A cybercriminal syndicate calling itself Vice Society has claimed credit for the ransomware attack on schools in Los Angeles and says it captured sensitive data, according to published reports on two technology news sites and tweets from a senior technology reporter for The Bharat Express News.
Alberto Carvalho, the district's superintendent, declined to name the hackers, but said Friday that their identities were known to police before the attack. He said the hackers contacted LA Unified without making a specific dollar demand and later offered to negotiate with the district about restoring its systems and data. He did not elaborate.
The scope of the breach is far-reaching and still being assessed, and the hackers had likely been probing the school system for weeks, Carvalho said. They probably chose the four-day Labor Day weekend for the attack, he said, because operations are watched less closely at such times.
The hackers reached the student information system but did not have time to disable it. Whether they collected any data from it is not yet known, Carvalho said.
“We don’t have an answer to that,” Carvalho said Friday during a press conference at a school in Cypress Park. “That really still falls within the domain of active research.”
A federal warning issued this week pointed to Vice Society actors as major culprits in recent attacks on educational institutions, without confirming who targeted the Los Angeles Unified School District. The agencies that sent the alert are directly involved in the investigation.
Federal law enforcement agencies, including the FBI and Cybersecurity and Infrastructure Security Agency, declined to comment on the Vice Society’s alleged role on Friday.
An emailed response to The Bharat Express News reporter Frank Bajak from someone who claimed to be a member of the group took responsibility and also said, “We’re not a political organization, so everything is just for money and fun =).”
The statements came in response to a question Bajak posed through the hackers' dark web site, using an email address that federal authorities have identified as belonging to the syndicate.
“I’m pretty sure I corresponded with a Vice Society representative,” Bajak said in an email exchange with The Times. “I did not ask to see evidence of the data theft. The rep said that would come.”
In their response, the hackers claimed that they had obtained confidential data. Another tech news site, BleepingComputer, reported that the claims had also been made to them.
School district officials have said they do not know how much student information, such as test scores, grades, class schedules, disciplinary records and disability reports, was stolen, but acknowledged that the hackers infiltrated the district's online student management system.
New details came out Friday.
Before systems were shut down, the hackers managed to change large numbers of passwords, prompting officials to require all students, parents and employees to change their passwords this week, Carvalho said.
Damage to some servers then delayed the recovery more than expected. At the start of the week Carvalho had said campuses could open with minor disruptions on Tuesday after the Labor Day holiday. On Friday, he acknowledged that the week had been a difficult one for students, faculty and other staff who struggled to reach learning materials, district records and the online tools they need to work. He said he hoped most normal operations would be restored by the end of the day.
The week was particularly difficult for students in the district's virtual academies, who learn online. Significant ongoing problems were also reported by counselors and by staff who help students with disabilities, among others.
The hackers also infiltrated the servers of the bus system, and officials are trying to determine whether there is significant damage there. The attackers managed to encrypt the system used to bid on and manage construction projects. There is not a lot of confidential data there, Carvalho said, but "I don't want to minimize the impact in any way. I mean, it's a significant, a significant impact."
He also addressed a late 2020 internal audit that found LA Unified was vulnerable to cyberattacks.
“My first assignment, which is underway at the moment, is basically: understand that report and ask the hard questions of why some, if not the majority, [of] these measures… not followed,” he said.
Carvalho stressed that the outcome could have been worse.
When the break-in was discovered at 10:30 p.m. Saturday, the LA school district quickly shut down all of its computer systems as a countermeasure. That response may have prevented the hackers from completely locking LA Unified out of its own systems. Had that element of the attack succeeded, recovery could have taken months and cost tens of millions of dollars, in repairs, ransom or both, experts said.
But that’s only part of a ransomware attack.
"Ransomware groups typically snoop through networks and steal sensitive data before launching their file-encrypting malware," wrote Jeremy Kirk, security and technology executive editor for Information Security Media Group, in an article for Data Breach Today. "That way, if they don't pay for a decryption key, victims could be threatened with releasing those files."
Kirk was one of the journalists to whom Vice Society took credit for the LAUSD cyber attack.
Vice Society uses a dark web site to post confidential information when the private and public entities it has hacked refuse to pay, experts told The Times. That information can then be used by other malicious parties for identity theft and other illegal purposes.
The federal warning urged school systems to beware of "Vice Society actors" in light of activity "identified by FBI investigations in September 2022…disproportionately attacking the education sector with ransomware attacks."
"Vice Society is an intrusion, exfiltration and extortion hacking group that first appeared in the summer of 2021," the warning from the FBI and other agencies said. Rather than relying on a ransomware strain of its own, the group has deployed variants developed by others, with fanciful names such as HelloKitty/Five Hands and Zeppelin.
The group gains entry by exploiting vulnerabilities and by using stolen credentials.
“Vice Society actors have encrypted data on target systems or on large numbers of systems on a network to disrupt the availability of system and network resources,” the warning reads. “Vice Society actors run a script to change victim email account passwords.”
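The advisory's last point, and the district's own account that the attackers changed large numbers of passwords before systems were shut down, describe behaviour a defender can look for: one account resetting the passwords of many other accounts in a short window. The following is an added example, not code from the article, the district or any agency, and the log format, account names, five-minute window and threshold of five distinct targets are all hypothetical assumptions chosen for illustration; it reads a constructed directory-style audit log and flags any actor whose resets cross the threshold.

```python
"""Flag accounts that reset many other accounts' passwords in a short window.

Added example; not code from the article or any advisory. The log format,
account names, window size and threshold are hypothetical assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, Iterator, Tuple

# Constructed sample audit log (hypothetical format):
#   <ISO-8601 UTC timestamp> <event> actor=<account> target=<account>
# helpdesk3 performs two routine resets 43 minutes apart; svc_backup, a
# service account that should never reset passwords, resets six distinct
# accounts (seven events, one repeated) within a few seconds.
SAMPLE_LOG = """\
2022-09-03T21:58:01Z PASSWORD_RESET actor=helpdesk3 target=j.doe
2022-09-03T22:03:44Z LOGON_SUCCESS actor=svc_backup target=dc01
2022-09-03T22:05:12Z PASSWORD_RESET actor=svc_backup target=s.lee
2022-09-03T22:05:13Z PASSWORD_RESET actor=svc_backup target=m.park
2022-09-03T22:05:13Z PASSWORD_RESET actor=svc_backup target=a.ruiz
2022-09-03T22:05:14Z PASSWORD_RESET actor=svc_backup target=t.nguyen
2022-09-03T22:05:14Z PASSWORD_RESET actor=svc_backup target=s.lee
2022-09-03T22:05:15Z PASSWORD_RESET actor=svc_backup target=k.ito
2022-09-03T22:05:16Z PASSWORD_RESET actor=svc_backup target=r.chen
2022-09-03T22:41:09Z PASSWORD_RESET actor=helpdesk3 target=p.wall
"""

LINE_RE = re.compile(r"^(\S+) (\S+) actor=(\S+) target=(\S+)$")

Event = Tuple[datetime, str, str]  # (timestamp, actor, target)


def parse_resets(lines: Iterable[str]) -> Iterator[Event]:
    """Yield (timestamp, actor, target) for PASSWORD_RESET lines only.

    Lines that do not match the expected layout are skipped rather than
    raising, so one malformed record cannot silence the whole detection.
    """
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) != "PASSWORD_RESET":
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(3), m.group(4)


def find_burst_actors(
    lines: Iterable[str],
    window: timedelta = timedelta(minutes=5),
    threshold: int = 5,
) -> Dict[str, Tuple[int, datetime]]:
    """Return {actor: (peak_distinct_targets, first_crossing_time)}.

    A sliding window per actor holds the resets of the last `window`; an
    actor is flagged once the number of *distinct* target accounts in the
    window reaches `threshold`. Counting distinct targets keeps a retried
    reset of one account from inflating the count.
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    flagged: Dict[str, Tuple[int, datetime]] = {}
    for ts, actor, target in sorted(parse_resets(lines)):
        q = recent[actor]
        q.append((ts, target))
        while q and ts - q[0][0] > window:  # drop resets older than the window
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct >= threshold:
            peak, first = flagged.get(actor, (0, ts))
            flagged[actor] = (max(peak, distinct), first)
    return flagged


if __name__ == "__main__":
    for actor, (peak, first) in find_burst_actors(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {actor}: {peak} distinct accounts reset, threshold first crossed at {first:%Y-%m-%d %H:%M:%S}Z")
```

On the constructed log this flags only svc_backup, with a peak of six distinct targets and the threshold first crossed at 22:05:15Z; helpdesk3's two resets fall outside any single five-minute window and are ignored. In a real deployment the threshold would be tuned per role (a help desk legitimately resets many accounts on a Monday morning), and an allowlist of sanctioned bulk-reset tooling would be needed so that the district's own forced-reset campaign does not trip the rule.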
The theft of data, together with the threat of publishing it, gives the attackers a second lever for extracting a ransom.
“Vice Society actors are known for double extortion,” the warning reads.
Kirk, who is based in Australia, noted that he received an “Early Friday Sydney time” email response in which a Vice Society representative took credit for the attack.
Kirk said in an interview that he communicated with the group via email; Vice Society maintains a website with contact details. He said he is very confident that he reached the group, but whether it lied to him about carrying out the attack is impossible for him to determine.
The Bharat Express News reporter Bajak had a similar encounter.
"The gang Vice Society claimed responsibility in an email to me after initially objecting," Bajak tweeted Thursday night.
Bajak added: “The Vice Society email writer said the syndicate stole data…Wouldn’t say what or how much.”
The release of the federal warning this week looks like more than a coincidence to Brett Callow, a threat analyst for the cybersecurity firm Emsisoft.
"Given the timing of the joint advisory and the Vice Society's long track record of attacks on the education sector, it seems likely that they are indeed behind it," he said.
Experts said Vice Society actors typically operate from abroad, in countries such as Russia that have no history of arresting or extraditing cybercriminals who target other countries. Carvalho previously said there are indications that the hack originated abroad.