March 27, 2023 By Jonathan Reed 4 min read

Instead of snow days, students now get cyber days off. Cyberattacks are affecting school districts of all sizes from coast to coast. Some schools have even shut down completely due to the attacks.

The federal government recently warned that K-12 schools face a growing threat from cyber groups. According to the FBI, school districts often have limited cybersecurity protections, which makes them even more vulnerable. The FBI also says it anticipates the number of threats to increase.

In a recent warning, the nation’s top security agencies said the ransomware group Vice Society is disproportionately targeting schools. In response to these types of threats, CISA has released new guidelines for K-12 entities to deter cyberattacks. Will it be enough to protect our schools?

A rising wave of cyberattacks against schools

It seems as if a month doesn’t go by without hearing about a major cyber incident affecting schools. Here are some of the more notable incidents:

  • Albuquerque Public Schools closed their schools in January 2022 due to a cyberattack that compromised the student information system. The schools used this system to take attendance, contact families in emergencies and ensure that authorized adults picked up students from school.
  • In September 2022, the Los Angeles Unified School District sounded alarms and engaged in urgent talks with the White House and the National Security Council. The district discovered ransomware, which led to mandated password changes for 540,000 students and 70,000 district employees.
  • Classes were canceled for 30,000 students in Des Moines, Iowa, in January 2023 due to a possible ransomware attack. Taking the district’s servers and internet network offline affected classes, bus routing and food and nutrition systems, as well as access to important student documents.
  • Over 19,000 students in a West Virginia school district got the day off after a cyberattack in February 2023. The Berkeley County Schools suffered a network outage which affected IT operations across the school system. Attackers may also have stolen student personal data.

“We have seen widespread credit abuse, identity theft, even tax fraud,” said Doug Levin, national director for K12 Security Information eXchange (K12 SIX). K12 SIX is a national non-profit organization dedicated to protecting the U.S. K-12 community — including school districts, charter schools, private schools and regional and state education agencies — from emerging cybersecurity threats.

So far, K12 SIX has publicly reported more than 1,600 cyberattacks since 2016. During these incidents, children’s personal information is most at risk.

Vice Society is the main perpetrator

According to a CISA alert, the FBI, CISA and the MS-ISAC observed Vice Society actors disproportionately targeting the education sector with ransomware attacks. The Vice Society hacking group emerged in the summer of 2021. The group made its mark by exploiting internet-facing applications, typically obtaining initial access through stolen credentials.

Vice Society is by far the most active group targeting schools.

Rather than relying on a singular, unique form of ransomware, the Vice Society actors deploy various versions, such as Hello Kitty/Five Hands and Zeppelin, with the potential to use others in the future.

Before unleashing their ransomware, Vice Society meticulously scans networks for opportunities to expand their access and collect valuable data. They are known to execute double extortion schemes where they threaten to publicly release sensitive information unless the victim pays up.

The group’s toolkit is well-stocked, making use of SystemBC, PowerShell Empire and Cobalt Strike for lateral movement. Vice Society also uses “living off the land” techniques that take advantage of legitimate Windows Management Instrumentation (WMI) services and manipulate shared content.

Federal government response to school cyberattacks

In January 2023, CISA took a significant step to assist U.S. schools’ cybersecurity. CISA released a comprehensive report and toolkit aimed at K-12 institutions to help safeguard against the ever-growing number of cyber threats, including ransomware.

Titled “Partnering to Safeguard K-12 Organizations from Cybersecurity Threats,” the report provides a roadmap for K-12 schools and school districts to tackle systemic cybersecurity risks. The report also offers a closer look at the current threat landscape specific to the K-12 community.

With easy-to-follow recommendations and resources, school leaders can take action to boost their cybersecurity efforts and ensure the safety of their students’ sensitive information.

By providing K-12 institutions with the tools and knowledge to defend against cyber threats, CISA is setting the stage for a safer, more secure educational experience for students across the country.

How schools can thwart cyberattacks

According to the new CISA report, K–12 entities should begin with a small number of prioritized actions, such as:

  • Deploying multifactor authentication (MFA)
  • Mitigating known exploited vulnerabilities
  • Implementing and testing backups
  • Regularly exercising an incident response plan
  • Implementing a strong cybersecurity training program.

From there, K–12 entities should move forward to adopt CISA’s Cybersecurity Performance Goals (CPGs). Ultimately, schools should build an enterprise cybersecurity plan aligned with the NIST Cybersecurity Framework (CSF).

Who’s going to pay for school cybersecurity?

While the CISA guidelines make perfect sense, how will cash-strapped school districts pay to upgrade their security? Here, CISA also has some ideas, such as:

  • Working with state planning committees to leverage the State and Local Cybersecurity Grant Program (SLCGP)
  • Using free or low-cost services to make near-term improvements in resource-constrained environments
  • Expecting and calling for technology providers to enable strong security controls by default at no additional charge
  • Minimizing the burden of security by migrating IT services to more secure cloud versions.

Is school cybersecurity easier said than done?

It’s encouraging to see the federal government step up to help K-12 entities improve their security posture. However, if even multinational corporations can’t fend off many attacks, what chance do school districts have? This same question also applies to local government agencies and small-to-medium-sized businesses.

Certainly, there are no easy answers to the growing rate of attacks. Undoubtedly, it will require an effort that involves close collaboration between the public and private sectors and law enforcement. As cyber threats increasingly encroach upon our everyday lives, what will be our response?
