No one knows who is behind the hacker collective, but hospitals must be prepared to fight these self-described “savage creatures.”
The first tweet that the Dark Overlord sent to a small chiropractor in Poughkeepsie, New York, read: “We’re watching you. Make the right choise [sic].”
By the next day, it was too late for choices. The hacker group had publicly named the practice and claimed to possess all its patient information. The chiropractor, the hackers said, had “rejected our most handsome proposition.”
The pattern is typical of the Dark Overlord: Choose a vulnerable target, steal its data, announce the theft, and demand payment via Bitcoin. If the victim does not pay, the group threatens to release the information or sell it on dark web exchanges, the anonymous underbelly of the internet.
A mythology has come to surround the group, which perpetuates the lore, sometimes by tweeting ominous religious passages. In one extortion letter, it claimed responsibility for “some of the most serious breaches and security violations in the last year.”
The Dark Overlord punches above its weight through strong branding, a focus on terrorizing its victims, and a deliberate press strategy. Although relatively small compared to the $4 billion in global damages wreaked by the WannaCry ransomware attack, its successes show why healthcare organizations of every size must ready their cyber defenses.
The electonic theft of medical records, including health and financial data, appeals to hackers. Among all industries, healthcare suffered the second largest number of data breaches in 2016, according to Symantec’s Internet Security Threat Report. (Strict reporting rules may have affected the ranking.) Last year, healthcare organizations reported roughly 130 breaches that burned as many as 3.3 million people.
The average cost of a data breach is $7.4 million, including customer loss and the costs of notification and remediation, according to an international study of 419 companies across all sectors. Medical information is especially attractive to thieves, experts said, because of its long shelf life and high value. “The chance of being able to run fraudulent activity around them is higher,” said Waylon Krush, CISSP, CISA, who is CEO of the security company Lunarline.
Patient records fetch better prices than other personal information does, experts noted. It is “high payoff,” Krush said. “[Hackers can] try to get to prescription drugs or trick the government into paying for different healthcare activity may not have happened.” He mentioned a long-running, lucrative Medicare scam in which fraudsters used member information to get the government to pay for unnecessary powered wheelchairs.
Money-making schemes go beyond fraudulent billing, said Stan Banash, MBA, chief information security officer at Children’s Hospital of Orange County in Orange, California. “If [a hacker] has medical records for famous people, you can sell those because there’s always someone willing to buy dirt—medical conditions people find embarrassing and don’t want public. There’s a possibility for extortion,” he said.
If a credit card number is stolen, Banash pointed out, credit card companies and banks can kill the card and issue a new one. “It’s not the same with a medical record. If you have a genetic condition, you can’t change that,” he said.
The person or person behind the Dark Overlord are unknown, but its victims sometimes tend toward the higher profile. They include Hollywood production studios and public school districts—and healthcare institutions, on which the group first cut its teeth. Its targets range in size from a California eye doctor to large clinics and insurers.
Healthcare Analytics News™ attempted to contact several targets but did not receive responses.
The Dark Overlord reached national notoriety in December 2016, when the group broke into the server of a Hollywood postproduction studio and nabbed 10 unreleased episodes of the Netflix series Orange Is the New Black. Hackers demanded $50,000 in Bitcoin for their return. The group’s largest healthcare job, meanwhile, may be its haul of 9.3 million patient records from what it called “a large insurance healthcare organization in the United States.” After the company refused to pay, the Dark Overlord offered the records for sale on a dark web marketplace.
To pressure healthcare hacking victims, the Dark Overlord has promised to embarrass famous patients. After attacking a London-based plastic surgeon, the group threatened to release before and after photos of patients, which allegedly included British royals and celebrities. In November 2016, the group threatened to release the records of college and professional athletes who attended an orthopedic clinic in Atlanta, Georgia.
The Dark Overlord’s method of getting payouts for patient data is more personal than that of other cyberattackers. In a ransomware attack, a malicious actor breaks into a network and locks the victim’s data, and then offers a key to unlock it—in exchange for payment. Interaction between attackers and targets can be as brief as transmitting the ransom and, depending on the reliability of the hacker, receiving a decryption code.
