Montana school district hit by foreign hacking collective

The group threatened to release sensitive student data if the district didn’t pay a ransom.

  • Eli Francovich The Spokesman-Review, Spokane, Wash.
  • Wednesday, November 8, 2017 9:28am
  • Northwest

“I will tell the moral Without any fuss; Those who lead the young astray, Always suffer thus.”

That was the text message Steve Bradshaw received one Tuesday night in early September. The school district superintendent in Flathead County, Montana, didn’t recognize the number. However, his wife told him the words were from a poem titled “Mother Tabbyskins.”

Hours later, he received another, blunter text message.

“One of them (text messages) basically said you’re not going to see me coming,” Bradshaw said.

What Bradshaw didn’t know then was the text messages were part of a multipronged cyberattack, conducted by an infamous foreign hacking collective, aimed at forcing money from a small Montana school district.

And, in a year when hackers infiltrated and stole from multinational corporations like Equifax and Netflix, the Montana hack illustrates the unique vulnerability of much smaller organizations — schools.

The reality that the attacks can originate anonymously from anywhere in the world is particularly unsettling, said Travis Hanson, superintendent of the Deer Park School District in Spokane.

“It’s like you’re fighting a phantom,” he said. “You don’t know where they’re coming from.”

Extreme case but common methods

Over the course of several hours, Flathead-area teachers, administrators, parents and students received threats similar to those sent to Bradshaw. Those threats prompted authorities to cancel school across the county, according to reports from the Flathead Beacon. The four-day closure impacted more than 15,000 students across 30 schools.

Then, the hackers, who claimed to be affiliated with the Dark Overlord Solutions, the group responsible for an April hack of Netflix, sent the district a ransom note, which the Flathead Beacon made available online. In it, the group threatened to release sensitive student data, including student discipline reports and grades, if the district didn’t pay a ransom.

The district declined to pay the money, Bradshaw said. And, so far, there have been no repercussions. Now, Bradshaw said, the district is trying to determine what records the hackers actually got.

“I don’t think that we’ll ever be 100 percent sure,” he said. “The security firm we hired is not finding any footprints that they left.”

Bradshaw believes the hackers gained access to the district’s servers through a computer that was accessing the schools’ servers from off-site.

Once in the district’s servers, the hackers gained access to a variety of sensitive data.

“From that server they were able to get to other servers, and on top of it they were able to get to my computer which had access to everything in the district.”

School servers and networks are particularly vulnerable because a number of people likely have some type of administrative access, which makes them easier to infiltrate.

According to Verizon’s 2016 Data Breach Investigations Report, educational institutions reported the sixth most cases of “security incidents” for all tracked industries nationwide.

And, Bradshaw said that at his school district the IT departments developed organically. Often those working in the system didn’t necessarily have formal IT training.

“Like most school districts we have people who are teachers and just got interested in technology,” Bradshaw said.

Spokane-area response

While Spokane-area schools haven’t experienced anything as severe as the Montana hack, school officials and information technology directors said in recent interviews they remain vigilant.

“The things I read say that education is one of the next areas that is being targeted,” said Clay Gehring, the director of technology services for Spokane Public Schools.

Most often those attacks come in the form of phishing scams. People email district employees asking them to click on links, or provide personnel information. Those emails are often disguised as internal human resources communications or friend-to-friend emails.

“They use phishing as an avenue to get in the door,” Gehring said. “It’s the path of least resistance.”

For that reason, Gehring focuses heavily on education. He’ll even simulate a phishing attack, sending school employees anonymous emails asking them to follow certain links. If they do, they’re redirected to a web page explaining the dangers of phishing and how to spot fake emails.

More brazenly, this year a would-be hacker forged Superintendent Shelley Redinger’s signature on a district purchase order and requested $10,000 in cash from the district’s chief financial officer. The forgery was caught when the administrator saw that the email requesting the money was sent from an iPhone, Redinger said. Redinger does not own an iPhone.

For a district like Spokane Public Schools, the state’s second-largest, cybersecurity is an expected cost of doing business. But, for smaller school districts it can be a burdensome, if not prohibitive cost.

Increasingly those smaller districts are turning to security cooperatives — groupings of school districts sharing resources to keep their data secure.

“I think that is clearly one of the most significant challenges that we face right now,” said Hanson, the superintendent of Deer Park Schools.

Cooperative security

Many of those agreements are overseen by Educational Service District 101. The district, which covers northeast Washington, provides services to 65 public schools and Spokane’s two charter schools. It provides internet services and security.

Additionally, there is a statewide system that helps small districts store sensitive information. That data is backed up at the ESD 101 offices in Spokane, said Jerry McDermott, assistant superintendent. Of the state’s 295 districts, 280 store their sensitive data with educational services districts.

That sort of arrangement, keeping sensitive data separate from school servers, can minimize the damage if a system is infiltrated.

After Deer Park received a number of threatening robocalls, Hanson said the district started blocking all anonymous phone numbers.

“If you don’t spend some of the money up front and attend to security you will probably spend it on the back end,” Hanson said.

Security experts agree.

Idan Udi Edry, the CEO of Trustifi, an email encryption and security company, urged organizations, no matter how small, to invest in cybersecurity measures. He urges school leaders to think of cybersecurity measures as a type of insurance.

Those steps can make a potential target less appealing to a would-be hacker.

“The hackers’ mindsets today is to achieve maximum results with minimum effort,” Edry said.

‘A very unsettling feeling’

Bradshaw, the superintendent in Montana, said he and his community are still dealing with the after-effects of September’s hack. The district, as required by law, is trying to figure out what information was stolen and what wasn’t. The district is required to notify impacted individuals.

Bradshaw recommends that all school districts purchase cyberinsurance. He estimates his district has spent more than $100,000 just trying to figure out how the hackers got in and what they might have taken.

And coming to terms with the fact that a person, or a group of people, can wreak havoc on a community from across the globe is taking some time.

“It’s a very unsettling feeling,” Bradshaw said.
