War in Ukraine may be thousands of miles away, but state-sponsored cybercrime is likely to put US schools at risk.

Following western backlash against the Russian invasion of Ukraine in February, the infamous ransomware gang Conti has vowed to use its “full capacity to deliver retaliatory measures” against US organizations, including public institutions like schools. In a series of leaks (likely from disgruntled individuals connected to the gang) which followed this statement, Conti also gave the world a window into how it will conduct this campaign of retribution — by finding and weaponizing victims’ personally identifiable information (PII).

Leaked chat logs from inside the Conti gang show that a big part of the group's strategy for gaining access to victim networks involves using PII to phish victims or crack passwords bought from data brokers. SignalHire and ZoomInfo, two leading US data brokers, are mentioned explicitly by Conti members.

For US schools, securing this threat vector will become critically important, not least because the risk of falling victim to a ransomware attack from a group like Conti is growing at a terrifying pace.

Digitization and Geopolitics Have Increased Ransomware Risk for Schools

Conti, who operate more like a legitimate enterprise (think salaried staff and continuous security R&D) than a criminal gang, have a history of targeting school districts. Last April, the group paralyzed IT systems within the Broward County Public Schools in Florida, the nation's sixth-largest district. Broward County administrators were then presented with a $40 million ransom request.

The size of the ransom demand by Conti bewildered a school district official whose first reply to the group was to ask if the gang had included “extra zeros in that number by mistake?” Regardless of whether Broward County paid the ransom, repairing the damage is likely to have incurred substantial costs by itself — cleaning up after another Conti attack in 2021 has cost the Irish Health Service over $100 million to date.

Conti isn’t the only Russia-based cybercrime group either. Dozens of other groups with names like “Fancy Bear” also operate from inside Russia, likely with the encouragement of their government.

For US school districts, many of which are already familiar with both the short- and long-term devastation that ransomware can cause, these ideologically motivated and highly capable adversaries couldn't come at a worse time. The legacy of the COVID-19 pandemic has left schools more exposed to cyber-attacks than ever. From Google Classroom to BrainCert, educators now rely on a bewildering array of digital tools, most of which remain in use even as remote learning subsides.

Since 2020, school administrators have also digitized a significant number of records, moving things like student grades and permission forms onto the cloud. All of this makes it easier for attackers to disrupt operations through both ransomware and DDoS attacks. The latter is when threat actors send an overwhelming volume of web traffic to targeted servers, effectively shutting them down.

Through the eyes of threat actors targeting schools, every connected laptop or tablet used by a student or staff member is a potential attack vector. Insecure devices, which are typically connected to a variety of home and educational networks, are rife with exploitable vulnerabilities. At the same time, the growing volumes of staff and student personal data that schools collect and process digitally also make them more tempting targets.

For threat actors like Conti, whose eponymous ransomware is capable of freezing systems and stealing information simultaneously, a double payout from hacking schools is also on the menu. Not only can they demand a ransom, but they can sell copies of stolen student and staff personal records on the dark web, too.

Protection Is Not Just About Technology

Making school districts indigestible to Russian cybercrime gangs has a major technological element. Network endpoints (i.e., take-home devices and classroom computers) need to be hardened and equipped with effective antivirus solutions.

However, with school IT teams historically overstretched and endpoint numbers soaring, school districts also need to double down on the human side of cybersecurity.

In a typical school district ransomware attack, the starting point is likely to be when an employee or student inadvertently clicks on a malicious link or opens a phishing email. The Conti leaks make it clear that phishing emails are no longer just randomly sent to school faculty or students. Instead, this Russian gang (and others too) starts attacks by performing in-depth reconnaissance to gather as much information about potential targets as possible.

Defending against this threat requires a two-pronged approach from school districts:

  1. Carry out regular anti-phishing training. Phishing awareness training ultimately needs to become part of the curriculum in every school district. Everyone within the educational system needs to be taught to take a skeptical approach to emails, particularly those that request personal information or come with unexpected attachments.
  2. Prioritize staff PII security. The Conti leaks make clear that successful cyber-attacks rely on conducting research on victims through sources like data brokers. School districts should take steps to prioritize the monitoring and removal of exposed staff PII online.

With the geopolitical environment painting a target on US school districts for Russian cybercriminals, proactive defence is critical.

About the author

Rob Shavell is CEO of DeleteMe, The Online Privacy Company. Rob has been quoted as a privacy expert in the Wall Street Journal, New York Times, The Telegraph, NPR, ABC, NBC, and Fox. Rob is a vocal proponent of privacy legislation reform, including the California Privacy Rights Act (CPRA).