When Superintendent Steve Bradshaw first received a threatening text message in mid-September, he didn’t know it was coming from a hacker trying to exploit his Montana school district.
But soon, students and other schools around Flathead County were receiving threatening messages, too. More than 30 schools in the district shutdown for three days.
“The messages weren’t pleasant messages,” Bradshaw said. “They were ‘splatter kids’ blood in the hallways,’ and things like that.”
The U.S. Department of Education is now warning teachers, parents, and K-12 education staff of a cyberthreat targeting school districts across the country.
So far, at least three states have been targeted by the extortion attempt from hackers asking schools to give them money or the group will release stolen private records, according to the department.
“In some cases, this has included threats of violence, shaming, or bullying the children unless payment is received,” the department wrote in an advisory this week.
Bradshaw, the superintendent of schools in Columbia Falls, Montana said a hacking group broke into multiple school servers and stole personal information on students and possibly staff. He said after the threatening messages came, hackers asked for ransom.
In a ransom note sent to a number of Columbia Falls school district members and released by the county’s sheriff’s department, the hacking group called the Dark Overlord threatened the district and demanded up to $150,000 in bitcoin to destroy the stolen private data.
The threatening letter talked about use of force, mentioned the name “Sandy Hook,” the elementary school in Connecticut where 20 small children and six adults were shot dead, and said victims would suffer financial and reputational damage.
Law enforcement said they did not believe the threats and determined the attackers were located outside of the U.S.
“We feel this is important to allow our community to understand that the threats were not real, and were simply a tactic used by the cyber extortionists to facilitate their demand for money,” the Flathead County Sheriff’s Office said in a Facebook post last month.
Bradshaw said the district is not paying the ransom, and he is still receiving threatening messages.
The same hackers also targeted the Johnson Community School District in Iowa earlier this month, and the district canceled all classes on October 3. According to local media reports, the hackers also sent threatening text messages to children and their parents.
The hacking group previously attempted to extort Netflix after hacking its production studio, Larson Studios. The group released episodes of Orange is the New Black online last spring.
It’s unclear why the Dark Overlord began targeting schools but someone from the hacking group told the Daily Beast they are “escalating the intensity of our strategy in response to the FBI’s persistence in persuading clients away from us.”
The Department of Education says the hackers are probably targeting districts “with weak data security, or well-known vulnerabilities that enable the attackers to gain access to sensitive data.” It advises districts to conduct security audits and patch vulnerable systems, train staff on data security best practices, and review sensitive data to make sure no outside actors can access it.
According to May Kavaney, the chief operating officer of the Global Cyber Alliance, school environments often don’t have a lot of technology resources dedicated to security, but have some of the richest personal information on people, including social security numbers, birth dates, and, potentially, medical and financial information.
“If bad actors can access student [personal data], that information can be exploited for the purpose of fraud and committing crimes for years before it is detected,” Kavaney says. “It’s often only upon application for a job, or application for financial aid to attend college that students find out that their social security number has been used fraudulently — they may have poor credit due to false applications against their history, or worse, find that crime has been committed in their name.”
Bradshaw says the ordeal has been stressful and troubling. Because the district hasn’t paid the hackers, they’re still threatening to release the data online. But, he said, the response from law enforcement and the Flathead County community has been positive.
“We still got people in this country that believe in one another, and it’s been easier to get through than you would have thought,” Bradshaw said. “People care about people in this state.”