Since the advent of remote learning prompted by the pandemic, K-12 public school districts across the nation have become a favored target for cyberattackers. New Jersey is no exception.
Between January 2020 and August 2021, at least 85 school districts in the Garden State have reported cyber incidents, including disruptions to their digital networks and data systems, resulting in confusion, school closures, community alerts and financial threats, requiring the involvement of local and federal authorities. That number is likely higher though, since districts are not yet required to report incidents to authorities.
“As we have seen over the past year and a half with the pandemic, our attack surface has increased. More and more of us are online. So, whether we are going remote, learning from home, or the school system is providing more remote learning opportunities with ingress into their networks by students and administrators and teachers, there are more points of attack,” said Michael T. Geraghty, New Jersey’s chief information security officer. “The bigger the attack surface, the more opportunity that bad actors can try and gain access.”
Geraghty, who also serves as the director of the state’s Cybersecurity and Communications Integration Cell, said he expects cyber disturbances to continue as society increasingly depends on technology for everything from security cameras to intelligent traffic systems, water filtration plants, hospital functions, cars and now, schooling.
“Cybersecurity incidents are not going to go away,” Geraghty said. “Everything is connected to the internet and obviously everything can be attacked.”
Cyber invasions are on the rise and New Jersey school officials need to look no further than within their own state. Two districts in the leafy suburbs of affluent Somerset County were victims of cyberattacks, resulting in the closing of schools and the canceling of a school board meeting in April, according to a news report.
Another report from Microsoft Security Intelligence, which monitors real-time global cyberthreats for nearly 98.6 million devices, indicates that the education industry, by far, endured the most reported enterprise malware incidents over a 30-day period this summer.
Education sector cyberthreats surpassed business and professional services, retail and consumer goods, financial services and insurance, health care and pharmaceuticals, aerospace/automobiles/heavy industries, gas/chemicals/oil/mining, and high tech/information technology.
“When we went to remote learning and went to Zoom, and because it was brand new to lots of schools, they (school districts) were not securing themselves and people could enter the classrooms and participate in the sessions and use foul language and post derogatory pictures,” Geraghty said.
Those unfortunate events would not be a surprise to the Joint Cybersecurity Advisory, consisting of the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Multi-State Information Sharing and Analysis Center, which concluded in a December 2020 report that cyber actors were fiercely preying on K-12 distance learning education systems to purposely cause disruptions and steal data.
In their report summary, the federal organizations found that the percentage of reported K-12 school ransomware incidents increased at the beginning of the 2020 school year by 57%, in comparison to 28% of all reported ransomware incidents in the previous seven months. Ransomware is malware that infects a system and encrypts its data, making a network unavailable to its authorized users while the attackers try to extort a ransom payment. Paying the ransom, of course, does not guarantee that files will be recovered.
Hackers interfered with live video classroom sessions and harassed students and teachers by showing pornography and/or violent or racist images, and participated in doxing, the searching and online publishing of personal data with malicious intent, according to the advisory. False web domains designed to mimic legitimate sites, perhaps by changing a letter in the spelling, were among the hacker methods used to disguise their attempts to gather information and spark network viruses.
Former New Jersey Gov. Chris Christie created the NJCCIC in 2015 by executive order to protect the executive branch and to serve as the state’s cybersecurity hub to share threat intelligence, best practices and incident reporting. The agency is charged with helping to protect the economic and personal well-being of New Jersey residents, businesses and school systems.
A component organization within the New Jersey Office of Homeland Security and Preparedness, the NJCCIC also works with the New Jersey State Police, the FBI and other federal agencies. It provides public school districts and other government entities with free support, digital vulnerability assessment tools and assistance with cyberthreats and crimes.
In some cases, if the NJCCIC receives intelligence that a school district may be targeted, it reaches out to officials with steps to prevent ransomware or identity theft from occurring.
Since May 2020, the organization has located 16,000 school district emails that have been compromised on the “dark web,” where hackers trade and sell information, and notified school authorities.
Who are the Attackers?
“The threat actor can have any motivation imaginable out there,” Geraghty said.
Nation-states such as North Korea, professional cybercriminals and organized crime groups across the world in places such as Russia and Eastern Europe are all doing this for money. Teenagers and others domestically may perpetrate “denial of service attacks” to overwhelm a school system’s internet connection so no one can use legitimate services.
