Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

The notorious hacker blackmail gang The Dark Overlord continues its shakedown efforts, now turning its hand to 9/11 conspiracy theories to attempt to compel hacked organizations into giving it hush money, payable in bitcoins.

See Also: Live Webinar: Building Secure Delivery Pipelines with Docker, Kubernetes, and Trend Micro

The modus operandi of the hacking group, which apparently is international, remains unchanged. The Dark Overlord often threatens to leak information or to leak snippets of stolen information - and images - to try to compel victims into sending bitcoins to the group in return for a promise that no more data will get leaked (see: Hollywood Studio Hit By Cyber Extortion Says: 'Don't Trust Hackers').

Already, the group has targeted health clinics, U.S. school districts, software developers and media giants.

On Monday, however, the group began claiming that it was sitting on a treasure trove of 9/11 litigation information. Via Twitter and text-sharing site Pastebin, the group claimed to have stolen documents tied to 9/11 litigation from "dozens of solicitor firms," as well as two insurers - Hiscox Syndicates and Lloyds of London - and real estate developer Silverstein Properties in New York.

In a Monday - New Year's Eve - post to Pastebin, the group claimed to possess gigabytes of data, including 18,000 litigation documents, which it promised to sell wholesale or in batches. It also said it had released samples of the stolen data to the KickAss forum on Tor.

"The good news for you is that we'll be selling these documents for a limited time," the group said via Pastebin. "If you're a terrorist organisation such as ISIS/ISIL, Al-Qaeda, or a competing nation state of the USA such as China or Russia, you're welcome to purchase our trove of documents."

Concurrently, The Dark Overlord appears to have been trying to interest various media outlets in a 2017 hack against a London plastic surgery clinic that it has apparently not yet been able to pressure into giving it bitcoins.

In response to The Dark Overlord's claims, Twitter suspended the group's latest account (@tdo_h4ck3rs).

Even so, the group's bitcoin wallet has received 3.3 bitcoins ($12,500) this week via 13 transfers, some of which may have been from victims.

Hiscox Disclosed Hack

Victims say that The Dark Overlord may, indeed, be sitting on a cache of information tied to 9/11 insurance claims.

Hiscox on Monday said that The Dark Overlord's claims tie to a hack attack against a specialist U.S. law firm with which it works. Hiscox disclosed the data breach in April 2018, although did not say when it occurred.

"The incident involved illegal access to information stored on the law firm's server, which may have included information relating to up to 1,500 of Hiscox's U.S.-based commercial insurance policyholders," Hiscox said in its April 2018 breach notification. "The law firm's systems are not connected to Hiscox's IT infrastructure and Hiscox's own systems were unaffected by this incident."

On Monday, Hiscox said some litigation tied to 9/11 may have been compromised. "One of the cases the law firm handled for Hiscox and other insurers related to subrogation litigation arising from the events of 9/11, and we believe that information relating to this was stolen during that breach," Hiscox says in a statement.

"Once Hiscox was made aware of the law firm's data breach, it took action and informed policyholders as required," it says. "We will continue to work with law enforcement in both the U.K. and U.S. on this matter."

Silverstein Disputes Hack

But Silverstein Properties, which signed a 99-year lease for the Twin Towers prior to 9/11, says it has found no indications that it was hacked, the Register first reported.

"We are aware of claims of alleged security breaches at firms involved in the five-year insurance litigation following the attacks of 9/11, and are conducting an internal investigation based on these claims. To date, we have found no evidence to support a security breach at our company," a company spokesman tells Information Security Media Group.

"We have spent the last 17 years fulfilling our obligation to deliver a magnificent and fully rebuilt World Trade Center," he says. "We will not be distracted by 9/11 conspiracy theories."

Similarly, Lloyd's of London says it has found no signs that it was hacked. "Lloyd's has no evidence to suggest that the corporation's networks and systems have been compromised by the hacker group," a spokeswoman tells ISMG. "We remain vigilant with a number of protections in place to ensure the security and safety of data and information held by the corporation. Lloyd's will continue to monitor the situation closely, including working with managing agents targeted by the hacker group."

Hackers' Fresh Media Press

This week, The Dark Overlord has been sharing with media outlets photographs that it appears to have stolen from a U.K. plastic surgery clinic in 2017, Sky News first reported on Friday. The group's attempt to resurrect interest in the old hack appears to be a public relations maneuver designed to pressure the hacked organization - London Bridge Plastic Surgery - into paying, Sky reported.

