TUSD’S Cyber Shutdown: District discovers how hackers infiltrated its system

The district wasn’t ready for sophisticated attack by experienced cybercriminals
Published: Apr. 17, 2023 at 7:54 PM MST|Updated: Apr. 18, 2023 at 9:57 AM MST

TUCSON, Ariz. (13 News) - Tucson Unified is still trying to fully recover from a ransomware attack in late January. The question swirling around now is whether the district did enough to help prevent it.

TUSD has learned how cybercriminals got into the system, and the underlying issue dates back years.

Ransomware attacks in the education sector have ramped up in the last few years, and the feds have sent warnings to districts and schools to tighten security.

Did TUSD heed those warnings?

The forensics team determined hackers used a current employee’s account to access the district’s system.

13 News Investigates discovered the district was far from being prepared for what was to come as a “brutal attack” on TUSD’s system.

The damage was done by “Royal,” which the feds report is an operation that “appears to have experienced hackers.”

Royal’s ransomware surfaced late last year, only months before TUSD’s crippling attack.

Cybersecurity experts say hackers are growing more sophisticated by the minute and the education sector is now a top target.

Victor Wieczorek of Guidepoint Security said, “To be honest, education systems have been understaffed and underfunded in terms of IT and cybersecurity for much longer than the COVID pandemic. But of course, that just exacerbated a huge issue there.”

TUSD had received a warning in 2018, before COVID hit, by way of a performance audit done by the Auditor General’s office.

The audit showed TUSD that it lacked “adequate computer controls.” It stated, “The poor controls exposed the district to an increased risk of unauthorized access to sensitive information and data loss.”

The audit found staffers who left TUSD still had access to the district’s network and systems. TUSD “lacked a contingency plan” and a Disaster Recovery Plan if the system failed. The district also had weak password requirements.

Wieczorek said, “And so things like that, technical debt that builds up over time, increases the overall opportunity for an adversary to take advantage of it.”

So what’s happened since then?

During a follow-up in 2020, the district reported all of it had been taken care of, and passwords had been strengthened.

However, district leaders learned the hard way that the fixes fell short and the group of experienced hackers out-skilled them.

The feds and cybersecurity operations sent out warnings, reports and recommendations. They pointed out that districts and schools should be training staff at all levels against more sophisticated cyber threats.

Long-time staffers told 13 News Investigates that the district missed the mark on password security.

When 13 News Investigates asked a staffer if there had been any training, the staffer responded “None whatsoever. Only just recently where they told us to create a new password because of the cyberattack.”

13 News Investigates asked Technical Services Executive Director Rabih Hamadeh to explain the breakdown. He said the district has enforced password security since 2019.

“What sometimes happens in any organization that has 40,000 plus students and 8,000 employees, external and internal, is sometimes we do have some gaps,” said Hamadeh.

Hamadeh estimated those gaps at about 20 percent. He said, “So the system is there, but enforcing the system sometimes can be a challenge and we have to do a lot of communication and manual follow-up.”

Those gaps enable cybercriminals to infiltrate critical systems to steal sensitive information and demand a ransom.

Wieczorek said, “We also need to ensure that these recommendations stay up to date with what the attackers are doing.”

The feds recommend implementing multi-factor authentication (MFA) as a first step in impactful security measures. The district sent an MFA notification to staff on that topic about a week after the attack.

“MFA is a required additional layer of security to protect your account when you connect to a TUSD network.”

Three days later, staff were told the district had new security software and that they needed to create new passwords of at least 8 characters.

Wieczorek said, “And we’re seeing now in today’s day and age that even eight characters aren’t cutting it.”

13 News Investigates told Hamadeh that an eight-character password minimum is outdated and that passwords need to be longer than eight characters.

Hamadeh said “No, of course, eight characters must be minimum. What we would like to have and implement is one for students and one for staff. What we’re trying to implement now is 15 characters.”

The district ran into a glitch after it got the student password change app working again three weeks after the attack.

The next day it went down again, and the team notified staff that it was working to restore the function.