Cybercrime Case Analysis

An analysis of the hacker group TheDarkOverlord and the cyberterrorism charges proposed against it, as it relates to cyber law and the classification of routine cybercrime.

Taken as a whole, the case appears to be nothing more than extortion through malware, something that happens daily on the internet. The clear signs of this are the attackers demanding money in exchange for not releasing PII and confidential information such as email correspondence between faculty, a pattern common in ransomware attacks, as noted by Zuly Gonzalez, who is quoted at the end of the Naked Security article (Vaas, 2017). The factor that earns this incident a cyberterrorism label is that the attackers threatened the lives of the faculty, parents, and students of Flathead Valley schools, something that, if carried out physically, would be considered an act of terrorism. They went as far as comparing the school district to Sandy Hook, and given the history of attacks like Sandy Hook in our country, these threats must be taken seriously; because of this, I do believe the attack was a form of cyberterrorism.

Even with cyberterrorism removed from the equation, TheDarkOverlord Solutions still violates numerous laws designed to protect against these types of attacks. For starters, one must note that school boards and school districts are under the direct jurisdiction of the United States government, with school board officials selected through state elections. This would classify any school computer or server as a government machine, or, in the CFAA's terms, a "protected computer." While TheDarkOverlord Solutions does not meet the elements of any direct felony charge (mostly because those pertain to national security information), it does specifically violate numerous misdemeanor provisions outlined in 1030(a)(2) and 1030(a)(3), to name two examples (Mann). At the state level, Montana has no law specifically designed to combat ransomware and computer extortion (as of July 2021) and would therefore have difficulty prosecuting TheDarkOverlord Solutions on that charge, despite it being the one this case most closely represents. At the national level this is no problem; however, following this incident, the state would benefit from the development of such laws (Greenberg, 2021).

Given the extent of the captured data that TheDarkOverlord Solutions claimed to have, the first thing that comes to mind is that the attackers must have had some sort of root access. This could have been obtained either through an artificially created backdoor or through someone giving them the information they needed. On the malware side, a Trojan comes to mind, since that class of malware exists to give an attacker a means of accessing the computer and selecting which data they specifically want. This would have given the attackers the means to acquire the data they then used to extort the Flathead Valley school district. The other means of acquisition that comes to mind is a simple phishing scam or another form of social engineering, in which they obtain employee login credentials that in turn give them access to the server. I believe this theory can be ruled out, however, because of the extent of the data collected, which is said to have ranged from email correspondence to student health records and student/parent PII records, an extent that would be harder to obtain through limited server access from overseas (Vaas, 2017).

I believe that while the privacy of United States citizens would have been violated had TheDarkOverlord Solutions released PII data for Flathead Valley citizens, the group would not have specifically violated the Privacy Act of 1974. In reviewing the amended 5 U.S.C. § 552a as published by the Department of Justice, the wording of the act states that it was designed to protect against United States government agencies housing and releasing PII data without the consent of the citizens affected (Privacy Act of 1974, 2021). Were this a rogue operator out of the NSA, the Privacy Act of 1974 would have been violated, and numerous citations could be drawn between its provisions and the crimes committed. However, because the operators involved originated from overseas, while simultaneously threatening acts of terrorism, I believe that, given the act's specific wording, the Privacy Act of 1974 cannot be invoked.

There exist two ways to view this scenario: one in which the attackers are evaluated, and one in which the state is evaluated. My understanding of TheDarkOverlord Solutions tells me that, based on their behavior and their use of evidence as a means of extortion, they would not even consider releasing information on the existence of child pornography but would instead use it to blackmail the owner; however, that is not what the question asks. If TheDarkOverlord Solutions were a grey-hat collective, they could leak the information as a means of making it public. This would both allow the community to become aware of the owner's actions and allow the public to take matters into their own hands, but it would also allow the police, under the Fourth Amendment, to seize it as evidence. The seizure of such evidence would not constitute a case on its own but would instead be wrapped into the case against the hackers; as in a normal investigation, a forensic analyst would need to make sure the files had not been altered by the attackers and verify that they were originals coming from the person working within the school system. Once this has been verified, the material could be admitted as evidence in building a new case against the person who originally had ownership. While I do not believe this specific evidence could be used in an open-and-shut case against the offender, I believe it could at least open a case against that person, which would then lead to more evidence being uncovered.

References

Greenberg, P. (2021, September 8). Computer Crime Statutes. NCSL Research. Retrieved October 27, 2021, from https://www.ncsl.org/research/telecommunications-and-information-technology/computer-hacking-and-unauthorized-access-laws.aspx.

Mann. Summary of Computer Fraud and Abuse Act, 18 U.S.C. § 1030.

Privacy Act of 1974, 5 U.S.C. § 552a (2021). https://www.justice.gov/opcl/privacy-act-1974

Vaas, L. (2017, September 22). Hackers Hold Entire School District to Ransom. Naked Security. Retrieved October 27, 2021, from https://nakedsecurity.sophos.com/2017/09/21/hackers-holds-entire-school-district-to-ransom/.