After the clinic was hacked, however, it attempted to hack back, sending The Dark Overlord a Microsoft Word document that included an IP address beacon, reported Daily Beast's Joseph Cox in 2017. The effort apparently failed.

In the wake of The Dark Overlord this week attempting to whip up interest in the data it stole from the clinic, a spokesman says that it has suffered no new data breach since the 2017 intrusion.

"In October 2017, London Bridge Plastic Surgery was targeted in a sophisticated cyber attack in which patient data was stolen by a malicious, criminal hacking group known to international law enforcement agencies. We took measures to block the attack immediately and reported the matter to the Metropolitan Police," he tells ISMG.

"All patients were informed of the breach at the time of the attack and were offered support and guidance. "We continue to liaise with the cyber crime unit of the Metropolitan Police, whose investigation is ongoing, and we also worked closely with the Information Commissioner's Office."

The spokesman adds: "We have taken further extensive and robust measures to increase our security in order to protect patient data. Once again, we are saddened by news of the latest threats and we condemn the actions of the individuals responsible."

Victims: Under Pressure

The tactics employed this week by The Dark Overlord are nothing new.

"The group has a history of hacking organizations to obtain sensitive information before demanding money in exchange for not leaking it into the public domain," according to a 2017 alert from the U.K.'s National Cyber Security Centre, which is the public-facing part of intelligence agency GCHQ (see: UK Cybersecurity Center Issues 'The Dark Overlord' Alert).

"They leak snippets of data to the media to encourage them to report on their activity," NCSC said. "This is aimed at 'proving' that a breach has taken place and increases the pressure on the victim to pay the ransom."

At Least One Suspect Arrested

Despite law enforcement eradication efforts, The Dark Overlord has proven tough to stop.

Last May, working with the U.K.'s National Crime Agency and the FBI, Serbia's Ministry of Internal Affairs arrested a suspected member of the group.

Identified only as a Belgrade-based suspect born in 1980 with the initials "S.S.," authorities noted that the group had received at least $275,000 in bitcoin payments from U.S. victims (see: Noose Tightens Around Dark Overlord Hacking Group).

Following the arrest, however, as well as the arrest of a man in the U.K. with alleged ties to the group, an individual with control of The Dark Overlord's then Twitter account (@tdo_hackers) told ISMG: "We're still around."

This story has been updated with comments from Lloyd's of London, London Bridge Plastic Surgery and Silverstein Properties.

Cybercrime , Cyberwarfare / Nation-state attacks , Data Breach

Hundreds of members of the German parliament, Chancellor Angela Merkel as well as numerous local celebrities have had their personal details and other sensitive information leaked online.

See Also: Key Drivers to Enable Digital Transformation in Financial Services

The information, including financial details, contact information, memos and private chats, was leaked in December but only recently spotted.

The leak includes details for German celebrities as well as members of six of the seven main political parties in the Bundestag lower house, including the ruling center-right and center-left parties, as well as The Greens, left-wing party Die Linke and the Free Democratic Party, the BBC reported.

But there's a notable exception: No members of the far-right Alternative for Germany - AfD - saw their personal details get spilled, according to German media reports. It's not clear, however, if that's a clue to the perpetrator's identity or a false flag.

"Whoever is behind this wants to damage faith in our democracy and its institutions," says Justice Minister Katarina Barley in a statement.

It's also not clear if all of the leaked data is authentic or unaltered.

'Immense' Leak

The leaked information was made available online via tweets from a Twitter account, which has now been suspended, that linked to a platform that appeared to be based in the German city of Hamburg.

"The amount of data published is immense," says Hamburg's Data Protection Commissioner, who has been responding to the data leak by cataloging tweets that contain links to the stolen data. The commissioner has been communicating to Twitter as part of its legal request that all such information be removed.

"Even if no information relevant to public safety is concerned, the damage that may be caused by the publication of personal information to the individual concerned is nonetheless significant," the commissioner says.

BSI Investigates

Germany's Federal Office for Information Security, or BSI, is investigating the leak.

"Hacker attack on politicians: The BSI is currently intensively examining the case in close cooperation with other federal authorities," the BSI tweeted on Friday. "The National Cyber Defense Center has taken over the central coordination. According to our current information, government networks have not been targeted."

The data dump included Merkel's email address and fax number, as well as letters she wrote or which were written to her, German news agency DPA reported. One reporter who reviewed the data dump said it also appears to contain numerous private details, including sensitive information about individuals' private lives.

Officials say the data may have been obtained by hackers using stolen passwords to log into email accounts, social networks and cloud-based services (see: Credential Stuffing Attacks: How to Combat Reused Passwords).

