The Washington Post
Democracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

‘Back to school’ is also ‘back to cyberattacks’ for some districts

Welcome to The Cybersecurity 202! Friends, we have a Neil Gaiman vs. Elon Musk feud.

Below: New surveillance video shows how election deniers visited a Georgia elections office, and an Israeli official’s former house cleaner gets sentenced for allegedly offering to sell information to Iranian hackers. First:

Hackers like to strike schools, which often lack resources to defend themselves

A ransomware attack over the weekend on the United States’ second biggest school district, in Los Angeles, marks the 50th publicly known ransomware attack on a U.S. school or university this year, by at least one count.

It serves as an especially sizable reminder that the “back-to-school” season is one of hackers’ favorite times to strike a set of targets that are less capable of defending themselves than most, with attacks that can put sensitive student information in jeopardy and cost cash-strapped schools a lot of money.

  • “There are groups that understand there are certain times of the school year they could have more leverage and they might also be able to benefit from IT staff that are more distracted,” Doug Levin, national director of the nonprofit K12 Security Information eXchange, told me. 
  • “So back to school time is absolutely one of those times,” he said, noting that information technology professionals at school districts are usually dealing with a crush of emails and tech requests around holidays when students are returning.

It’s likely to be a busy September for schools across the globe, warned one ransomware expert, Recorded Future’s senior security architect Allan Liska.

What happened

Los Angeles Unified School District, which enrolls more than 640,000 students from kindergarten to 12th grade, said Tuesday it discovered the incident over the weekend.

The district said the attack didn’t prevent schools from opening, nor did it hamper a range of other services. However, one high school in the district said access to technology like email could be affected. At a news conference Tuesday, Los Angeles Unified Superintendent Alberto Carvalho wouldn't identify which hacking group made the attack, citing FBI and Los Angeles police guidance. He said, “We've received no demand at this point” from the hackers and would only say that the hackers “had access to some degree of data.”

Federal agencies jumped in “to provide rapid, incident response support to Los Angeles Unified, building on the immediate support by local law enforcement agencies,” the district said.

Indeed, the attack galvanized a White House-led federal response featuring the FBI, Education Department and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

Later Tuesday, CISA, the FBI and the Multi-State Information Sharing and Analysis Center (a federally funded organization also known as MS-ISAC that helps local governments, including schools, on cybersecurity) also issued a warning about a ransomware group named Vice Society targeting the education sector. Vice Society has targeted at least 10 schools in the United States and five in the U.K. over the past year and a half, Randy Rose, senior director of operations and intelligence at the Center for Internet Security, which runs MS-ISAC, told me.

The numbers

The number of publicly reported ransomware incidents at U.S. universities and school districts appears to be down so far this year compared with 2021, although the number of total schools those incidents affected is already higher than last year. 

The decline in the total number of incidents is probably a deceptive figure, Levin said, since the covid-19 pandemic drove up the number of attacks on schools as hackers took advantage of the rise in online schooling. School districts led by elected government officials are also more reluctant than before to publicly disclose cyber incidents, lest they face furor from voters.

“Nobody wants to be the bearer of bad news,” Levin said.

Whatever choice school districts make when a ransomware attack hits, it’s going to be expensive. Downtime from ransomware attacks alone cost schools and colleges approximately $3.6 billion in 2021, according to security firm Comparitech. The highest ransom paid jumped from $220,000 in 2021 to $2 million in 2022, according to Rose. MS-ISAC, like the FBI, discourages paying ransoms, since doing so doesn’t guarantee recovery of victim files.

Hackers attack schools because:

  • Local governments devote large swaths of their budgets to education, perhaps making them able to pay higher ransoms.
  • Despite that fact, many schools tend to be understaffed in the cybersecurity department, making them more vulnerable. Not every school district has the White House’s ear for soliciting help.
  • Even without credit scores or bank passwords, student data can become a rich source of other kinds of cybercrime.

The federal policy response

The Government Accountability Office last year faulted a muddled federal response to providing cybersecurity assistance to schools. Senators responded by insisting that the Education Department update a decade-old document on school threats that mostly didn’t address cybersecurity. It was in the “nascent stages” of doing so as of March.

CISA has issued alerts and advice to schools on cybersecurity, and under a law President Biden signed last year must review risks to K-12 schools, develop security guidelines for them and write an online tool kit to help them implement those guidelines.

