Recently, the hacking group TheDarkOverlord has been targeting K12 schools: gaining access to networks, stealing data, and attempting to extort money. In response to the hacking and extortion threats, the U.S. Department of Education has issued an advisory to K12 schools and has provided advice to help educational institutions mitigate risk and protect their networks from attack.
The attacks on schools by TheDarkOverlord in recent weeks have seen the threats escalate. Previous attacks have seen organizations threatened with the publication of sensitive data. The latest attacks have included more serious threats, not just against the hacked entity, but also against parents of students whose data has been stolen. Some parents have also received threats of violence against their children, as have schools.
While some healthcare organizations – and law enforcement agencies – have said the threats of violence and attacks on the schools are not credible, the hacking and extortion threats are of great concern. Threats of violence aside, the publication of sensitive information can be highly damaging for schools and their students.
Once a school has been attacked and data has been stolen, it has two options: ignore the threats, report the incident to law enforcement, and deal with the consequences; or pay the ransom demand. Law enforcement strongly advises against the latter.
What schools must do is take steps to prevent attacks from occurring, which means addressing the vulnerabilities that are being exploited. It is not possible to reduce risk to zero, but it is possible to make it much harder for attackers to gain access to school networks and data.
In the U.S. Department of Education advisory, Kathleen Styles confirmed what law enforcement agencies have been saying, that so far, any threats of violence have not been credible and no physical attacks on schools have taken place. However, she did explain the importance of taking proactive steps to improve cybersecurity defenses to mitigate the risk of these hacking and extortion threats.
So far, confirmed attacks have taken place in three states, and each of those attacks has occurred as a result of schools having weak security. Access to data has been gained by exploiting unaddressed known vulnerabilities in software, through phishing attacks on staff, and via malicious software.
The U.S. Department of Education has advised all K12 schools to take the following precautions. The same precautions should be taken by all educational institutions, including higher education establishments.
- Conduct security audits (risk assessments) to identify vulnerabilities that could potentially be exploited, and address any vulnerabilities that are discovered – such as making sure patches are applied and vulnerable systems are secured.
- Make sure audit logs are created and regularly checked to identify any suspicious activity. Prompt detection of an attack can limit the harm caused.
- Train staff and students on data security best practices.
- Conduct phishing awareness exercises and advise staff and students of the risk of social engineering attacks. Show them how to identify and report a phishing email.
- Conduct a review to make sure all systems containing sensitive data cannot be accessed from outside the organization.
If attacked, it is essential that law enforcement is notified immediately. The Department of Education should also be contacted so it can disseminate the indicators of compromise to prevent other schools and school districts from being attacked.