"After an initial analysis, much evidence points toward the data being obtained through the improper use of login details to cloud services, email accounts or social networks," Minister of the Interior Horst Seehofer said in a statement on Friday, the Guardian reported. "Currently, nothing points towards the system of the parliament or government having been compromised."

Dump is Massively Mirrored

The information security researcher known as the Grugq says that whoever stole and packaged up the information appears to have done so over a significant period of time. They also went to great lengths to make it difficult to eradicate online copies of the information by mirroring the data in numerous places online, and then creating mirrors of the mirrors, according to the Grugg.

"If I had to guess, I'd say that the leak files were not produced at the same time," the Grugq says via Twitter. "The changes in layout and naming suggest that it wasn't one person in one marathon session creating these. There is variation in the archive passwords too: 123, abbreviations, variations."

At least one German media outlet published links to the stolen information, drawing a rebuke from information security experts.

"Today's German data leak presents a particularly sharp dilemma: It is highly unethical to further publicize access to all the private data of so many prominent, high-interest individuals - but the leak's rollout design is also highly resilient to takedowns," says German political scientist Thomas Rid, a professor of strategic studies at Johns Hopkins University's School of Advanced International Studies.

Follows Alleged APT28 Attack

This isn't the first major information security mishap to occur on the BSI's watch. In 2015, the BSI shut down the parliamentary intranet after discovering it had been infected with spyware.

In February 2018, it admitted that in December 2017, it discovered that for up to a year, hackers had infiltrated the sensitive "Informationsverbund Berlin-Bonn" - IVBB - network used by Germany's Foreign Ministry and Defense Ministry, and planted malware, German public broadcaster Deutsche Welle reported.

The Russian government hacking group APT28 is suspected as being responsible for that attack. The group is also known as BlackEnergy Actors, Cyber Berkut, CyberCaliphate, Fancy Bear, Pawnstorm, Sandworm, Sednit, Sofacy, Strontium, Tsar Team and Voodoo Bear (see: Dutch and British Governments Slam Russia for Cyberattacks).

Reuters, meanwhile, reported that the BSI only learned of the new, massive data dump on Friday, shortly before it was reported by German news media.

Advent Calendar of Leaks

Some information security experts say that the dump of German politicians' personal details, memos and other potentially sensitive data has none of the hallmarks of a typical Russian information operations campaign.

For starters, the dump appeared to be designed to be an "Advent calendar" of big and little leaks, with new data being dumped every day in December up until Christmas via a Twitter account - reportedly followed by up to 18,000 people - before it was suspended.

Initially, at the beginning of December 2018, the account began leaking data for celebrities before switching to politicians on Dec. 20.

"Someone put a lot of effort into this. It doesn't make sense for a Russian op, the timing is way off," the Grugq tweets. "And they'd have been pissed that they got ignored for all of December as they were leaking. It is unusual to do an IO and just wait around until it is found."

Privacy Commissioner Seeks Link Removal

The Hamburg Commissioner for Data Protection says it's been working throughout Friday to legally compel Twitter to excise all links to the stolen data from any tweets. To do so, the commissioner is working with Ireland's Data Protection Commission because Twitter's European operations are based in Ireland (see: GDPR: EU Sees More Data Breach Reports, Privacy Complaints).

But it's not clear yet if any of the links specified by Hamburg's data protection commissioner have yet been removed by Twitter or if the social networking firm will honor those requests.

"We are continuing to investigate this issue and our teams will take action where appropriate," a Twitter spokeswoman tells Information Security Media Group.

"Posting a person's private information without their permission or authorization is a direct and serious violation of the Twitter Rules," she says. "We also recently updated our rules to prohibit the distribution of any hacked material that contains private information, trade secrets or could put people in harm's way."

Breach Preparedness , Breach Response , Data Breach

Major health data breaches added to the official federal tally in 2018 impacted more than twice as many individuals as the incidents added to the list 2017. But the 2018 victim total was far less than in 2016 and 2015, when the healthcare sector was hit with a string of huge cyberattacks.

See Also: Live Webinar: Building Secure Delivery Pipelines with Docker, Kubernetes, and Trend Micro

A Jan. 3 snapshot of the Department of Health and Human Services' Office for Civil Rights' HIPAA Breach Reporting Tool website shows 353 major health data breaches were added to the federal tally in 2018, impacting more than 13 million individuals.

Six of the 10 largest health data breaches posted to the tally in 2018 involved hacking/IT incidents.