The keys

Video shows election deniers repeatedly visiting Georgia elections office after alleged breach

Technology consultants Doug Logan and Jeffrey Lenberg made two visits to the Coffee County, Ga., elections office, and Lenberg made an additional five visits on his own, Emma Brown and Jon Swaine report. Video obtained by The Post also shows Cathy Latham, a teacher and then-chairwoman of the county Republican Party, greeting outside data forensics experts on the day of an alleged breach. Plaintiffs in a lawsuit against Georgia authorities obtained the video in response to a subpoena to county authorities, and they provided it to The Post.

“The new video adds to the picture of the alleged breach in Coffee County on Jan. 7, 2021, and reveals for the first time the later visits by Logan and Lenberg,” Emma and Jon write. “It also provides further indications of links between various efforts to overturn the election, including what once appeared to be disparate attempts to access and copy election system data in the wake of Trump’s loss.”

Logan and Lenberg didn’t respond to requests for comment. Latham’s lawyer, Robert D. Cheeley, said she “would not and has not knowingly been involved in any impropriety in any election.” Latham “did not authorize or participate in any ballot-scanning efforts, computer imaging or any similar activity in Coffee County in January 2021,” Cheeley said.

Israeli defense minister’s house cleaner sentenced

Omri Goren will serve three years in prison as part of a plea deal with Israeli prosecutors, who say he offered to share information from Defense Minister Benny Gantz’s house with hackers working for Iran, the Times of Israel reports. Prosecutors accused Goren of offering to sell information from Gantz’s home to hackers with the Iran-linked Black Shadow group on Telegram; he reportedly offered to bug Gantz’s computer for $7,000.

Before working for Gantz, Goren had been convicted five times of committing crimes. His time working in Gantz’s home raised questions about how he was cleared by the country’s domestic security agency, the Shin Bet. Last year, the agency announced it had found failures in Goren’s screening process. The agency said it had tightened security controls and reprimanded two officials.

Early on, the Shin Bet and Goren's lawyers had said he didn't have access to national security information in his role. Goren’s attorneys argued that the case wasn’t an espionage case, and prosecutors dropped espionage charges against him as part of the plea deal. “[Goren] is not a spy and this isn’t a spying scandal,” his attorneys said after the sentencing. “This is about a man who found himself entangled in debt and identified a security breach.” Goren has admitted to many of the allegations against him; however, he has denied that he knew the hackers were Iranian.

Former Uber security executive set to go on trial for allegedly hiding 2016 breach

Joe Sullivan, a former chief security officer at Uber, is accused of not disclosing the security breach, and this week’s trial in San Francisco represents a rare prosecution of an executive for how they handled a breach, the New York Times’s Kashmir Hill and Kellen Browning report.

“Prosecutors have accused Mr. Sullivan of obstructing justice and concealing a felony for not disclosing the breach or revealing it” to the Federal Trade Commission, which was investigating Uber, Hill and Browning write. “Mr. Sullivan’s spokesman said he could not discuss the case given the upcoming trial. Uber declined to comment.”

Uber fired Sullivan, a former federal prosecutor, in 2017. He most recently worked as Cloudflare’s security chief but stepped down to prepare for the trial.

Global cyberspace

Russia’s war on Ukraine deepens international cyber-defense cooperation (The Wall Street Journal)

New cyberespionage group surfaces following attacks on mostly Asian targets (CyberScoop)

Housing Agency Didn't Complete Cyber Orders From DHS, Report Says (NextGov)


  • The Federal Trade Commission hosts a public forum on commercial surveillance and data security today at 2 p.m.
  • CIA chief technology officer Nand Mulchandani and retired lieutenant general Jack Shanahan discuss software-defined warfare at a Center for Strategic and International Studies event on Wednesday at 2 p.m.
  • CSIS hosts an event on stopping misinformation and disinformation on Wednesday at 3 p.m.
  • Top officials from across the federal government speak at the Billington CyberSecurity Summit from Wednesday through Friday.
  • NSA research director Gil Herrera speaks at an event hosted by the Intelligence and National Security Alliance on Thursday at 9 a.m.
  • The Carnegie Endowment hosts a cyber-military book talk Thursday at 10 a.m.

Secure log off

Thanks for reading. See you tomorrow.