In early 2016, Recorded Future analysts observed a threat actor selling stolen healthcare databases containing patient records on an anonymous hacking forum. The actor, who used the moniker “thedarkoverlord,” would soon make a name outside of the cybersecurity community for extorting high-profile targets and publicly demanding ransom payments to stop the release of confidential data. The group would also slowly release stolen documents—a playbook that has since been copied by a wide range of ransomware purveyors.
In recent years, the group breached multiple healthcare companies and sold data belonging to hundreds of thousands of patients on the dark web. They expanded into attacks on other industries, and caused a stir in 2017 when the group released what was then the upcoming season of the Netflix series “Orange Is the New Black”—the hacker posted on a now-suspended Twitter account that it shared the episodes after the streaming service failed to meet its ransom demands. More recently, the group released several batches of stolen files related to litigation around the 9/11 attacks in an effort to pressure victims into paying a ransom.
Many of the tactics that thedarkoverlord pioneered have since been embraced by the broader cybercriminal community. Ransomware attacks against hospitals that once seemed brazen are now so widespread that a handful of incidents can be reported in a single day. Additionally, cybercriminals are getting more aggressive with their extortion techniques, with at least one in recent months targeting individuals in a breached healthcare database and threatening to release their mental health history if a demand isn’t paid.
Although one UK national was sentenced to five years in prison in September for his role as a participant in the “computer hacking collective known as The Dark Overlord,” according to the Justice Department , little is known about the group’s size and inner workings.
In August 2016, Recorded Future reached out to thedarkoverlord via an encrypted Jabber session asking for additional information about the actor’s methods and intentions. Thedarkoverlord agreed to a 90-minute interview in exchange for an honorarium . Recorded Future used the interview internally for its own intelligence-gathering purposes, but has decided to now make it publicly available given the rise in cyber extortion and attacks against healthcare organizations. The conversation below has been lightly edited for length and clarity.
Thedarkoverlord: Ask away, young padawan.
Recorded Future: Is your nickname inspired by Harry Potter? What originally prompted you to target healthcare records?
TDO: The nickname is not inspired by anything other than a random name generator. Healthcare sector is one of many sectors under attack. Each sector has been given a unique profile and nickname. The illusion is that it is very targeted, when in reality it is one of many sectors under attack. We enjoy and entertain a wide hunting field.
RF: “We?” Are you part of a group?
TDO: The more members a hive possesses, the more processing power and possibilities the hive has.
RF: How do you compromise health care data besides RDP vulnerabilities? Could you describe your high-level workflow for identifying vulnerable targets?
TDO: Do you remember the Dropbox hack a few months back?
The more members a hive possesses, the more processing power and possibilities the hive has.”— A member of The Dark Overlord hacking group in a 2016 interview.
RF: Vaguely. Seventy million credentials or similar.
TDO: I will give you an example of a common approach to lead generation we use. We will compile a large database of email addresses and domain names of known companies and use data points available to sort them into categories. We will then use other services we or others have compromised (such as Dropbox) and crawl the databases for matching email addresses and proceed with password reuse attacks or other low-level and uncomplicated attacks to gain leads. When we find viable leads we then proceed to move into high-level vectors of attacks.
RF: So your targets are relatively easy opportunities?
TDO: They are not necessarily “easy opportunities.” We choose to approach from a vector that allows a more unique infiltration approach. We collect a lot of information on a wide range of businesses and organized entities. We will post process this data to determine what sort of attack surface we have. An example of such would be confirming whether a business hosts their domain on site or not and using web vulnerabilities to get access to their LAN. Oftentimes, this is not a possibility so we often use embedded exploits and use common SE attacks from their trusted email systems. For instance, if we find a corporate email address in the compromised Yahoo database, chances are the same password for that email address is being used for something in their corporate network as well.
RF: So generally you use existing credentials to access a remote application or even a remote network and subsequently deploy local exploits for privilege escalation?
