March 27, 2023 By Jonathan Reed 4 min read

Instead of snow days, students now get cyber days off. Cyberattacks are affecting school districts of all sizes from coast-to-coast. Some schools even completely shut down due to the attacks.

The federal government recently warned that K-12 schools face a growing threat from cyber groups. According to the FBI, school districts often have limited cybersecurity protections, which makes them even more vulnerable. The FBI also says it anticipates the number of threats to increase.

In a recent warning, the nation’s top security agencies said the ransomware group Vice Society is disproportionately targeting schools. In response to these types of threats, CISA has released new guidelines for K-12 entities to deter cyberattacks. Will it be enough to protect our schools?

A rising wave of cyberattacks against schools

It seems as if a month doesn’t go by without hearing about a major cyber incident affecting schools. Here are some more notable incidents:

  • Albuquerque Public Schools closed their schools in January 2022 due to a cyberattack that compromised the student information system. The schools used this system to take attendance, contact families in emergencies and assure that authorized adults picked up students from school.
  • In September 2022, the Los Angeles Unified School District sounded alarms and engaged in urgent talks with the White House and the National Security Council. The district discovered ransomware which led to mandated password changes for 540,000 students and 70,000 district employees.
  • Classes were canceled for 30,000 students in Des Moines, Iowa, in January 2023 due to a possible ransomware attack. Taking the district’s servers and internet network offline affected classes, bus routing and food and nutrition systems, as well as access to important student documents.
  • Over 19,000 students in a West Virginia school district got the day off after a cyberattack in February 2023. The Berkeley County Schools suffered a network outage which affected IT operations across the school system. Attackers may also have stolen student personal data.

“We have seen widespread credit abuse, identity theft, even tax fraud,” said Doug Levin, national director for K12 Security Information eXchange (K12 SIX). K12 SIX is a national non-profit organization dedicated to protecting the U.S. K-12 community — including school districts, charter schools, private schools and regional and state education agencies — from emerging cybersecurity threats.

So far, K12 SIX has publicly reported more than 1,600 cyberattacks since 2016. During these incidents, children’s personal information is most at risk.

Vice society is the main perpetrator

According to a CISA alert, the FBI, CISA and the MS-ISAC observed Vice Society actors disproportionately targeting the education sector with ransomware attacks. The Vice Society hacking group emerged in the summer of 2021. The group made its mark by exploiting internet-facing applications, typically obtaining initial access through stolen credentials.

Vice Society is by far the most active group targeting schools:

Rather than relying on a singular, unique form of ransomware, the Vice Society actors deploy various versions, such as Hello Kitty/Five Hands and Zeppelin, with the potential to use others in the future.

Before unleashing their ransomware, Vice Society meticulously scans networks for opportunities to expand their access and collect valuable data. They are known to execute double extortion schemes where they threaten to publicly release sensitive information unless the victim pays up.

The group’s toolkit is well-stocked, making use of SystemBC, PowerShell Empire and Cobalt Strike for lateral movement. Vice Society also uses “living off the land” techniques that take advantage of legitimate Windows Management Instrumentation (WMI) services and manipulate shared content.

Federal government response to school cyberattacks

In January 2023, CISA took a significant step to assist U.S. schools’ cybersecurity. CISA released a comprehensive report and toolkit aimed at K-12 institutions to help safeguard against the ever-growing number of cyber threats, including ransomware.

Titled “Partnering to Safeguard K-12 Organizations from Cybersecurity Threats,” the report provides a roadmap for K-12 schools and school districts to tackle systemic cybersecurity risks. The report also offers a closer look at the current threat landscape specific to the K-12 community.

With easy-to-follow recommendations and resources, school leaders can take action to boost their cybersecurity efforts and ensure the safety of their students’ sensitive information.

By providing K-12 institutions with the tools and knowledge to defend against cyber threats, CISA is setting the stage for a safer, more secure educational experience for students across the country.

How schools can thwart cyberattacks

According to the new CISA report, K–12 entities should begin with a small number of prioritized actions, such as:

  • Deploying multifactor authentication (MFA)
  • Mitigating known exploited vulnerabilities
  • Implementing and testing backups
  • Regularly exercising an incident response plan
  • Implementing a strong cybersecurity training program.

From there, K–12 entities should move forward to adopt CISA’s Cybersecurity Performance Goals (CPGs). Ultimately, schools should build an enterprise cybersecurity plan aligned with the NIST Cybersecurity Framework (CSF).

Who’s going to pay for school cybersecurity?

While the CISA guidelines make perfect sense, how will cash-strapped school districts pay to upgrade their security? Here, CISA also has some ideas, such as:

  • Working with state planning committees to leverage the State and Local Cybersecurity Grant Program (SLCGP)
  • Using free or low-cost services to make near-term improvements in resource-constrained environments
  • Expecting and calling for technology providers to enable strong security controls by default at no additional charge
  • Minimizing the burden of security by migrating IT services to more secure cloud versions.

Is school cybersecurity easier said than done?

It’s encouraging to see the federal government step up to help K-12 entities improve their security posture. However, if even multinational corporations can’t fend off many attacks, what chance do school districts have? This same question also applies to local government agencies and small-to-medium-sized businesses.

Certainly, there are no easy answers to the growing rate of attacks. Undoubtedly, it will require an effort that involves close collaboration between the public and private sectors and law enforcement. As cyber threats increasingly encroach upon our everyday lives, what will be our response?

More from News

Research finds 56% increase in active ransomware groups

4 min read - Any good news is welcomed when evaluating cyber crime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021. Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in…

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

CISA and FBI release secure by design alert on cross-site scripting 

3 min read - CISA and the FBI are increasingly focusing on proactive cybersecurity and cyber resilience measures. Conjointly, the agencies recently released a new Secure by Design alert aimed at eliminating cross-site Scripting (XSS) vulnerabilities, which have long been exploited to compromise both data and user trust. Cross-site scripting vulnerabilities occur when a web application improperly handles user input, allowing attackers to inject malicious scripts into web pages that are then executed by unsuspecting users. These vulnerabilities are dangerous because they don't attack…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today