What will The Dark Overlord Do Next – a CTI Assessment

On December 31, 2018, a cybercrime group going by the handle The Dark Overlord (hereafter TDO) claimed to have hacked an unnamed company and exfiltrated a large volume of sensitive documents related to lawsuits arising from the 9/11 terror attacks. TDO aims to extort the impacted organizations into paying a Bitcoin ransom, and it has already published batches of the leaked material after creating a public auction system in which anyone can contribute Bitcoins to unlock new documents.

TDO’s tweet announcing the hack, as collected by the Verint Webint 7.5 system. The Twitter account has been suspended

TDO’s Calculated Breach Announcement and Social Media Campaign

The Dark Overlord first announced the existence of the leaked documents on the text-sharing platform, Pastebin, on December 31, 2018. The announcement claimed the group has obtained a batch of 18,000 documents related to the 9/11 terror attacks, which they referred to as the “9/11 Papers.” According to the group, they successfully breached the network of an unnamed US company, and exfiltrated a significant volume of sensitive data connected to the 9/11 litigation process.

Excerpt from the long paste where TDO announces its intention to extort money from its victims, and makes its motivation explicit

Following the alleged hack, TDO conducted an aggressive money extortion operation on social media, targeting the impacted organizations, mainly airline companies, solicitors’ firms, global insurers, government agencies, and others.

The Guessing Game – Discovering the Breach Origin

A spokesperson for Hiscox Syndicates Ltd. (one of the extorted companies) suggested the hackers had compromised a law firm that advised the company, and likely exfiltrated files related to the litigation around the 9/11 attacks from their servers. Several other companies stated they had found no evidence of a security breach impacting their internal networks.

TDO threatened to release compromising documents that may lead to further liability, should their demands not be met. TDO also established a public auction system, through which anyone can contribute Bitcoins to a TDO-controlled wallet to see more documents published. Moreover, they are also selling the stolen data on an elite Darknet hacking forum we monitor.

The Carefully Planned Release of the Leaked Data

In the first paste, TDO also published a link to download the entire 9/11 World Trade Center litigation archive. The archive is an AES-encrypted container created with the open-source VeraCrypt utility. On January 2, 2019, to prove the authenticity of the documents in their possession, TDO shared the decryption key for the ‘Preview_Documents’ folder, effectively placing its contents in the public domain. Upon verification, the documents appeared to be authentic.

Overview of the files contained in the ‘Preview_Documents’ folder (left), and the content of the ‘00052249 DOC’ file (right)

On January 4, 2019, TDO released the decryption key for another batch, comprising approximately 500 files. They subsequently released three additional batches, named “Checkpoint 05,” “Checkpoint 06,” and “Checkpoint 07” (~150 additional files). These files appear to consist largely of legal documents and email correspondence between law firms and other entities.

In a subsequent extremely threatening blog post, TDO directly addressed US government organizations, notably the Federal Aviation Administration (FAA), the Transportation Security Administration (TSA), and the FBI, among others, to push them to meet their demands before the situation became “tragic.” In this post, we also detected sporadic spelling mistakes (e.g. ‘tragick’ instead of ‘tragic,’ and ‘choise’ instead of ‘choice’), possibly used as false flags.

We are still processing the great volume of leaked data, but our initial assessment is that the sensitivity of the data published so far has been deliberately inflated by TDO, through a highly professional marketing campaign. We will closely monitor TDO’s media outlets for further publications, and thus test our hypothesis.

Proactively Monitoring TDO – What Can We Learn from Their Previous Activities?

The Dark Overlord is a highly-skilled cybercrime actor (possibly a well-structured cybercrime organization) active since at least June 2016. TDO entered the public spotlight following the 2017 hack of Larson Studios, and the subsequent release of an entire season of the TV show “Orange is the New Black”. TDO claimed the release of the season was to punish Larson for collaborating with the FBI, violating their agreement.

We have closely monitored TDO’s criminal activity since its very inception, infiltrating underground communities where it is most active, and following its social media footprints, to profile the threat actor’s modus operandi and assess the threat level it poses to organizations worldwide.

Example of TDO sales posts on a Darknet forum and marketplaces in recent years. Source: Verint DarkAlert

The threat actor has been predominantly active on Darknet marketplaces and hacking forums, where they try to sell ‘private’ databases (databases that are not yet in the public domain), as well as other goods, such as software source code. In this regard, we recently detected products they sell on an elite hacking forum we monitor, where the group has rapidly achieved VIP status. In fact, an entire forum room is now dedicated to their sales.

With regard to the “9/11 Papers” case, TDO used a dedicated Twitter profile, created in December 2018, to put pressure on the impacted parties by gaining as much visibility as possible. Twitter soon suspended the account. As a result, TDO initially moved to Reddit and, after being banned from there too, eventually moved to the blockchain-based blogging and social networking website Steemit to maintain a more stable communication channel.

What Will TDO do next – a CTI assessment

We assess, with a high level of confidence, that the documents possessed by TDO are authentic, and that the threat actor will continue to release further batches from the archive. Nonetheless, we also estimate that the sensitivity level of these documents might be calculatedly inflated by the threat actor via a sophisticated social media campaign attempting to capitalize on the hack they conducted, by leveraging 9/11-related conspiracy theories.

When evaluating this incident, a simple review of the OSINT publications is not sufficient to build a complete intelligence picture. It is necessary to extend threat visibility by employing additional intelligence methodologies. Combining and comparing the intelligence findings collected by our Cyber Threat Intelligence (CTI) analysts over the years (such as historical data about the TDO group and their underground activities, an assessment of their modus operandi compared with other attacks of the same type, and analysis of the chatter on the subject in closed hacking communities) is crucial to assembling, piece by piece, the whole picture of this incident and establishing its credibility and threat level.

Cyber Threat Intelligence plays a critical role in providing clear threat visibility and developing capabilities for a proactive cyber defense strategy. CTI is a critical layer in this proactive approach, with the purpose of expanding the threat visibility of any organization.