The cumulative tally includes 2,533 breaches impacting a total of about 190 million individuals since 2009, when regulators began keeping track as a result of the HITECH Act. Commonly called the "wall of shame," the website lists health data breaches impacting 500 or more individuals.

Breach Trends

Of the breaches added to the tally in 2018, about 43 percent were reported as hacking/IT incidents; those incidents affected nearly 9 million individuals.

The largest of those breaches, reported in November by third-party billing vendor AccuDoc, impacted its client, North Carolina-based Atrium Health, which notified 2.65 million individuals of a cyberattack on databases hosted by the vendor (see Attack on Billing Vendor Results in Massive Breach).

That trend of hacking incidents racking up the biggest victim totals emerged nearly four years ago when health insurer Anthem Inc. reported in February 2015 a hack the previous year that exposed the protected health information of nearly 79 million individuals.

In 2015, 269 breaches impacting nearly 113.3 million individuals were added to the tally, more than any other year. Of those, the Anthem breach, as well as cyberattacks reported by several other insurers, including Premera Blue Cross (11 million victims) and Excellus BlueCross BlueShield (10 million individuals impacted) - racked up the most victims.

By comparison, in 2016, 327 breaches affecting 16.6 million individuals were added to the wall of shame, and in 2017 the tally added 359 breaches that impacted 5.1 million individuals.

"Unauthorized access/disclosure" breaches were the second most common type of breach added to the tally in 2018. About 139 such incidents impacting about 3 million individuals were posted.

In the initial years of the tally, breaches involving loss or stolen records - especially those stored on unencrypted laptops and other computing gear - racked up the biggest victim counts.

But in 2018, about 53 breaches involving losses or thefts, impacting only 726,000 individuals, were added to the tally. Of those loss/theft breaches, 35 incidents are listed as involving unencrypted electronic gear, such as laptops; those breaches affected nearly 112,000 individuals. But the largest loss/theft breach posted in 2018 involved the theft of paper/film. That incident, stemming from a break-in and fire impacting the data of about 582,000 individuals, was reported in April by the California Department of Developmental Services.

The federal tally also shows eight improper disposal breaches impacted nearly 340,000 individuals were added to the tally in 2018. The largest of those breaches, affecting 301,000 individuals, was reported by SSM Health St. Mary's Hospital in Jefferson City, Missouri.

Top 10 Health Data Breaches of 2018

Emerging Trends

Kate Borten, president of privacy and security consulting firm The Marblehead Group, predicts that the top two categories of health data breaches reported in 2018 - hackers and other unauthorized access or disclosures - are likely to continue at the top in 2019.

"The good news is that breaches that are easier to avoid are finally being reduced. It's becoming the norm for all user portables to be encrypted, so that loss and theft of devices and media don't result in breaches," she says. "And more and more organizations and their employees are careful about paper disposal."

Mark Johnson, a former healthcare CISO and shareholder at consulting firm LBMC Information Security, says he's "a little surprised" that there were not more major breaches in 2018 appearing on the wall of shame. "While 343 total, and over 13 million individuals affected, are large numbers, my work with our clients would indicate there are many more attacks ongoing against the healthcare ecosystem," he says.

"This would seem to be telling me that the healthcare industry still is struggles with identifying these attacks. So, I really would have expected more of these rather than less."

Johnson also notes that among the top 10 breaches added to the wall of shame in 2018, several involved business associates. Some 83 incidents added to the tally last year, or nearly 24 percent, involved business associates; they affected a total of 5.8 million individuals.

"This tells me that the hackers have spread their focus from just traditional healthcare entities and are now attacking the entire healthcare ecosystem," Johnson says.

If healthcare continues to get better at identifying these cyberattacks, more data breaches likely will be reported in 2019 and beyond.

"Most would see an increase in reported breaches as a bad thing; I would see it as we are getting better at recognizing the attacks, instead of what feels like under reporting. Hopefully with the 'increase' of breaches, healthcare will start to look at protecting their environments to prevent and protect critical care systems," Johnson says.

"If the healthcare sector continues to treat information security as compliance vs. cybersecurity, then we will see roughly the same number of reported breaches and we will be lulled into a false sense of security, if we haven't already. We will think, 'Well we've plateaued, it's not getting worse,' when in reality, it has gotten much worse."

Healthcare is increasingly directly delivered to patients through internet-connected devices and systems, he notes. "This makes integrity and availability of the care systems far more critical and presents far graver risks than simply exposing the data," he says. "That is why hacking is recognized as the number one risk to patient safety. "