With new school year, federal agencies warn of increased cyberattacks
As another school year begins, children are returning to classrooms, teachers are preparing for their busy season and public administrators are ramping up oversight of educational cyberdefenses. Over the last few years, educational institutions have become focal points for cybercriminals. In a joint statement, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center warned school districts to be ready.
“Over the past several years, the education sector, especially kindergarten through twelfth grade (K-12) institutions, have been a frequent target of ransomware attacks. Impacts from these attacks have ranged from restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information regarding students and staff,” reads the advisory, which was issued Tuesday.
Already, the cybersecurity organizations are actively investigating incidents. Over the Labor Day weekend, for example, the Los Angeles Unified School District, the nation’s second-largest district with more than 640,000 students, was targeted by a ransomware attack that primarily disrupted its email services. Administrators responded quickly, and the biggest setback to normal operations was that all students and staff had to reset their passwords and log back in, creating a bottleneck. Classes were able to resume without delay.
“The decision to resume classes and work was informed by the district’s ability to confirm that our most critical systems were viable. Our student information systems were back up and running within the first two hours of the school day,” reads a statement from the district.
The district credited “the special collaboration and the rapid deployment of resources to our school system by the Federal Bureau of Investigation,” said Superintendent Alberto Carvalho. “We know today was challenging, but the impact of this incident could have been catastrophic if our teams and partners had not responded quickly and decisively, cut off the hacker’s access immediately and worked expeditiously to restore operational capacity.”
In the face of emerging threats like that seen in Los Angeles, federal agencies recommend that administrators across the country take immediate action to mitigate the impact of ransomware by prioritizing and remediating known exploited vulnerabilities, training users to recognize and report phishing attempts, and enabling multi-factor authentication.
Observers have seen an increase in attacks on schools from one group in particular, Vice Society. The joint statement describes it as “an intrusion, exfiltration, and extortion hacking group that first appeared in summer 2021.” “Vice Society actors do not use a ransomware variant of unique origin,” the advisory warns. “Vice Society actors likely obtain initial network access through compromised credentials by exploiting internet-facing applications,” meaning programs or services that are accessible via the internet.
Once inside the system, the cybercriminals are known to spend time exploring the network, identifying access opportunities, and stealing data for extortion before making themselves known. It’s a trend officials expect will continue.
“School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk,” the advisory says. “K-12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers.”