By the end of 2016, a number of journalists and/or their employers had made an ethical decision not to report on hacks and in-progress extortion attempts by TheDarkOverlord. But did the lack of coverage enable the criminals to expand their operations without any public attention or public pressure on law enforcement to pursue them aggressively?
Reporting on hacks without further victimizing any victims is not always easy. That’s especially true when you know the hackers are trying to use you or your outlet to put pressure on their victims to pay their extortion demands. We experienced that kind of difficult situation with hacks by TheDarkOverlord last summer. When victim clinics resisted paying extortion, the hackers began leaking patient data and providing more details to journalists. Their hope – as one spokesperson explained to me at the time – was that if the patients found out that their data had been stolen but the clinic could get it back by paying up, then the patients might put pressure on the clinics to pay. And to ensure more patients found out, the hackers turned to the media, offering us details and data and quotes to encourage us to report on their hacking. Jeremy Kirk was given an exclusive on one of the hacks, I was given an exclusive on another one of the hacks, and so it went, with TheDarkOverlord working the media to create their brand and get media coverage as widely as they could.
But no one wants to become any kind of accomplice in an extortion plot or to be viewed as an accomplice just because you’re trying to report on an incident. So what does that mean about reporting on it? As I commented in January:
In November, Graham Cluley gave his reasons for not cooperating with TDO’s attempt to get media coverage from him. Graham’s decision is admirable, and feels right ethically on many levels, but it doesn’t change the fact that these hacks and extortion demands are occurring. To not report on them at all deprives the public, policy makers, and those who track breaches of information that might better inform decision making by entities, legislators, and regulators. It may also deprive individuals of the opportunity to rapidly deploy some protections if their personal information has been dumped if they have not yet been notified by the organization that was hacked.
DataBreaches.net continues to grapple with the ethical questions posed by TDO trying to use the media as part of his strategy. For now, this site will likely continue to report on his breaches, but without exposing the personal information that he relishes in exposing or the proprietary information of companies that could harm their business if revealed.
As I indicated at the time, I intended to – and did – continue to report on their hacks. But except for the Larson Studio hack and Netflix data dump which Hollywood news outlets and other news outlets covered, I think this site was pretty much the only site still trying to cover their crimes – including pointing out when hacks that had not been identified as theirs seemed remarkably similar to their methods or writing.
“Either I’m seeing TheDarkOverlord everywhere, or you ARE TheDarkOverlord,” I even wrote to some hackers recently. They never answered. Even as recently as this past week, TheDarkOverlord has declined to answer any questions from me as to whether other operations under other flags/names might be theirs.
So I was seeing what appeared to be signs of TheDarkOverlord everywhere, even though they were not contacting me to tell me about any new hacks or operations. I would discuss my observations with security professionals I occasionally chat with, and I would share my observations with other journalists to ask them what they were seeing.
TheDarkOverlord was either the energizer bunny of blackhats and had expanded their operations significantly or others were now copycats. My money was, and remains, on the former hypothesis.
But no one was saying much publicly other than this site following up on some hacks by TDO in the healthcare sector that they never publicly announced but had shared with me.
And then Flathead County schools happened, and people were shocked and terrified.
I didn’t find out about the Flathead incident right away. Somehow, my news searches never returned any results on it. It was only after the sheriff revealed the ransom letter that I first became aware of the matter.
As I read the posted ransom letter, I felt badly for the parents in the community and could understand their anxiety as a parent. But as someone who has been watching TDO for more than one year now, I knew that the threats of physical violence were bullshit because I had seen threats like that before from them.
But because the parties involved in past incidents had not publicly shared the threats they had received, and because there were no government advisories that prepared entities for hacks and extortion demands from TDO, the public never found out how common it might be for TheDarkOverlord to issue threats of violence as part of their attempts to pressure entities to pay extortion.
Had the many dozens of entities who had previously been hacked and extorted by TheDarkOverlord publicly shared their experiences, or had the government issued any advisories on TDO, might the good folks of Flathead immediately recognized what was happening and know that any threats were likely to be bullshit? I think they might have. Maybe they would have still erred on the side of caution by closing schools for a day, but the overall incident response might have been quite different if more information had already been publicly available.
Some of this is on those who did not disclose/share their experiences so that others might be better prepared. And some of this may be on the government for not issuing any kind of helpful advisory that would lead more entities to be properly prepared with a plan to respond to such hacks and demands.
But some of this is may be on us, as journalists, because we did not serve the public well by not exposing and covering TheDarkOverlord’s crimes. While the media remained silent other than reporting on hacks of TV shows, TheDarkOverlord was hacking and attempting to extort businesses, medical entities, contractors involved in national defense, and schools. And instead of reporting that, news outlets that report on other hacks and security news remained silent.
This site will continue to cover TheDarkOverlord, and I hope other journalists and outlets will reconsider their position and figure out how to cover TDO responsibly so that the public is better informed about what has, indeed, become a persistent threat.
And yes, I realize that others whom I respect may not agree with what I’ve written here. Have at it and tell me your thoughts.