The attempted infiltration of some school districts, including Miami-Dade’s, was aimed at stealing Social Security numbers and other ID info but also at trying to access state voting systems, says a cybersecurity firm.
June 18, 2017
By Kyra Gurney
The operations center at UDT, the cybersecurity company that investigated the attempted hackings.
Two months before the U.S. presidential election, international hackers slipped into the computer systems of at least four Florida school district networks in the hopes of stealing the personal data of hundreds of thousands of students.
They infected the systems with malware — malicious software — that turned off the logs recording who accessed the systems, according to UDT, the Doral-based cybersecurity company that investigated the incidents. For three months, the hackers probed the systems, mapping them out and testing their defenses. At one point, they even posted photos of someone dressed as an ISIS fighter on two school district websites.
They weren’t just looking for the names of kids and valuable Social Security numbers, UDT found. The hackers were also searching for some way to slip into other sensitive government systems, including state voting systems.
Luckily, the hackers — from Morocco, not Moscow — never found one or managed to get their hands on personal data. But the attempted hacking exposed the vulnerabilities of Florida’s school district networks: vast computer systems that store sensitive information on thousands of students, and their parents, and could potentially provide a back door into other government systems. Amid the national obsession with the alleged Russian hacking during the U.S. election and the constant stream of headlines on corporate data breaches, like the ones at Target and Chipotle, experts say the dangers of cyber attacks targeting school districts are being overlooked.
School districts around the country have been hit with cyber attacks in recent years.
In 2015, for example, the computer system of a New Jersey school district was held for ransom by a foreign hacker who demanded 500 bitcoins — about $128,000 — to hand control of the system back to school administrators, according to the technology news site FedScoop.
In a separate incident that year, three high school seniors in New York were accused of hacking into their school’s computer system to change grades and schedules.
And in Florida, state standardized testing was interrupted in 2015 when hackers overwhelmed a testing vendor’s server with traffic, making computer screens go blank. Students in Florida, like their peers in other states, have also broken into school servers to change grades.
Verizon’s 2017 Data Breach Investigations Report, which provides a snapshot of cybersecurity incidents across the country, recorded 455 “security incidents” in the education sector last year.
There are hackers — like students seeking to change grades — who specifically target schools. But in most cases, they aren’t after a particular government agency or company, said Mike Sanchez, chief information security officer at UDT. “Unless they have a real motivation to bring you down, they’re looking for the low-hanging fruit, they’re scanning for vulnerability,” Sanchez said.
And for hackers, school networks are a gold mine.
A large school district like Miami-Dade, which was one of the districts targeted in the attempted hack last fall, handles the personal information, including Social Security numbers, of hundreds of thousands of current and former students, along with data on thousands of employees and parents.
Unlike corporations with trade secrets and data to protect, many school districts have set up systems to make connectivity easy. With free Wi-Fi in school buildings and a generation of students glued to their smartphones, there are thousands of opportunities for a hacker to gain access to a school network. Students downloading free apps on their phones or hopping from one school computer to the next can spread a computer virus faster than the flu during flu season.
“There’s always this want to have open access and it is a learning environment so some things that corporate America does just by rule we wouldn’t apply in an education environment,” said Paul Smith, the Miami-Dade school district’s director of data security. “We’re talking hundreds of thousands of devices on our network. That’s one of the challenges that we face.”
And the data school districts handle is particularly valuable to cyber criminals.
“If you’re trying to steal identities or cobble together identities, if you can get a person’s name, date of birth, home address, you’re starting to get a fairly complete record,” said Michael Kaiser, the executive director of the National Cyber Security Alliance. “Think of the things school districts have — it’s more than many businesses.”
Students’ Social Security numbers are particularly valuable, said Yair Levy, a professor at Nova Southeastern University who researches cybersecurity.
“High school kids, almost all of them have a very clean slate when it comes to credit scoring. So they’re trying to gain access to a large volume of teenagers’ [information] that can help them down the road,” he said. “These guys have time. They’re willing to wait a year, two years before they can actually monetize that data.”
And on the dark web, these Social Security numbers sell for $25 to $35 apiece, Sanchez said. The information from just one school could easily be worth more than $10,000.
HACKERS DRESSED AS ISIS FIGHTERS
That appears to have been one of the principal motivations for the hackers who sent malware to Florida school districts last fall — the promise of thousands of untarnished Social Security numbers.
The attacks began with an email message containing an image that, once clicked, activated a code that sent malware into the system.
The malware went undetected for several months as the hackers conducted reconnaissance, according to UDT.
Then in November, a photo of someone who appeared to be one of the hackers dressed as an ISIS fighter went up on a school district website. It stayed there for about 24 hours. The following month, the same photo flickered onto another school district’s website.
The districts contacted UDT, and in early December the company discovered the malware.
What they found was troubling.
