Malware Causing Disruptions in Pierce County Schools

An unspecified malware event at Clover Park School District in Washington is causing technical problems and apparently resulted in district files surfacing on the dark web, though the extent of the intrusion is unclear.

(TNS) — The Clover Park School District is in the middle of a "malware event" that is disrupting its computer systems.

Some files tied to the Lakewood-area school district have been found on the dark web, but the district has not described the extent of the event or whether it is a ransomware attack. The district intends to notify authorities.

"CPSD is currently experiencing technical difficulties and temporary disruptions to certain computer systems due to a malware event," district spokesperson Leanna Albrecht said. "Upon discovery, we immediately responded to secure our systems and commence an investigation into the nature and scope of the event."

The term "malware" includes any software intentionally designed to cause damage to a computer, server or computer network, such as computer viruses, worms, ransomware and spyware.

The district has sought help from cybersecurity specialists. The event began May 26.

"We have substantial resources dedicated to this process, and our investigation into the event is ongoing," Albrecht said.

Federal authorities will be notified of the system outage, an email to district families said.

"We will respond to and cooperate with any investigation that may be launched, and we will comply with any requests from law enforcement authorities," the email said.

The district launched a temporary website at cpsd.cloverpark.k12.wa.us.

"The district was already working on a website redesign to launch this fall and will keep this temporary website until the new website is launched," Albrecht said.

Albrecht did not respond to questions about which systems were compromised, whether it was a ransomware attack and whether hackers demanded money.

Albrecht did not immediately respond to questions about whether the district has spent money on retrieving data from the event. The News Tribune has submitted a public records request for details surrounding the event.

"We are actively investigating the full nature and scope of the system outage and will provide relevant updates as the investigation progresses," she said.

The Clover Park School District is the fourth largest school district in Pierce County, with 24 schools and more than 13,000 students.

On the dark web, screenshots of administrative-leave letters, student performance results and a photo of children have been released and have been listed as Clover Park School District data. The district's data was listed alongside data from seven other entities, which also appear to have been hit by a hacker group called Grief, according to webpages viewed by The News Tribune. The dark web consists of hidden websites untraceable through a conventional search engine and uses encryption software to provide anonymity for users.

A number of publications specializing in cybersecurity on June 1 identified Grief as a new player in hacking and ransomware schemes, along with another group calling itself Prometheus.

Information shared with The News Tribune and verified by two outside experts shows that beyond the local school district, Grief also successfully penetrated a number of Mexican government servers, corporate entities and local governments like St. Clair County, Illinois.

St. Clair County officials told the Belleville News-Democrat that the county disabled its website. The county's information technology director said the website was taken down due to a "system issue, and the cause of the issue hasn't been identified yet," the Belleville News-Democrat reported on Wednesday.

Superintendent Ray Banner said in a weekly update on May 27 that the district is facing technical issues.

"We are working with third-party cybersecurity specialists to safely and securely restore the impacted systems with full functionality as quickly as possible," he said in a YouTube video. "Protecting the privacy of our staff and students is our priority. We are investigating the root cause of the issue and will keep you informed."

Clover Park's spokesperson said school operations have not been affected. The district is in a hybrid learning model, alternating in-person instruction with online instruction. Some students are participating in full virtual learning.

"We appreciate the patience, discretion, and understanding of our staff, students and families as we quickly work to resolve these tech issues," Albrecht said.

Brett Callow is with software company Emsisoft, which provides malware protection. Callow told The News Tribune hackers can worm into an organization's network, steal data and then encrypt the system. The organization needs to pay the hackers to unlock the information.

"The problem is once the attackers gain access, they become the new admins. They can disable whatever security access is running," he said.

If the attack is considered a ransomware attack, Callow said, paying money is a "pinky promise" from criminals that the data will be destroyed and not released. Sometimes, hackers will copy the data and encrypt it.

"Unsurprisingly, there is evidence that multiple organizations have been extorted for a second time using the same set of data," Callow said.

Ransomware attacks affect private and public entities.

Callow said the attacks are getting bigger and having more impact.

Last month, the Colonial Pipeline that carries oil from Houston, Texas to Linden, New Jersey was hit by a ransomware cyber-attack. The pipeline carries 2.5 million barrels a day, or about 45 percent of the East Coast's supply of diesel, petrol and jet fuel, according to national news reports.

The White House said Tuesday that a ransomware attack on one of the country's largest meat producers, JBS, was orchestrated by a Russia-based criminal organization.

McClatchy's Kevin Hall and Ben Wieder contributed to this story.

©2021 The News Tribune (Tacoma, Wash.). Distributed by Tribune Content Agency, LLC.