“It takes a lot of work to identify who they are. And, if the attacks are coming from overseas, it takes even more work and more cooperation with foreign governments to bring those offenders to justice,” said Geraghty.
Perpetrators found guilty are subject to computer crime statutes in New Jersey and on the federal level. Depending on the severity of the damage, the offenses could be considered a felony and may include fines, jail or prison.
“When I went to school, to get out of an exam, you would pull the fire alarm. Today, you would launch a cyberattack against your school and shut it down so you wouldn’t have to do that, and teenagers can do that,” Geraghty said.
Ransomware Escalating
Nationally, last school year, more than 1,600 ransomware attacks interrupted learning in institutions of higher education, as well as public school districts located in Fairfax County, Virginia, Hartford, Connecticut, and Fort Worth, Texas. Personal data maintained by seven districts was published, as reported by The Associated Press in an April 2021 report.
In March, Florida’s Broward County Public Schools, the nation’s sixth largest, with more than 270,000 students and an annual budget of about $4 billion, had its computer system hacked by a criminal gang that encrypted its data and then demanded $40 million in cryptocurrency as ransom or it threatened to wipe out district files. A brief district system shutdown followed, while classes remained in session. Although the district issued a statement saying that it had been working with cyber experts to probe the threat and had no intention of paying the ransom, after two weeks of negotiations it offered to pay $500,000, the AP report stated.
Cybercriminals are savvy and know when school systems are most vulnerable: the days leading up to vacations, holidays and other breaks. Even when schools are not in session, cases are reported, such as unemployment claims being made fraudulently in the names of some teachers and administrators.
It is not just large, or metro-area school districts, that are at risk.
In Duanesburg, New York, a municipality of about 6,100 people, the school district faced the attempted theft of $3.8 million between Dec. 18 and Dec. 22 a few years ago. The district’s bank reached out to find out if the transfers were authorized, after two overseas transactions had already occurred.
With the help of the FBI and other authorities, the district recovered $2.5 million, as discussed in a recent public presentation by the Multi-State Information Sharing & Analysis Center. The MS-ISAC has partnerships with all 50 states, six territories and tribal governments. In New Jersey, the organization works with 272 members, including 56 municipalities and 75 K-12 districts. Its largest, and booming, sector is its nearly 2,500 public districts nationwide.
No Boundaries
Years ago, stealing from a school would have involved intruders mounting a physical attack. No more.
“You’re not flying in from Russia or any place else. But, with the internet, there are no geographic boundaries. It’s locally ubiquitous. Time zones don’t matter and distance doesn’t matter, so it allows anybody from anywhere to attack any system anywhere that system is,” Geraghty said. “Schools always say, ‘We don’t have anything of value. Why would cybercriminals attack us?’ For a cybercriminal, it’s not how valuable you are, it’s how vulnerable you are. If they are vulnerable, they’ll be attacked. And, successfully attacked.”
Ransom demands also have escalated, according to experts. Today the ransoms are in the hundreds of thousands of dollars — and sometimes in the millions.
While most public school districts have insurance or joint insurance, and the cyber insurer will pay ransom, the NJCCIC, the FBI and law enforcement agencies discourage paying ransom because it motivates attackers to strike again.
“You’re validating their business model and more people will get involved as a means to make money,” Geraghty said.
Credential Compromise
Why hack into a system when you have someone’s username and password and can just log in as them?
“People are too lax when it comes to strong passwords,” Geraghty warned.
The NJCCIC issues alerts, advisories and warnings by industry on behalf of the FBI and the state Office of Homeland Security and sends them out to 11,500 registered members. School districts are encouraged to sign up online at cybernj.gov.
Since public schools and government offices are considered “critical infrastructure,” threats reported to the NJCCIC are kept confidential. However, cases can become public when police reports are made or through community and media reports. NJCCIC keeps the information anonymous and shares how an unnamed district has been exploited and how it recovered to assist other districts in avoiding similar situations.
Geraghty noted that the main concern of NJCCIC is the health and safety of the students and school employees. “We want to make other school districts in the area aware of the threats that are out there and how to prevent themselves from becoming a victim,” he said.