Cyber Security Expert Sheds Light on Hackers’ Motives, Strategy

New details on the high-profile international cyber criminals threatening the Flathead Valley

By Dillon Tabish
Students and community members arrive at Columbia Falls High School for a community meeting on Sept. 18, 2017, as law enforcement officials and school administrators address concerns about recent cyber threats. Greg Lindstrom | Flathead Beacon

When Zuly Gonzalez received a phone call from Montana asking about a cyber hacker known as the Dark Overlord, she unfortunately knew what to expect.

Gonzalez, the co-founder and CEO of Maryland-based cyber security firm Light Point Security, has become all too familiar with the notorious international cyber criminal, or group of cyber criminals.

In a conversation with the Beacon Tuesday morning about the recent cyber extortion case threatening Columbia Falls and the surrounding Flathead Valley, it only took a few questions before Gonzalez recognized the tactics.

“This is their MO,” she said. “This is what they do and what they did in the past with Netflix and others … It fits their way of doing business.”

A hacking organization calling itself TheDarkOverlord Solutions has been threatening schools and families in the Flathead Valley over the last week, first by sending vile electronic messages to school officials and then by contacting families in Columbia Falls specifically with graphic death threats. The group successfully infiltrated the Columbia Falls school district server and stole personal information, as well as addresses and medical records, for past and present students, staff and parents, according to law enforcement.

More than 30 schools across the valley closed for three days, and numerous activities and events were canceled through the weekend, before classes resumed Tuesday under heightened security.

Authorities, including the FBI, have been working around the clock investigating what they are calling a highly sophisticated cyber incident, and on Monday night Flathead County Sheriff Chuck Curry released a ransom letter that was sent to the Columbia Falls school board and superintendent. The group is seeking payment via bitcoin, a cryptocurrency and form of digital payment, to end the threats and prevent the release of personal information. Authorities are strongly advising people not to pay the ransom or engage in conversations with the hackers.

Gonzalez, a former cyber security specialist for the National Security Agency, echoes law enforcement’s advice, discouraging anyone from following the criminals’ orders.

“If we prove that we’ll pay a ransom … they know that and will come to attack us over and over again,” she said. “Once you pay the money and prove you’re willing to give in, you have an even bigger target on your back.”

“Obviously you never trust criminals,” she added. “And in this case, (the Dark Overlord) has proven that even if you give them money, there’s no guarantee that they will honor their word.”

The Dark Overlord is well known in the cyber community and is becoming a familiar name in the mainstream consciousness due to several prominent breaches. The identity and location of the organization remain a mystery, though law enforcement is confident they operate overseas. Their actions are sinister in nature and increasingly problematic.

Last year the organization hacked Netflix by breaking into a server and stealing episodes of a popular show and threatening to release the episodes early unless payments were made. A firm associated with Netflix paid, but the hackers still released the episodes.

Other similar instances of breached servers have popped up across the country at an alarming rate. The Dark Overlord is purportedly responsible for hacking into several high-profile health care institutions in recent years and stealing millions of hospital records and Social Security numbers. The hackers then try to sell the information back to individuals or institutions.

Defending against hackers remains as complicated as ever. Sometimes hackers can infiltrate a personal computer by sending malicious attachments or links that download viruses and ransomware onto a computer, compromising everything inside.

But highly skilled hacking organizations like the Dark Overlord tend to seek bigger targets, such as servers, that contain large amounts of valuable information.

“Ransomware is becoming more and more commonplace,” Gonzalez said. “It’s become popular because people are paying the ransom, and it’s become a very lucrative tool for cyber criminals. That’s because the amount of money that the criminals usually ask for is low enough that people are willing to consider paying the money and get the info back and move on with their lives.”

Gonzalez acknowledged that the Flathead Valley incident is unique to a degree compared to the Dark Overlord’s past behavior. If, in fact, the recent threats are from the well-known hacking organization, it’s the first time death threats have been made as part of the extortion, Gonzalez said.

“As far as I know, I’ve never heard of them actually threatening anybody’s lives, especially children,” she said. “So this is a first that I’ve heard. Usually these groups aren’t really designed to do that type of stuff.”

Gonzalez said it is very rare, if not unheard of, for hacking organizations to carry out violent threats, especially since most of these cyber criminals are not in the U.S.

“They’re not in the U.S. They don’t go around killing folks. They’re trying to steal information and make money from that,” she said.

But as a parent, she said she completely understands any fear someone might have resulting from the threats.

“It’s a horrible position to be in,” she said.

So why did the international hackers target this relatively obscure corner of Montana?

“The reality is they probably didn’t target the school at all,” Gonzalez said. “The way these folks work, they’re just out looking for stuff on the web, things they can exploit, and when they find something they go after it.”

Gonzalez predicts the hackers sent out ransomware en masse and somehow found a local vulnerability.

“It’s usually not a purposeful, planned attack,” she said. “They’re just looking for low-hanging fruit, and if you’re not protected and don’t have the right defense in place, they will go after you.”

For more information about cyber security measures, visit www.lightpointsecurity.com.