TDO: That is not a general vector necessarily, but it is one of many. We have focused on identification of corporate rosters as well for furthering our surface to attacking their less secure personal machines and spreading locally when they are found in their place of business. We recently hit a large O&G [oil and gas] company using this method. If we can identify a corporate roster, we can often attack them personally through an email attack or something similar. Humans are far more relaxed in their home domains than their work domains. Very little consideration is given for personal devices in the work environment. Most of this vector is relatively automated, in terms of lead generation. We will often run large email campaigns to build a botnet and track their IP locations to determine if they work somewhere that may be worth further investigation. We prefer to use big data analysis and metadata analysis to build our portfolio.
RF: Have you ever deployed a watering hole knowing that one of your targets visits a particular website with some frequency and you can redirect them?
TDO: Many times. We sourced a vendor for compromised Cisco routers that has proven useful for this. We have many rooted environments on many Cisco routers that are useful for these MITM [man-in-the-middle] attacks.
RF: Are you using the router to redirect to your exploit site?
TDO: In some cases, it has been done. We are experimenting with creating virtual environments on specific routers and redirecting all traffic for storage. The main benefit is post analysis of unencrypted communications. Our vendor has been very helpful in providing bulk shells, but has remained vigilant in protecting their operation methods.
RF: How much does your vendor charge? Can you specify the target network or does the vendor only sell pre-existing shell access?
TDO: Price is dependent on volume. Given how many units he has available, we often request for specific IPs and he has many of them. We will send him our compiled lead IPs and he will cross-reference with his available stock. We often buy via blocks of IPs as well. A single shell is usually $20. Further pricing is really dependent on volume. Sometimes only a handful will be available in a block, other times a hundred or more. We have negotiated prices as low as $1 for each shell. We have been experimenting with real time data exfiltration through duplication and redirection.
RF: In your experience, how do the major industries like healthcare, financial services, energy, retail, and government stack up in terms of security?
TDO: Terrible. Government and healthcare are the worst, of course.
RF: Do you ever target other types of sensitive information like quarterly financial results before they are publicly released?
TDO: I cannot answer that question. That is a question in regards to a sector I cannot speak about with you.
RF: Ok. What is the average time between exploiting a database and locating a buyer for that database?
TDO: How soon can our clients come online? We have an established client base so we push product fast. It depends on if we are extorting a target or not. We will hold sales if a target is being extorted.
RF: Which industries tend to pay up?
TDO: All of them. We operate on a success ratio of about three out of five across the board. Generally, healthcare pays up the least.
RF: How long have you been in this business? Do you have a profit goal and/or timeline?
TDO: Are you asking about myself or the hive?
TDO: I can answer neither
RF: Do you believe Tor + VPN (or proxy chain) is sufficient to evade law enforcement?
TDO: I cannot answer that question either… I will say this: The only way to surely evade law enforcement is to choose your targets carefully and maintain residency in a jurisdiction that will not extradite and who is out of reach from the country whom you are attacking.
RF: Why do you sell on the Real Deal vs. another forum? Do you sell on other forums? [Editor’s Note: The Real Deal was a dark web marketplace that has subsequently shut down.]
TDO: We sell on other forums under many different pseudonyms. We often reformat products and push under obscure terms.
The only way to surely evade law enforcement is to choose your targets carefully…”— The Dark Overlord.
RF: How important is a consistent brand for sales vs. using different pseudonyms?
TDO: Our aliases all have outstanding reputations. Consistent brand has its advantages and disadvantages.
RF: Is the market for large-scale personally identifiable information growing or shrinking? Are U.S. databases the most valuable?
TDO: American and Canadian databases are most valuable. The market is growing substantially.
RF: Is the hive recruiting?
TDO: We do not openly exist. If you are a part of the collective, you were chosen.
RF: Are you available for hire if I need information from a specific database?
TDO: Most often, no. This is a great way to reveal techniques and fingerprints if the target is a honeypot. Regardless, the price would have to be very substantial. Otherwise, it is a waste of our time.
[At this point, TDO shares a data table related to the “Hell” hacking forum, which had recently relaunched following rumors that its founder had been arrested.]
