Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

Ransom Moves: The Dark Overlord Keeps Pressuring Victims

Demanding Bitcoins, Blackmailing Hacker Group Turns to 9/11 Conspiracies
Ransom Moves: The Dark Overlord Keeps Pressuring Victims
Beginning on Dec. 31, 2018, The Dark Overlord took to Twitter and Pastebin, claiming that it had a trove of documents tied to 9/11.

The notorious hacker blackmail gang The Dark Overlord continues its shakedown efforts, now turning its hand to 9/11 conspiracy theories to attempt to compel hacked organizations into giving it hush money, payable in bitcoins.

See Also: Live Webinar: Building Secure Delivery Pipelines with Docker, Kubernetes, and Trend Micro

The modus operandi of the hacking group, which apparently is international, remains unchanged. The Dark Overlord often threatens to leak information or to leak snippets of stolen information - and images - to try to compel victims into sending bitcoins to the group in return for a promise that no more data will get leaked (see: Hollywood Studio Hit By Cyber Extortion Says: 'Don't Trust Hackers').

Already, the group has targeted health clinics, U.S. school districts, software developers and media giants.

On Monday, however, the group began claiming that it was sitting on a treasure trove of 9/11 litigation information. Via Twitter and text-sharing site Pastebin, the group claimed to have stolen documents tied to 9/11 litigation from "dozens of solicitor firms," as well as two insurers - Hiscox Syndicates and Lloyds of London - and real estate developer Silverstein Properties in New York.

In a Monday - New Year's Eve - post to Pastebin, the group claimed to possess gigabytes of data, including 18,000 litigation documents, which it promised to sell wholesale or in batches. It also said it had released samples of the stolen data to the KickAss forum on Tor.

"The good news for you is that we'll be selling these documents for a limited time," the group said via Pastebin. "If you're a terrorist organisation such as ISIS/ISIL, Al-Qaeda, or a competing nation state of the USA such as China or Russia, you're welcome to purchase our trove of documents."

Concurrently, The Dark Overlord appears to have been trying to interest various media outlets in a 2017 hack against a London plastic surgery clinic that it has apparently not yet been able to pressure into giving it bitcoins.

In response to The Dark Overlord's claims, Twitter suspended the group's latest account (@tdo_h4ck3rs).

Even so, the group's bitcoin wallet has received 3.3 bitcoins ($12,500) this week via 13 transfers, some of which may have been from victims.

Hiscox Disclosed Hack

Victims say that The Dark Overlord may, indeed, be sitting on a cache of information tied to 9/11 insurance claims.

Hiscox on Monday said that The Dark Overlord's claims tie to a hack attack against a specialist U.S. law firm with which it works. Hiscox disclosed the data breach in April 2018, although did not say when it occurred.

"The incident involved illegal access to information stored on the law firm's server, which may have included information relating to up to 1,500 of Hiscox's U.S.-based commercial insurance policyholders," Hiscox said in its April 2018 breach notification. "The law firm's systems are not connected to Hiscox's IT infrastructure and Hiscox's own systems were unaffected by this incident."

On Monday, Hiscox said some litigation tied to 9/11 may have been compromised. "One of the cases the law firm handled for Hiscox and other insurers related to subrogation litigation arising from the events of 9/11, and we believe that information relating to this was stolen during that breach," Hiscox says in a statement.

"Once Hiscox was made aware of the law firm's data breach, it took action and informed policyholders as required," it says. "We will continue to work with law enforcement in both the U.K. and U.S. on this matter."

Silverstein Disputes Hack

But Silverstein Properties, which signed a 99-year lease for the Twin Towers prior to 9/11, says it has found no indications that it was hacked, the Register first reported.

"We are aware of claims of alleged security breaches at firms involved in the five-year insurance litigation following the attacks of 9/11, and are conducting an internal investigation based on these claims. To date, we have found no evidence to support a security breach at our company," a company spokesman tells Information Security Media Group.

"We have spent the last 17 years fulfilling our obligation to deliver a magnificent and fully rebuilt World Trade Center," he says. "We will not be distracted by 9/11 conspiracy theories."

Similarly, Lloyd's of London says it has found no signs that it was hacked. "Lloyd's has no evidence to suggest that the corporation's networks and systems have been compromised by the hacker group," a spokeswoman tells ISMG. "We remain vigilant with a number of protections in place to ensure the security and safety of data and information held by the corporation. Lloyd's will continue to monitor the situation closely, including working with managing agents targeted by the hacker group."

Hackers' Fresh Media Press

This week, The Dark Overlord has been sharing with media outlets photographs that it appears to have stolen from a U.K. plastic surgery clinic in 2017, Sky News first reported on Friday. The group's attempt to resurrect interest in the old hack appears to be a public relations maneuver designed to pressure the hacked organization - London Bridge Plastic Surgery - into paying, Sky reported.

After the clinic was hacked, however, it attempted to hack back, sending The Dark Overlord a Microsoft Word document that included an IP address beacon, reported Daily Beast's Joseph Cox in 2017. The effort apparently failed.

In the wake of The Dark Overlord this week attempting to whip up interest in the data it stole from the clinic, a spokesman says that it has suffered no new data breach since the 2017 intrusion.

"In October 2017, London Bridge Plastic Surgery was targeted in a sophisticated cyber attack in which patient data was stolen by a malicious, criminal hacking group known to international law enforcement agencies. We took measures to block the attack immediately and reported the matter to the Metropolitan Police," he tells ISMG.

"All patients were informed of the breach at the time of the attack and were offered support and guidance. "We continue to liaise with the cyber crime unit of the Metropolitan Police, whose investigation is ongoing, and we also worked closely with the Information Commissioner's Office."

The spokesman adds: "We have taken further extensive and robust measures to increase our security in order to protect patient data. Once again, we are saddened by news of the latest threats and we condemn the actions of the individuals responsible."

Victims: Under Pressure

The tactics employed this week by The Dark Overlord are nothing new.

"The group has a history of hacking organizations to obtain sensitive information before demanding money in exchange for not leaking it into the public domain," according to a 2017 alert from the U.K.'s National Cyber Security Centre, which is the public-facing part of intelligence agency GCHQ (see: UK Cybersecurity Center Issues 'The Dark Overlord' Alert).

"They leak snippets of data to the media to encourage them to report on their activity," NCSC said. "This is aimed at 'proving' that a breach has taken place and increases the pressure on the victim to pay the ransom."

At Least One Suspect Arrested

Despite law enforcement eradication efforts, The Dark Overlord has proven tough to stop.

Last May, working with the U.K.'s National Crime Agency and the FBI, Serbia's Ministry of Internal Affairs arrested a suspected member of the group.

Identified only as a Belgrade-based suspect born in 1980 with the initials "S.S.," authorities noted that the group had received at least $275,000 in bitcoin payments from U.S. victims (see: Noose Tightens Around Dark Overlord Hacking Group).

Following the arrest, however, as well as the arrest of a man in the U.K. with alleged ties to the group, an individual with control of The Dark Overlord's then Twitter account (@tdo_hackers) told ISMG: "We're still around."

This story has been updated with comments from Lloyd's of London, London Bridge Plastic Surgery and Silverstein Properties.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.