DataBreaches.net has been reporting on TheDarkOverlord (TDO) since they first burst on the scene in June, 2016. Since then, this site has reported on numerous attacks by them on health care entities, financial and business entities, a Hollywood post-production studio, and a defense contractor.
Now they have begun to target the education sector, and an official at the U.S. Department of Education tells DataBreaches.net it is looking into what it can do in response.
Upping the ante with threats of physical violence
In September, TDO attacked Flathead County schools in Montana, and hit them in a way that they have only rarely used before – reaching out to send highly personalized messages with threats of violence. More typical of TDO, they also sent a lengthy and detailed letter to the district that included excerpts of very personal and detailed information on students taken from records the hackers had managed to access and acquire. The message was clear: the hackers were in possession of extremely sensitive information about children and weren’t above dumping it publicly if the district did not pay their extortion demands.
In response to the threats, Flathead – not yet knowing who they were dealing with and understandably preferring to err on the side of safety – closed more than 30 schools for days while law enforcement investigated the threats.
TDO had seemingly brought the district to its knees. Even weeks later, people in the community are still unnerved by the experience.
Would TDO actually resort to physical violence or try to so humiliate some children that the children might become depressed and/or suicidal? They have never done so to date to this blogger’s knowledge, but DataBreaches.net believes it’s actually quite likely that they will reveal students’ and parents’ most intimate and sensitive details that they were able to acquire if extortion demands are not met – because that’s their usual pattern. It may not get these victims to pay them, but they will likely do it anyway to serve as a warning to future victims.
Blame it on the FBI??
One important piece of this is that TDO seems to blame the FBI for victims not paying up. It would not be surprising if districts did ask the FBI for information about these hackers or for advice about whether to pay extortion. But what is the FBI telling them?
When TDO hacked Larson Studios last year, the studio paid up – $50,000. And under the contract TDO had given them, TDO should not have further disclosed any data and should not have “double-dipped” or tried to get even more money. But months later, TDO did disclose the data after attempting to also extort Netflix over the episodes Larson Studios had been working on. When asked why they seemingly broke their word after Larson paid up, TDO claimed that Larson had paid but had violated the contract by cooperating with the FBI. TDO wanted victims to know that cooperating with the FBI or listening to the FBI if the FBI should tell them not to pay extortion was not okay with them.
So now TDO appears to be taking that message more directly to the FBI. As TDO told The Daily Beast, “We’re escalating the intensity of our strategy in response to the FBI’s persistence in persuading clients away from us.” They used slightly different words with DataBreaches.net, but the sense this site got from them was that if the FBI doesn’t back off, children will be harmed. “We’re focusing on critical infrastructure to send a message to the FBI. We like to hit close to home,” a spokesperson for TheDarkOverlord told DataBreaches.net.
Two more victim districts come forward
Flathead was not the only school district recently hacked by TDO. Splendora ISD in Texas also was hacked by them. TDO acknowledged their responsibility for the hack in a tweet:
One of our favourite musical tracks is “You’re Standing on My Neck” by Splendora. It’s a most splendid piece. We enjoy standing on necks.
— thedarkoverlord (@tdo_hackers) September 28, 2017
Splendora’s response was much more measured and low-key than Flathead’s response – probably because they learned from Flathead’s experience.
Splendora ISD did not close schools.
Splendora ISD labeled the hacker’s early threats as a “hoax,” and told the parents they would keep them apprised. And if you had checked the district’s web site, you would see no alarming messages from the district to parents about the situation. Indeed, the district’s response was so understated that one person told KHOU:
“Everyone’s scared but we’re just going with the flow to see what happens,” said Elizabeth Taylor who is related to several students attending SISD schools. “Nothing has happened over the years, so I don’t think anyone thinks anything is going to happen, just probably childish kids.”
Regardless of whether that characterization of “childish kids” is true (DataBreaches.net does not believe that it is), the hackers are likely in possession of all of Splendora ISD’s personal and sensitive records and information about its students.
And TDO didn’t stop with Flathead and Splendora. They also attacked Johnston Community School District in Iowa. Like Flathead, Johnston closed down their schools while they investigated the threats. TDO subsequently publicly acknowledged that they were the attackers:
We’re now publicly claiming responsibility for the threats that resulted in the closure of JCSD in Iowa and 7.200 children without school.
— thedarkoverlord (@tdo_hackers) October 4, 2017
With the student directory from JCSD we released, any child predator can now easily acquire new targets and even plan based on grade level.
— thedarkoverlord (@tdo_hackers) October 5, 2017
If TDO intended to cause alarm among parents by suggesting that they had now made children more likely targets for predators, they might have been disappointed at how many parents – and students – responded to their threats. As reported first by Joe Cox, some students threatened individually and directly by TDO reacted by calling them back and leaving them their own obscenity-laced messages. TDO uploaded a number of messages they claim they received. Rather than responding with terror, at least some of the students seem to have decided to call TDO out and challenged them to show up at the school, calling them wusses and other names and threatening to “fuck them up.” One student calmly stated that he wanted to become a doctor, and that TDO’s threats were not going to stop him from becoming a doctor.
And while at least some of the students did not appear to be intimidated at all by the bullying and threatening messages they had received, some of the parents were similarly unintimidated, with one woman, likely a mother, leaving a voicemail that said:
“I don’t know who you are, but the shit that you are pulling, it kinda needs to stop, because the messages that you are sending to parents is pretty fucked up. If you have it out for that many children, then maybe you deserve to be in a hole.”
If TDO’s intention was to intimidate the populace and thereby increase pressure on the school district to pay up, uploading voicemails from unafraid parents and students would not seem to be helpful. It’s not clear to DataBreaches.net why the attackers would upload those responsive messages.
Meanwhile, in Washington and district offices….
Earlier this week, DataBreaches.net contacted Kathleen Styles, Chief Privacy Officer for the U.S. Education Department, to ask what the federal agency was doing to help schools protect themselves against these hackers. While federal law does not require K-12 districts to report data security breaches to the federal regulator, the agency is responsible for enforcing FERPA, the federal statute protecting the privacy of student records, and has issued a number of guidances on security and privacy over the past few years.
The agency has not yet provided any formal statement in response to these attacks by TDO, but DataBreaches.net understands from ongoing contacts with the Department of Education that the agency has been working to address the threat and to provide support to schools. This post will be updated if and when the agency does issue some public statement.
But what are the victim districts doing to prepare children that their deepest and darkest secrets that they or their parents shared with the school may be dumped maliciously and become public fodder? DataBreaches.net has sent inquiries to Flathead, Splendora, and Johnston asking whether children are being prepared for what might be a privacy nightmare and what supports the districts have in place should TDO dump the data. This post will be updated if the districts reply.
Need to fix network security, especially Microsoft products