing with future victims. Unless school districts decide to remain open despite threats of bombs or violence, TDO has an interesting model:  pay us or we’ll close you down by scaring parents and students or exposing the students’ sensitive counseling and health records.  If their extortion demands are low enough, some school districts might decide it makes sense to just pay them and hope that then they will not have to deal with school closings, having to make up days, losing state aid, worried parents, or fragile or vulnerable students having their most sensitive information exposed publicly.

TDO has been publicly quiet since early November, but that does not mean that they are not active, and I have reason to believe that they are around but just not poking their head up publicly for now.  Stay tuned, I guess…..

**Note: Normally, this site would not link to a PIN that was marked “TLP:Amber,” but it was made freely and publicly available online not only by PublicIntelligence.net, but by the U.S. Education Department as well.  The US Education Department subsequently restricted access to the file. 

About the author: Dissent

Comments are closed.