The hackers had been able to turn off the logs recording who entered certain computer systems and what they did while logged on. That made it difficult for the UDT analysts to know, with total certainty, what the hackers had done. It was a sophisticated maneuver that Sanchez and his team had never seen before.
UDT contacted the FBI and re-engineered the malware so it was no longer a threat. The analysts found no evidence that any data had been taken. The FBI declined to comment on the incidents or on cyber crimes in general.
Smith said Miami-Dade was one of the districts targeted in the attempted hack, but UDT would not identify the other school districts. The hackers also targeted a Florida city network with a similar attack.
In Miami-Dade’s case, Smith said, the hackers put one of the ISIS-inspired photos on a school district website, but Miami-Dade didn’t find any evidence of malware or access to its computer systems. “I would say if anything, it was an attempted hack,” Smith said. “But it was raised up to law enforcement and we did go through all the systems.”
SEARCHING FOR STATE VOTING SYSTEMS
As UDT conducted its investigation, the company learned that Social Security numbers weren’t the only thing the hackers appeared to be after.
On a site hackers use to brag about their exploits, the hackers said they were trying to get into voting systems hosted by Diebold voting platforms. They wanted to bring down what they thought were state voting systems.
But in this case, the hackers did not appear to be Russian. Instead, UDT identified them as a Morocco-based group called MoRo. UDT said there is no evidence the hackers had any connection to the Moroccan government.
The Moroccan hackers were far from the only ones trying to access election systems last fall. Russian hackers tried to break into the computer systems of at least five Florida county elections offices days before the 2016 presidential election.
By the time the Moroccan hackers posted online about voting systems, in December, the election had come and gone. The hackers never found what they were looking for. But their message was clear, Sanchez said. If they wanted to, the hackers could get into school district systems. And once they get into one government network, cybersecurity experts say, it’s easier for hackers to find a back door into others.
“That is a very common tactic,” Kaiser said. “A school district network almost likely is attached to other networks in the town or city or even the state, depending on how the network is set up.”
For example, a hacker could steal the log-in information for a system administrator who also has access to other government networks, Kaiser said, or use that person’s email account to send emails infected with malware to government employees at other agencies, tricking the recipient into believing the sender also works for the government.
“There are a lot of different techniques that they might use in that situation and getting into the network opens all of that up,” Kaiser said.
Sanchez from UDT said that in mapping out school district networks, the company has discovered connections between school computer systems and different county and city systems. The connections are easy for school districts, “caught up in the day-to-day stuff,” to miss, Sanchez said.
“Sometimes the school districts don’t have all of the right tools in place or the right knowledge to map out these networks,” he said.
It’s impossible for school districts to protect against every potential threat, experts say.
For one thing, everyone from the cafeteria worker to the school principal has access to at least some student information.
In 2014, a fired Miami-Dade schools cafeteria worker was sentenced to almost seven years in prison for stealing the personal information of hundreds of students from a school computer network and using it to commit income-tax fraud. A few years earlier, a Broward Schools employee was sentenced to five years in prison for selling teachers’ Social Security numbers and dates of birth to identity thieves.
School districts also typically have tight budget constraints, which impact their ability to hire a big enough cybersecurity team and pay for the necessary tools to protect school networks.
“Security is always a tough item in the budget because a lot of it is proactive,” Smith said. “A lot of it isn’t things that you see huge benefits or direct results from. It’s almost like insurance. You’re buying it hoping that you’re going to prevent things in the future.”
Miami-Dade has a team of six people focused just on cybersecurity, and another 20 who help with cybersecurity issues in addition to other tasks.
The district has dumped older operating systems and applications that are difficult to secure and added new tools to identify where attempted hacks are coming from, said Debbie Karcher, the district’s chief information officer. Miami-Dade has also made an effort to educate employees and students about cyber threats, Karcher said, and even offers cybersecurity programs at some high schools.
“People need to become acutely aware that their digital security is as important as their home, valuables in their home,” Karcher said. “They take great care to lock their homes, lock their cars, but then they’ll click on emails that they don’t recognize the sender, they don’t use good passwords.”
The district has also restricted the data employees have access to in order to prevent breaches like the ones carried out in the past by unscrupulous employees, Smith said.
But, like any large organization, Miami-Dade still worries about cyber attacks. “As far as breaches through our data systems, we haven’t seen evidence of that on our side,” Smith said. “That’s always a big fear. We hold every student’s [personal information].”
It’s a worry Sanchez wishes more school districts shared. To effectively prevent cyber attacks, he said, administrators first have to recognize the seriousness of the threat and prepare their employees accordingly.
“Sometimes I just scratch my head and think, ‘Are these people asking the right questions or do they just not want to know? Is it safer not to know?’ I think for me we’re messing with kids’ information. Little Johnny, by the time he finds out his credit is ruined, it’s too late.”