Jan 072019

I’ve probably reported more on the blackhats known as thedarkoverlord (TDO) than other journalists, and I’ve probably spent more time chatting with them about their work than any other journalist. But despite my considerable investment of time, there are times when I simply do not understand why they are doing what they are doing. As someone who has had decades of professional experience predicting and understanding behavior, I find that when their strategy makes absolutely no sense to me, either their neurology has led them down an unusual path, or I’m failing to appreciate some brilliance on their part.

It might be either. Or both.

So let me use this post to lay out what I’ve observed about TDO’s approach to amassing vast amounts of internet money (as they call it), and how it has been evolving over the past few years.

In the Beginning

When TDO first burst on the scene in June, 2016, it was after they had listed three patient databases with hundreds of thousands of records for sale on The Real Deal marketplace, asking exorbitant amounts of money for them.

It soon became clear that the sale of the patient databases was simply a way to put pressure on their victims, who they had been attempting to extort. By placing such a high price on the data, they got media attention, and with the media attention and reporting, more pressure on their victims.

But did that increased pressure convert to increased payment by the medical clinics? It didn’t appear to. Their early extortion demands, which I was privy to by virtue of having been shown many of their nonpublic email chains with their victims, did not appear immensely successful. From reading their communications, it was clear to me that TDO had done their homework: they had researched their victims and knew the names of the executives and staff, and they had even researched their victims’ families. They had also looked at patient databases closely enough to spot patient names that might belong to celebrities or famous sports figures. [Note: I am referring to TDO as “they” because it appears to be have been than one person over time and even during the same time period.]

So TDO did not appear to be particularly successful in their early attempts to extort the medical sector, even though they appeared to be doing more work researching their victims than the threat actors known as Rex Mundi had done, and even though they were tweeting claims that they had been successful. More than one year later, I would learn that TDO was, indeed, doing better financially than I had imagined, as they showed me some of their wallets from 2016 and signed messages to me from the wallets.

But back in the summer of 2016, TDO was not happy, to say the least. I cannot get into any details, but it almost appeared to be an obsessive battle of wills — that the victims HAD to pay or TDO would make them suffer.

As brilliant intellectually as TDO seemed to be (and yes, I do think the person I was dealing with is intellectually gifted), TDO didn’t seem to really grasp how to get people to do what they wanted them to do. Doctors really do care about trying to protect patient data. Threats or reminders of the consequences of breaches aren’t really necessary or even helpful. TDO’s strategy was to increase the pressure on victims by a parade of horribles, but the victims didn’t need the parade of horribles or more motivation. As psychologist Ross Greene has famously said, “Motivation makes the possible more possible. It does not make the impossible possible.” TDO’s victims were already motivated to protect patient data, but TDO did not seem to fully recognize what was needed or helpful to convert that motivation to payment. And they couldn’t always seem to recognize situations in which they were just never going to get paid – even when doctors told them to go “F…” themselves.

So there was TDO in 2016, setting ridiculously high amounts for extortion payments or for sale of databases. They didn’t care about the patients or what would happen to the patients. They cared only about getting money. Nothing else. And they didn’t seem to fully appreciate how to negotiate with healthcare professionals about protected health information. Perhaps they thought that they figured it out the following year when they began offering victims contracts that included three different payment options, but even that missed the boat.

But let me digress for one minute, because to this day, people still don’t seem to understand one thing about TDO that TDO has always been extremely clear about and consistent about: they do not care about the human emotions or anguish people might feel. They only care about how to exploit human emotions if it gets them more money.

From my perspective, one of the strangest – and most instructive – breaches of theirs was the  Little Red Door Cancer Services of East Central Indiana hack. To this day, I’m still not totally confident that I understand what happened there because the center’s statements and TDO’s statements about “ransomware” and servers being wiped were quite different, but what really puzzled me was that they attacked a little not-for-profit. Why? This NFP had almost no money at all. Why not go after a victim that has the means to pay more? I understood that they didn’t care about the humanitarian effort, cancer, etc. But if they cared about money, why waste time on this little NFP?