RF: Could you provide a few rows of data from the table?
TDO: Apparently the Hell community logged all searches on the forum as well. I have all the tables, which one do you want data from?
RF: Private messages
[TDO dumps data on private messages, including conversations about transactions, two-factor authentication, and exploits.]
TDO: It seems most did not use PGP.
RF: Why do you think most don’t even though they know the risk of unencrypted communications?
TDO: I cannot speculate about the intentions or actions of others. Hell and TRD were easy targets to exploit. These private messages are so interesting. Lots of data I am sure law enforcement would want.
RF: How do you know that law enforcement wasn’t running it in the first place?
TDO: I cannot answer that question.
RF: Given the wider adoption of EMV [a payment method involving chip cards] it appears that card-not-present fraud is the only viable path for large-scale fraud now, but CVV is a cheap commodity. Does that make your commodities more valuable?
TDO: It does.
RF: What’s the most common monetization path for large-scale PII?
TDO: It varies. Some of our clients have approved resale of our records as long as they are not being resold to a known entity who utilizes them the same way. Fraudulent insurance claims, tax refund fraud, fraudulent bank accounts for drops, opening fraudulent lines of credit, large-scale email spam campaigns, etc. Having the SSN [Social Security number] and an email address are very valuable because a victim will be more convinced when confronted with their own SSN.
RF: Do you often need to write your own tools or do off-the-shelf tools generally suffice?
TDO: We have written a variety of tools for various purposes. You are compiling all this data for an internal report?
RF: Unsure—at the moment, I’m interested in learning. Do you have a white hat day job?
TDO: To waste my life making a few dollars an hour?
RF: Why is it a waste if you enjoy it?
TDO: I cannot answer that question. “Many patients are upset and frustrated with the situation …,” Kayo Elliott, CEO of Athens Orthopedic Clinic, said in the statement. “And of course, they wish we could pay for extended credit monitoring. So do we. We truly regret that we are unable to do so, as we are not able to spend the many millions of dollars it would cost us to pay for credit monitoring for nearly 200,000 patients and keep Athens Orthopedic as a viable business. I recognize and am truly sorry for the position this puts our patients in.”
If only poor Kayo would have cooperated with us, he would not be in this position. I believe this is grounds for a class-action lawsuit. [Editor’s note: More information on this incident can be found here.]
RF: But if Kayo pays then he is incentivizing more of this isn’t he?
TDO: He would not be incentivizing more of this from us.
RF: Right, but he would have to trust that you won’t divulge that fact that he paid up; for all he knows you’re going to share the information with others who may decide to target him on their own.
TDO: We discussed the issue with him over the phone. He insisted on stringing us along and it has really hurt his business as a result. I cannot discuss this matter any further.
We do not openly exist. If you are a part of the collective, you were chosen.”— The Dark Overlord.
RF: If the roles were reversed would you pay?
TDO: I cannot comment on that.
RF: How did you get started? Are you self-taught?
TDO: I cannot answer that question.
RF: Does the hive have much competition?
TDO: We do not view things in terms that would define a competition. The world is a big place. We often run into footprints of other groups, but we see they often cannot profit off their adventures.
RF: Why have you given public interviews?
TDO: A few of us have given some acting as the collective. There has always been a plan with each.
RF: Doesn’t that create unnecessary law enforcement interest in the hibe, or is it worth it to build the brand?
TDO: You are misunderstanding the motives. I cannot clarify them for you.
RF: Ok. Thank you for your time today, I appreciate it. I hope we can do it again some time.
TDO: Perhaps. Our TRD account is being closed. The admin is out on injury.
RF: Can I reach you anywhere else?
TDO: No. This was a burner Jabber account made just for you.
TDO: [pastes rows apparently from a victim healthcare database]
I will leave this for you. Something to keep you busy chasing around.
[pastes additional rows of victim PII]
RF: Should I be watching for news of it in the near future?
TDO: You can chase it down if you want to. It may not make the news unless we allow it. And with the last two lines sent to you, I must be going now.