Unlike the Dark Overlord’s victims, who seem to be intentional, ransomware targets are often random. In May 2017, the WannaCry ransomware attack affected 200,000 computers across 150 countries, temporarily crippling the United Kingdom’s National Health Service and resulting in an estimated $4 billion in losses. WannaCry was self-propagating, spreading via email as viral malware. The attack probably was not intended to target large institutions, considering the Bitcoin ransom price was about $300, according to experts.
Victims know immediately when they have fallen prey to ransomware. They find their systems locked and unusable, their screens displaying a countdown clock and an address accepting Bitcoin payments. In contrast, the Dark Overlord’s victims may not realize they have been hacked until they receive a taunting email, like this extortion note sent to one school district: “If you receive a message from us, it means you have been completely and thoroughly attacked and breached by an organised entity of creatures who are motivated only by their love for internet money,” the Dark Overlord wrote. “We are savage creatures who do not discriminate. We prefer to prey upon the likes of institutions such as your own, but not because we have anything against children, but rather for much more interesting reasons which you will soon come to understand.”
Hackers then reportedly used the seized data to send threatening text messages to parents and students, forcing the temporary closure of 8 schools.
Ryan Kazanciyan, chief security officer at the cybersecurity firm Tanium, called the Dark Overlord’s extortion attempts “less common than classic ransomware campaign or other forms of extortion, like denial of service attacks.” The Dark Overlord’s direct approach involves more unknown factors. “How do we know [the attacker has] the data? How do they know we’ll comply with demands?” Kazanciyan said. “When you think of the economics of cybercrime, you need consistency.”
Healthcare must bolster its defenses against all cyberattacks, including those from the Dark Overlord. The spike in the rate of healthcare hacks, however, might be due not to poor industry standards but, rather, to greater security awareness. “The increased popularity of ransomware has made breaches more visible,” Kazanciyan said. “Stealing and selling data on the black market can sometimes be silent.”
Krush echoed Kazanciyan’s conclusions: “Until fairly recently, most healthcare organizations didn’t even know if they experienced a breach. They weren’t investing in security and had no response capability.” Now, institutions know when they have been hit.
Healthcare must first focus its everyday efforts on solving the problem, according to Banash—and he should know. “We get attacked on a daily basis,” he said. “Our network is being probed a dozen times or more a day by people doing reconnaissance.” Aging, unsecured medical devices offer hackers a particularly dangerous window through which they can jump to other locations on the same network. Those devices can also, if locked with a ransomware attack, be crippled and unavailable for patient treatment, which happened to the British National Health Service during the WannaCry attack. Hospitals must focus on protecting these high-cost, heavy-duty devices, experts said.
In this age of consolidation, healthcare organizations may also benefit from inspecting their systems before linking arms. “One company can inherit malware and existing breaches from the other,” Kazanciyan said. “In other cases, you’re taking 2 mismanaged, insecure environments and combining them, creating something that’s even more insecure than the sum of its parts.”
The first step to strengthen cybersecurity? “An accurate and up-to-date inventory,” according to Kazanciyan. Tech specialists must maintain computing devices, operating systems, and software, keeping them updated and patched. Both the Dark Overlord and WannaCry attacks took advantage of vulnerabilities in older operating systems that their owners had not updated or addressed.
But before anything, healthcare groups must realign their budgets to support their cyber defenses. “The mind-set has been [that] every dollar put into security is being taken away from patient care, but there is a line where underinvesting in security can have a real effect on patient care,” Kazanciyan said. “Security isn’t just to check a HIPAA compliance box; it’s also to prevent catastrophic effects on patient care.”
Although the Dark Overlord's targets tend to be small practices, large organizations face the same threat and corresponding challenges, experts say. The hacking group typically exploits long-standing vulnerabilities in old systems, and more of these may exist in a bigger institution.
“Ten times the number of computers means hundreds of times the levels of risk,” Kazanciyan said. “It’s basic system management: knowing what computers are on the network, what software they’re running, how they’re allowed to communicate with each other. With large healthcare orgs, that doesn’t necessarily go away.”
And the danger posed by the Dark Overlord and any number of similar hackers is not going away, either.