We’ve heard a lot about Russian attackers attempting to hack the US election, but another hacking group also allegedly wanted to interfere with the election; they attempted to pivot from compromised school districts to state voting systems.
The Miami Herald reported that MoRo, a group of hackers based in Morocco, penetrated “at least four Florida school district networks” and purportedly searched for a way “to slip into other sensitive government systems, including state voting systems.”
According to United Data Technologies (UDT), the firm that investigated the breaches, or “incidents,” the hackers successfully phished people working in the school districts, tricking them into clicking on an image in an email, which allowed malware into the system. The article does note that the hackers also targeted an unnamed Florida city network with a similar attack.
After the school district systems were infected with malware, the hacking group “turned off the logs recording who accessed the systems.” UDT analysts had a hard time figuring out for sure what all the hackers had done. Turning off the logs was called a “sophisticated maneuver” that UDT “had never seen before.” (Silly me, I thought disabling logging was fairly common if a hacker doesn’t want to get busted immediately.)
Despite the lack of logs, UDT determined the hackers were in the systems for three months, “mapping them out and testing their defenses. At one point, they even posted photos of someone dressed as an ISIS fighter on two school district websites.”
At first, the hackers had purportedly hoped to steal the personal information of “hundreds of thousands of students.” Miami-Dade, which is the largest school district in Florida, was the only one of the four compromised school districts which was named.
Yet it wasn’t just sensitive student information the hackers could have accessed. The article points out that Miami-Dade, which is the fourth largest school district in the US, also “handles the personal information, including Social Security numbers, of hundreds of thousands of current and former students, along with data on thousands of employees and parents.”
Before you get worked up, the article claims the hacking group failed to steal student information or access voting systems. In fact, the hacking is referred to as “attempted” seven different times. Yet, if the hackers remained inside the systems for at least three months, that seems to be more than an “attempted” hack. Attempted, perhaps, pertains to stealing the personal information of hundreds of thousands of students and then selling the Social Security numbers on the dark web.
Even though the hackers put “ISIS-inspired photos on a school district website,” Miami-Dade “didn’t find any evidence of malware or access to its computer systems.” Paul Smith, Miami-Dade’s school district director of data security, said, “I would say if anything it was an attempted hack. But it was raised up to law enforcement and we did go through all the systems.”
The article says the attack started in the fall. In November, “a photo of someone who appeared to be one of the hackers dressed as an ISIS fighter went up on a school district website. It stayed there for about 24 hours. The following month, the same photo flickered onto another school district’s website.” There are no details about the type of malware or even how it was ascertained that the photo might be of one of the hackers.
UDT claimed that the hackers wanted more than kids’ names and Social Security numbers; mapping the network revealed that the school district systems had some connections to “different county and city systems.” The Moroccan hackers were allegedly searching for a backdoor to other government systems.
Michael Kaiser, the executive director of the National Cyber Security Alliance, told the Miami Herald that it is “very common” for a school district network to be “attached to other networks in the town or city or even the state, depending on how the network is set up.”
Attackers would love to steal the login for a system admin who has credentials to access other government networks, Kaiser explained, or to gain access to the admin’s email account and use it to phish government employees.
UDT claimed the hackers bragged about their exploits online, saying they were attempting “to get into voting systems hosted by Diebold voting platforms. They wanted to bring down what they thought were state voting systems.” This, however, happened in December – which is about a month too late to hack the vote.
Regarding the hack, or “attempted” hack as it is continually referred to by the Miami Herald, “UDT contacted the FBI and re-engineered the malware so it was no longer a threat. The analysts found no evidence that any data had been taken. The FBI declined to comment on the incidents or on cybercrimes in general.”
The point of the “hack attacks” article, it seems, was to raise awareness of how vulnerable Florida school districts are to cyber thugs. Raising overall security awareness for school districts seems like a wise thing, considering that another phishing scam in Florida resulted in compromising the financial information of more than 7,700 Manatee County School District employees. A school district employee received an email which appeared to be from the school superintendent and handed over the requested W2s of all the district’s employees.