So that particular attack made no sense to me, and I don’t like it when things don’t make sense. By the end of 2017, though, they had also attacked a number of school districts, again leaving me wondering … why? Why attack a public school district that almost certainly will not have a lot of resources or a hefty cyberinsurance policy? Why not just go after the real commercially viable firms that are raking in tons of money? Was this really just about getting internet money or was some part of it also the challenge of seeing if they could get their victims to pay them something – anything – just to feel that they have “won” somehow or bested their adversary?

And why continue to use a hack and extort approach instead of just deploying ransomware which might produce faster results?

What was TDO thinking about these questions, and why? I wish I could have gotten them or even still get them to explain their rationale to me, but alas, they have always declined to discuss these things.

Since 2016, TDO has been attacking victims from all sectors, and attempting to extort them all, although sometimes, they don’t get around to attempting extortion until months or a year after they have hacked and exfiltrated data. And at times, they seem to be attempting to extort the wrong entity, as I recently noted in discussing their erroneous claims about National Life Group, although they might try to argue that a deep pockets entity is the right entity to extort even if it wasn’t their servers that were attacked. And if that really is their intention – and not just a coverup for attempting to extort the wrong entity – then that, too, is a change in their methods to note. But what could your firm do with the knowledge that TDO might attempt to extort your firm even if you weren’t the entity they hacked? Are there situations in which non-hacked entities might agree to pay?

NOW What Are They Doing?!

With their recent return to public visibility to try to make money from 9/11 files via both extortion and crowdfunding, TDO seems to be experimenting yet again. Perhaps starting with a page from the Shadow Brokers, TDO may have come up with a winning strategy: demand payment from your victims to return or delete data so that it never sees the light of day, while at the same time asking the public to crowdfund payment to you so that you will make the files public. They can get paid either way.

This strategy really may be a game-changer in terms of extortion attempts going forward if the data or files are sufficiently of interest to the public. In this case, TDO has already tested the water by mentioning that they have files on UFOs. Well, how can that not be a winner, right?

And in a second test of the “pay us not to release the data” and “pay us to show you the data,” TDO is also currently putting pressure on victims of the London Bridge Plastic Surgery hack disclosed in 2017, but now they are attempting to extort the patients themselves. [Note: DataBreaches.net decided not to report on that hack at the time because the data were unusually sensitive, including pictures of genitalia and identifiable patient data and psychological reports.] Having failed to obtain the payment they sought from the surgery itself in 2017, TDO now appears to be trying to extort the patients directly. That, experiment, too, may lead to more extortion of individuals down the road if the London Bridge Plastic Surgery patients pay their demands. And if the patients don’t pay up, well the public may pay to see nude celebrities. Either way, TDO would get some money.

The London Bridge Plastic Surgery-related extortion also highlights another aspect of TDO’s methods: they don’t just extort and pack it in. They go back to the victims and try and try again, even more than one year later. So maybe victims who breathe a sigh of relief when TDO stops contacting them shouldn’t feel relieved. They may come back and try again, or they may reach out to your patients or clients at a later date.

Of concern, while all this is going on right now — while TDO is trying to make money from the 9/11 files they claim they have while at the same time trying to extort National Life Group, patients of London Bridge Plastic Surgery, and likely Advantage Life, and FRS — there are still many more other hacking victims of theirs who are in the process of being extorted or who will receive extortion demands at some point.

And what TDO learns now from its newest experiments may impact what happens to all of their other hacking victims that haven’t been disclosed yet. Some of them are likely small medical practices. Some are public schools. And there’s no point in asking TDO to show them any mercy because they just don’t care. The blackhats that revel in being called cyber-enabled terrorists are still developing their approach and their image doesn’t include being compassionate. It only includes being profitable.

So those of you who have been cheering TDO on for leaking the 9/11 files or because you want the UFO files or to see nude celebrities, remember that you cheered them on when they threaten to expose really sensitive information about you or your family.

Jan 042019

Hackers claimed to have hacked hundreds of thousands of records from National Life Group, but investigation points to Sterling National Financial Group as the likely hacked entity

The blackhat hacker/extortionist(s) known as thedarkoverlord (TDO) ended 2018 and welcomed 2019 with a number of bold announcements about large hacks. One of those announcements was their claim in a since-removed paste that they had hacked National Life Group (NLG) and exfiltrated more than 500,000 records from their servers:

We breached National Life Group and stole over 500.000 records from their servers. They rejected our most handsome business proposition so we’re leaking a few sample documents now with more to come soon.

National Life Group

The hackers’ claims are disputed by NLG on a few important points. Until DataBreaches.net called NLG, they reportedly had no idea that anyone was claiming that that they had been hacked and they were not aware that anyone was trying to extort them over a hack they knew nothing about. When contacted by DataBreaches.net, their initial response could be summarized as, “What hack? What extortion attempt? We have no idea what you’re talking about.” But to understand how we got to that point, we need to back up a few weeks.

A few weeks before their public claims, TDO had contacted DataBreaches.net and provided a sample of files that they claimed were from a hack of NLG. The files that DataBreaches.net received at that time are the same files that TDO recently made publicly available in a data dump that DataBreaches.net will not link to.

On December 21, after a preliminary examination of the files, this journalist contacted NLG and spoke with Ross Sneyd about TDO’s claims. Sneyd denied ever having had any email communication from TDO, despite TDO insisting that they had made contact with him previously. He also denied any knowledge of any hack. I verbally provided him with some data — the names of policyholders whose names appeared in the files I had and the names and affiliations of the insurance agents who completed the applications. Sneyd informed me that they would immediately investigate the claims.

Suiting action to their word, one of the things NLG immediately did was to contact FireEye’s Mandiant division for assistance in their investigation.

While they pursued their investigation, this site kept digging into the files it had received, becoming less and less certain that there had been any hack of NLG. Although the files were applications for NLG policies and products, the files and the metadata all appeared to point to Texas-based Sterling National Financial Groupa firm that provides retirement and financial planning services to employees in the public marketplace.

Sterling National Financial Group

When asked to provide DataBreaches.net with more data that would prove that it was NLG that had been hacked and not Sterling NFG, thedarkoverlord declined to provide more materials.

Sample Data

Many of the files in the small sample this site received were confirmations that individuals had successfully applied for an insurance product. The files contained a wealth of personal and financial information such as name, postal and email address, telephone numbers (landline and cell), date of birth, Social Security number, driver’s license number (in some cases), country of birth, name of beneficiaries and their dates of birth, the applicant’s employer and job title, and bank account information including Bank name, routing number, and full account number.

Note: Although TDO subsequently released theses same files to the general public unredacted, DataBreaches is redacting the files to protect the personally identifiable information.

One of the files provided to DataBreaches.net by thedarkoverlord. Redacted by DataBreaches.net
Some files contained employment information as well as banking details such as bank name, account number, and routing number, all in plain text. Redacted by DataBreaches.net

For some applicants, the files would include health information on the applicant and their minor child if they had a policy that called for term coverage:

Health history form, as completed by one applicant (redacted by DataBreaches.net)
If a Child Term Rider was sought, the company inquired about neurological disorders or diagnoses that the child might have, as well as heart, lung, or cancer-related problems. DataBreaches.net does not know how many forms with this Part E completed are now in the hackers’ hands.

National Life Group and Sterling NFG Respond

Late yesterday, DataBreaches.net received statements from both National Life Group and Sterling National Financial Group. National Life Group’s statement, below, appears to confirm what DataBreaches.net had suggested: that it wasn’t their hack:

When we learned of this incident on Dec. 21 we began working with Mandiant, a leading independent digital forensics firm. Mandiant’s initial findings are that there is no evidence of a breach at National Life and this incident likely originated with an independent insurance agency. Mandiant’s work is ongoing.
We understand the independent agency, which works with multiple insurance carriers, is now or will shortly be notifying the affected individuals.
We are also working with law enforcement.

Sterling NFG’s statement to DataBreaches.net, below, seems to acknowledge that they are responsible for notifying customers of a breach, although we might wish that their statement was a bit clearer:

Sterling is aware of this incident. We are working with third party professionals to investigate the situation as well as working diligently to send notification letters to affected customers who will be eligible for credit monitoring services at no cost to them. Due to the current investigation we are unable to provide further comment.

Sterling NFG declined to provide additional details so DataBreaches.net.

DataBreaches.net asked thedarkoverlord to respond to NFG’s denial that they were hacked. The hackers responded:

The insurance policies of the affected materials are held by National Life Group. This makes National Life Group the parent and holds responsibility over the security of the policyholders, who will now have their sensitive PII sold in droves on the dark web, due to NLG’s refusal to accept our most handsome business proposition.

Who’s the Target of the “Handsome Proposition” ????

TDO declined to comment further in response to additional questions posed by this site. Their response — attempting to justify NLG paying their “handsome proposition” instead of Sterling NFG — was a bit surprising, but seems somewhat consistent with other recent statements they have made where they have attempted to hold large insurers with deep pockets such as Hicsox and Lloyd’s of London responsible for a breach that the former firm claims was actually at a law firm that had done some work for them.

If this is TDO’s newer business model or approach, it doesn’t make much sense to me. Yes, I can see claiming that National Life might potentially take a reputation hit because it is their policyholders whose data was stolen, and I can see someone making an argument that National Life’s duty to its policyholders should extend to them ensuring that independent insurance agents who collect information destined for them should have adequate data security, but why would National Life’s insurer reimburse them if they were to pay any “handsome proposition” or extortion demand? If TDO is motivated solely by “internet money” as they repeatedly claim, why go after a firm that won’t get reimbursed for paying their request? Wouldn’t they stand a better chance with a firm that has insurance coverage for a hack?

And yes, I readily admit that I have no business acumen. Thedarkoverlord gives a lot of thought to their methods and business model. Maybe they are on to something that I just fail to recognize or appreciate. Then again, maybe they’re just extorting up the wrong tree, so to speak?

At some point, we will hopefully get some clarification and additional details on this breach. For now, I have no proof as to how many records were actually stolen. Nor do I know if all of the records pertained to NLG policyholders (unlikely if the hack was of Sterling), or if a hack of Sterling’s servers also compromised data of policyholders of other insurers. The latter possibility seems much more likely.

For now, though, it’s important to emphasize that just because thedarkoverlord claims they hacked an entity, they may not have hacked that entity at all and journalists will need to be especially cautious about repeating any claims that contain attributions.

Jan 012019

The events of 9/11 and theories about those events have occupied a prominent place in our culture. As someone who was there in the aftermath, as a rescuer with the Red Cross, I have enduring memories of what is was like to be just north of Ground Zero in eery silence, and to see the faces of dozens of widows of FDNY firefighters who had given their lives to save others. A few weeks later, as I walked through New York City with my daughter, still in stunned silence, we walked past all the “Have You Seen” posters that were still up. By then, we knew that those posters would never result in joyous reunions, but no one had the heart to take the posters down.

I realize that thedarkoverlord does not care about any of the above. They are only interested in getting lots and lots of internet money, as they have repeatedly informed me and the public over the past 2+ years. But it matters to me. And so one of the documents that they provided from their cache of hacked documents about 9/11 just stopped me cold, because it reminded me how uncaring aspects of the settlement and subrogation litigation could be.

In a confidential letter to Condon & Forsyth, LLP, who were the attorneys for Flight 11 defendants, Kreindler & Kreindler (attorneys for plaintiffs), discuss documentation that they will provide for the wrongful death/personal injury case. That documentation, as outlined in their March 14, 2005 letter, would include:

    Income tax returns (at least 3 years);
    birth certificates of decedents, survivors, and heirs;
    marriage certificates;
    death certificates;
    decedent’s education certificates and degrees;
    employer provided benefits (including fringe benefits) documentation;
    pension plan documentation;
    medical examiner reports;
    personal health/medical documentation;
    divorce degrees; if any

I don’t know how much other documentation was to also be provided, as I only have the first page of the correspondence, but I wouldn’t be surprised if there were more document types listed on the next page of that letter, too.

So this is how the worth of our lives is to be calculated in the event of a wrongful death or personal injury case? Not by whether we’ve done good in the world or had hopes and dreams that will never be realized, or we have left behind shattered families. But by a list of data types that bean-counters and lawyers can agree upon?

I wonder how the families of the 9/11 victims feel seeing these types of cold negotiations for settlement. It must have been brutal for them if they knew.

As I said yesterday, thedarkoverlord’s cache of documents related to 9/11 will probably show us some of the underside of subrogation litigation and government investigations that we would not otherwise see. History buffs may welcome the release while the companies involved may shudder.

Update of January 3: Thedarkoverlord released more files last night, and the full document from Kreindler & Kreindler was included in that batch. As I had commented, there could be more types of data in their list, and there was: Page 2 of the document listed three other types of information on the dead or injured:

    documentation or narrative details concerning lost household services and other extraordinary circumstances;
    any other materials or information counsel may want you to consider to fairly evaluate their case including the identity of the persons who are entitled to share any award, settlement, or verdict; and<
    with respect to “ground victims”, the best estimate of their location oat the time of death.

And of course, all materials were to be kept strictly confidential. But were they, or years later, did they wind up in the hands of thedarkoverlord? So far, I have not seen any sensitive victim records in the materials that the hackers have released, but they have a lot more in their possession.

Jan 012019

While most people in the U.K. and U.S. might have been preparing for New Year’s Eve celebrations, the hackers known as thedarkoverlord had their own plans for the evening, and their plans seemed to involve spoiling the plans of a number of corporative executives on both sides of the Atlantic.

Earlier in the day, the hackers, whose past hacks and extortion demands have been covered extensively on this site, announced that a law firm hack earlier in 2018 that had not garnered much notice had been one of their hacks. That hack, they claim, had reportedly given them access to files from major insurers such as Hicsox Group and Lloyd’s of London.

The World Trade Center, September 11, 2001.
© Kentannenbaum 

But it was in poring through the files they obtained that the hackers realized that they had acquired a treasure trove of files concerning the World Trade Center attacks and post-attack litigation. And as you might expect with such complex litigation involving subrogation, there were files containing Sensitive Security Information “from the likes of the FBI, CIA, TSA, FAA, DOD, and others.”

By the time they were done pillaging, thedarkoverlord had acquired what they described as 18,000 files relating to the litigation.

Consistent with their past methods, thedarkoverlord claims that they had offered to keep the files out of the public’s eye if their victim paid them. And the victim did pay, they say, but as in the Larson Studio case, the victim then allegedly cooperated with law enforcement, which thedarkoverlord viewed as a breach of their contract. When the victim was unwilling to pay an additional penalty, thedarkoverlord went public with a sample of files, a new Twitter account (@tdo_h4ck3rs) to tweet out some files, and some threats.

“If a full public release happens in the near future, we’ll guarantee that we’re going to withhold only the most highly confidential and sensitive documents for private sale. For the rest of you: don’t worry, there’s thousands of documents still to go around. If you’re one of the dozens of solicitor firms who was involved in the litigation, a politician who was involved in the case, a law enforcement agency who was involved in the investigations, a property management firm, an investment bank, a client of a client, a reference of a reference, a global insurer, or whoever else, you’re welcome to contact our e-mail below and make a request to formally have your documents and materials withdrawn from any eventual public release of the materials. However, you’ll be paying us. “

The paste included links to a sampling of files that one might expect to see in any large litigation case. But the hackers also released an encrypted archive of files, and urged journalists and others to make copies of the archive, saying that in the future they would provide decryption keys to journalists who had reported on their past hacks or to those who paid for access.

Somewhat surprisingly, they did not agree to give this site decryption keys, and as far as I know, no one has actually been given decryption keys at this point. But they did agree to provide this site with exclusive access to some additional files created by Locke Lord Bissell & Liddell,  the U.S. Department of Transportation, the U.S. Department of Homeland Security, and Condon & Forsyth.  Because files get mailed, faxed, and otherwise shared, it was not obvious where the files had been hacked from, but they were clearly all related to the World Trade Center (WTC) litigation, as were transcriptions of voicemails, and a fascinating memorandum by Todd A. Scharnhorst of Blackwell Sanders Peper Martin (now Husch Blackwell) that was sent to Hicsox about litigation strategy reviewed with Charles Slepian. As just one example, the memo summarizes Slepian’s rationale for holding the security companies liable (as well as airlines and other defendants):

a.             Again, Slepian agrees with our approach with respect to Huntleigh and Globe.  He said our approach would be equally applicable to Argenbright (with respect to our pursuit of subrogation for aircraft hull losses).  He also added that the security companies themselves had a duty to exceed the minimum FAA criteria recognized by 14 CFR § 107 and 14 CFR § 108.

b.             In addition, Slepian suggested the following:
(1)          Insufficient security staffing at each gate.  There are minimum staffing standards established by the FAA and recognized by the airline industry.  We will need to do some discovery to figure this out. However, he is fairly confident that the staffing at Boston’s Logan International Airport on 11 September was not up to those standards.  This is due to the fact that they have one of the highest security employee turnover rates in the industry.  Nearly 400 percent in the years proceeding 11 September 2001.  
(2)          He indicated that part of the problem was a lack of communication between all involved.  This includes a lack of communication between the airlines and the security companies.  He believes the breakdown in communication led to the “right hand not knowing what the left hand was doing.”  This is precisely why the security companies may be one of the weakest links in the chain (although the airlines themselves could have strong-handed the security companies and made security much tighter).

So who got hacked, you may be wondering? It’s not clear to me. Although thedarkoverlord claimed in their announcement that they had hacked Hicsox, Hicsox reportedly gave Motherboard a statement saying that it was a law firm that they had used who was hacked but that their system had not been compromised. They did not name the law firm to Motherboard. When asked to respond to Hicsox’s reported denial that they were hacked, thedarkoverlord declined to comment at this time.

While exactly who got hacked or in what order entities were hacked may not yet be clear, it does seem clear that there are likely to be some very serious and interesting files in what the hackers have acquired that could provide some new perspectives on one of the biggest events of the century and its aftermath.

Within hours, word of the release of 9/11-related files had spread to 4Chan, where there was a mix of disbelief and enthusiasm for release of the files and discussion of trying to crowd-fund the release of the files.

This is a developing story that will be updated.

Update 1: Hicsox had responded to an email inquiry by publication time, but I had not spotted it in my inbox. Here is the statement from a company spokesperson, which appears to be the same as what they told Motherboard:

The tweets relate to an incident we reported in April 2018 (https://www.hiscoxgroup.com/news/press-releases/2018/12-04-18), when we were made aware that a US law firm that advised Hiscox, some of our commercial policyholders and other insurers, had experienced a data breach in which information was stolen. The law firm’s systems are not connected to Hiscox’s IT infrastructure and Hiscox’s own systems were unaffected by this incident. One of the cases the law firm handled for Hiscox and other insurers related to litigation arising from the events of 9/11, and we believe that information relating to this was stolen during that breach.

Once Hiscox was informed of the law firm’s data breach, it took action and informed policyholders as required. We will continue to work with law enforcement in both the UK and US on this matter.

Dec 062018

TheDarkOverlord is back on Twitter with a new account, and their first tweets give a hint as to why their @tdo_hackers account had been suspended.  In two tweets posted overnight to @tdo_hack3rs, TDO writes:

Perhaps Twitter is most concerned with suspending us when we’ve not made any clear violations because 1/2

the FISA order we’re planning to release is one that the USA gov served to Twitter in an attempt to deploy a NIT against us. 2/2

This is not the first time TDO has mentioned a FISA order – or a NIT  (network investigative technique) deployed against them. In November, 2017, DataBreaches.net reported TDO’s claims, but at the time, they did not provide any details or specifics:

At this time, we’re only at liberty to disclose that in at least one case of a NIT usage, a widely used internet service, used by millions, was a witting accomplice in the NIT’s usage. We can confirm that this widely used internet service is under a legal order. We’ve solicited the assistance of a globally recognised and highly reputable cyber-security firm to further unravel the NITs. We believe these NITs are highly disruptive, and far too dangerous to be in the wild.

If they are now naming Twitter as that service and do release the FISA order, that would be something.

So far, they have not publicly revealed any details of the NIT, but perhaps they will.

Twitter did not immediately respond to a request for comment on the claims.  This post will be updated if a response is received.

Update of December 7:  It appears Twitter has suspended TDO’s new account, too, which is why the embedded tweets no longer show up in this article, although the text was quoted.