While most people in the U.K. and U.S. might have been preparing for New Year’s Eve celebrations, the hackers known as thedarkoverlord had their own plans for the evening, and their plans seemed to involve spoiling the plans of a number of corporative executives on both sides of the Atlantic.
Earlier in the day, the hackers, whose past hacks and extortion demands have been covered extensively on this site, announced that a law firm hack earlier in 2018 that had not garnered much notice had been one of their hacks. That hack, they claim, had reportedly given them access to files from major insurers such as Hicsox Group and Lloyd’s of London.
But it was in poring through the files they obtained that the hackers realized that they had acquired a treasure trove of files concerning the World Trade Center attacks and post-attack litigation. And as you might expect with such complex litigation involving subrogation, there were files containing Sensitive Security Information “from the likes of the FBI, CIA, TSA, FAA, DOD, and others.”
By the time they were done pillaging, thedarkoverlord had acquired what they described as 18,000 files relating to the litigation.
Consistent with their past methods, thedarkoverlord claims that they had offered to keep the files out of the public’s eye if their victim paid them. And the victim did pay, they say, but as in the Larson Studio case, the victim then allegedly cooperated with law enforcement, which thedarkoverlord viewed as a breach of their contract. When the victim was unwilling to pay an additional penalty, thedarkoverlord went public with a sample of files, a new Twitter account (@tdo_h4ck3rs) to tweet out some files, and some threats.
“If a full public release happens in the near future, we’ll guarantee that we’re going to withhold only the most highly confidential and sensitive documents for private sale. For the rest of you: don’t worry, there’s thousands of documents still to go around. If you’re one of the dozens of solicitor firms who was involved in the litigation, a politician who was involved in the case, a law enforcement agency who was involved in the investigations, a property management firm, an investment bank, a client of a client, a reference of a reference, a global insurer, or whoever else, you’re welcome to contact our e-mail below and make a request to formally have your documents and materials withdrawn from any eventual public release of the materials. However, you’ll be paying us. “
The paste included links to a sampling of files that one might expect to see in any large litigation case. But the hackers also released an encrypted archive of files, and urged journalists and others to make copies of the archive, saying that in the future they would provide decryption keys to journalists who had reported on their past hacks or to those who paid for access.
Somewhat surprisingly, they did not agree to give this site decryption keys, and as far as I know, no one has actually been given decryption keys at this point. But they did agree to provide this site with exclusive access to some additional files created by Locke Lord Bissell & Liddell, the U.S. Department of Transportation, the U.S. Department of Homeland Security, and Condon & Forsyth. Because files get mailed, faxed, and otherwise shared, it was not obvious where the files had been hacked from, but they were clearly all related to the World Trade Center (WTC) litigation, as were transcriptions of voicemails, and a fascinating memorandum by Todd A. Scharnhorst of Blackwell Sanders Peper Martin (now Husch Blackwell) that was sent to Hicsox about litigation strategy reviewed with Charles Slepian. As just one example, the memo summarizes Slepian’s rationale for holding the security companies liable (as well as airlines and other defendants):
a. Again, Slepian agrees with our approach with respect to Huntleigh and Globe. He said our approach would be equally applicable to Argenbright (with respect to our pursuit of subrogation for aircraft hull losses). He also added that the security companies themselves had a duty to exceed the minimum FAA criteria recognized by 14 CFR § 107 and 14 CFR § 108.
b. In addition, Slepian suggested the following:
(1) Insufficient security staffing at each gate. There are minimum staffing standards established by the FAA and recognized by the airline industry. We will need to do some discovery to figure this out. However, he is fairly confident that the staffing at Boston’s Logan International Airport on 11 September was not up to those standards. This is due to the fact that they have one of the highest security employee turnover rates in the industry. Nearly 400 percent in the years proceeding 11 September 2001.
(2) He indicated that part of the problem was a lack of communication between all involved. This includes a lack of communication between the airlines and the security companies. He believes the breakdown in communication led to the “right hand not knowing what the left hand was doing.” This is precisely why the security companies may be one of the weakest links in the chain (although the airlines themselves could have strong-handed the security companies and made security much tighter).
So who got hacked, you may be wondering? It’s not clear to me. Although thedarkoverlord claimed in their announcement that they had hacked Hicsox, Hicsox reportedly gave Motherboard a statement saying that it was a law firm that they had used who was hacked but that their system had not been compromised. They did not name the law firm to Motherboard. When asked to respond to Hicsox’s reported denial that they were hacked, thedarkoverlord declined to comment at this time.
While exactly who got hacked or in what order entities were hacked may not yet be clear, it does seem clear that there are likely to be some very serious and interesting files in what the hackers have acquired that could provide some new perspectives on one of the biggest events of the century and its aftermath.
Within hours, word of the release of 9/11-related files had spread to 4Chan, where there was a mix of disbelief and enthusiasm for release of the files and discussion of trying to crowd-fund the release of the files.
This is a developing story that will be updated.
Update 1: Hicsox had responded to an email inquiry by publication time, but I had not spotted it in my inbox. Here is the statement from a company spokesperson, which appears to be the same as what they told Motherboard:
The tweets relate to an incident we reported in April 2018 (https://www.hiscoxgroup.com/news/press-releases/2018/12-04-18), when we were made aware that a US law firm that advised Hiscox, some of our commercial policyholders and other insurers, had experienced a data breach in which information was stolen. The law firm’s systems are not connected to Hiscox’s IT infrastructure and Hiscox’s own systems were unaffected by this incident. One of the cases the law firm handled for Hiscox and other insurers related to litigation arising from the events of 9/11, and we believe that information relating to this was stolen during that breach.
Once Hiscox was informed of the law firm’s data breach, it took action and informed policyholders as required. We will continue to work with law enforcement in both the UK and US on this matter.