Los Angeles school system changes timeline of ransomware attack

The Los Angeles Unified School District changed the official timeline of last year’s ransomware attack last week, more than four months after the incident was first made public.

The district is changing the scope of its high-profile data breach after an investigation showed the initial point of the breach occurred more than a month earlier than previously reported.

The threat actor accessed and extracted files on its servers between July 31 and September 3, 2022, the district said in a data breach notice filed last week with the California Department of Justice.

The breach did not occur, as the district initially claimed, over Labor Day weekend. The new details indicate that the ransomware group breached district systems and remained undetected for roughly a month.

“Breaches often go undetected for so long simply because the victim organization is not well protected,” Michela Menting, research director at ABI Research, said by email.

Threat actors need only find a single weak point, while victim organizations must invest in cybersecurity professionals and tools and develop a comprehensive plan for prevention, detection and response.

“All of these factors combine to make it especially difficult to respond in a timely and efficient manner to threats,” Menting said. “Organizations need money, time and resources for cybersecurity, something that public sectors lack even more than private ones.”

These challenges are particularly vexing in education, where IT systems and infrastructure are designed to be open and available to teachers and students.

“Due to the open nature of the infrastructure, there is increased risk,” Lorri Janssen-Anessi, BlueVoyant’s director of external cyber assessments, said by email.

Without the right resources, organizations often lack complete visibility into their own infrastructure or their ecosystem of providers, which makes it difficult to identify threats or compromises in a timely manner, Janssen-Anessi said.

Details emerge about a high-profile ransomware attack

The cyberattack on the Los Angeles school system, for which Vice Society later claimed responsibility, was the highest-profile and most damaging cyber incident in the education sector last year.

Vice Society stole approximately 500 gigabytes of data and posted around 250,000 files on the dark web, some containing Social Security numbers, contracts, W-9 tax forms, invoices and passports, according to data observed by threat researchers at Check Point.

District officials in Los Angeles said there was no response to the ransom demand.

It’s not uncommon for the timeline of a cyberattack to change upon further investigation, and the same is true for the scope of the compromise.

LAUSD said its investigation is ongoing, but on Jan. 9 it identified labor compliance documents and certified payroll records involving contractors who worked on Facilities Services Division projects. The files contained names, addresses and Social Security numbers of contractor and subcontractor employees, the district said in the data breach notice.

“Initial schedules are often a hasty analysis based on partial data,” Andrew Hay, chief operating officer at Lares Consulting, an information security consultancy, said by email.

“Only after the incident analysis is complete can an accurate schedule be established. Hindsight, as they say, is 20/20,” Hay said.

Establishing an accurate timeline is key, but post-breach investigations are complex, and many factors can delay confirmation of pertinent details.

“The longer a threat actor can sit on the infrastructure, the more havoc they can wreak,” Janssen-Anessi said.

“Timeliness is important after a violation and optimally knowing as soon as possible should be the goal,” Janssen-Anessi said. “Unfortunately, most of the time, that’s not the case. Cyberattacks are complicated, and threat actors continually hone their skills to refine each attack.”