Criminal syndicate claims credit for LAUSD hack; authorities won't say whether it's true

Los Angeles Unified School District Supt. Alberto M. Carvalho, left, Los Angeles Mayor Eric Garcetti, middle, and Los Angeles Police Department Chief Michel Moore, right, walk into a news conference at Edward R. Roybal Learning Center on Tuesday, Sept. 6, 2022, to discuss a cyberattack on the school system. (Francine Orr / Los Angeles Times)

A cybercriminal syndicate that calls itself Vice Society has taken credit for the ransomware attack on Los Angeles schools and says it has captured sensitive data, according to published reports on two technology news sites and in tweets from an Associated Press senior technology reporter.

Supt. Alberto Carvalho declined to name the hackers, but said Friday that their identity was already well-known to law enforcement before the attack. He said the hackers had contacted L.A. Unified without making a specific dollar demand — and then later extended their deadline to negotiate with the district over restoring its systems and data. He did not elaborate further.

The extent of the breach is far-reaching and still being assessed, and the hackers had likely been probing the school system for weeks, Carvalho said. They probably targeted the four-day Labor Day weekend for their attack, he said, as a time when there's less watchfulness over operations.

Hackers reached but did not have time to disable the student information system. It is not known yet whether they took data, Carvalho said.

"We don't have an answer for that," Carvalho said Friday during a news conference at a school in Cypress Park. "That is truly still within the realm of active investigation."

Federal authorities in a warning this week singled out Vice Society actors as major culprits in recent attacks on education institutions without confirming who targeted the Los Angeles Unified School District. The agencies that sent the alert are directly involved in the investigation.

Federal law enforcement authorities, including the FBI and Cybersecurity and Infrastructure Security Agency, would not comment Friday on the alleged role of Vice Society.

An emailed response to Associated Press reporter Frank Bajak from someone claiming to be a member of the group took responsibility and also said, "We are not political organization, so everything is just for money and pleasure =)."

The statements were made in response to a query Bajak made via the hackers' dark website using an email that federal authorities have listed as belonging to the syndicate.

"I am reasonably confident I was corresponding with a representative of Vice Society," Bajak said in an email exchange with The Times. "I did not ask to see evidence of the data theft. The representative said that would be forthcoming."

In their response, the hackers claimed they have obtained confidential data. Another tech news site, BleepingComputer, reported that the claims also had been made to them.

School district officials have said they do not know how much, if any, student information — test scores, grades, class schedules, disciplinary records, reports about disabilities — was stolen, but acknowledged that hackers infiltrated the district’s online student management system.

New details emerged Friday.

Before systems were blocked, the hackers managed to change large numbers of passwords, which is what prompted officials to make all students, parents and employees change passwords this week, