In September 2016, a group of hackers reportedly infiltrated the computer networks of at least four separate school districts in the US state of Florida, with the aim of stealing personal information and social security numbers (SSNs) from "hundreds of thousands" of students.
The cybercrime group, which allegedly has links to Morocco, was able to use malware to turn off website logs recording who was accessing the systems. According to the Miami Herald, citing the work of security firm United Data Technologies, the hackers lurked for months.
The initial attacks were launched via phishing, a technique that often hides computer viruses in email attachments and links. In this case, an email message contained a booby-trapped image which, once clicked, infected the system with stealth malware.
The hackers' actions did not immediately spark an investigation, with investigators later finding they conducted "reconnaissance" for weeks.
It was in November, after photos of an Islamic State (Isis) terrorist were posted to a number of district websites, that professionals were called in.
Sources told the Miami Herald the motivation of the hackers was most likely to steal the personal information and SSNs of students, which could then be sold on dark web forums and marketplaces. Luckily, no pupil data was found to have been compromised.
"If you're trying to steal identities or cobble together identities, if you can get a person's name, date of birth, home address, you're starting to get a fairly complete record," Michael Kaiser, director of the US National Cyber Security Alliance, told the newspaper.
"Think of the things school districts have – it's more than many businesses," he added.
Late 2016 was a turbulent time in the cybersecurity world. At the time, a series of seemingly nation-state level attacks had targeted the national political system. Hacks had been recorded at a slew of election groups, including the Democratic National Committee (DNC).
In this case, United Data Technologies concluded there was no evidence the attacks were linked to that activity, which has largely been attributed to Russia's intelligence services. Instead, the firm attributed the cyberattacks to MoRo, a group based in Morocco.
The firm has not published technical evidence to back up these claims. Additionally, the full list of school district victims remains unclear – with only one, Miami-Dade, being named to date. Interestingly, it appears the hackers may have been planning more nefarious attacks.
According to United Data Technologies' findings, cited by the Herald, the group may also have been targeting state voting systems and government networks. Most recently, Bloomberg reported that US election hacks were more widespread than previously known.
There have been numerous attacks on schools over the past 12 months, with many falling victim to ransomware – malicious computer software that locks down files and demands money for their release. One Los Angeles school paid hackers $28,000 after being infected.
"There's always this want to have open access and it is a learning environment so some things that corporate America does just by rule we wouldn't apply in an education environment," noted Paul Smith, the Miami-Dade school district's director of data security.
"We're talking hundreds of thousands of devices. That's one of the challenges that we face."
There are 74 school districts in the state of Florida.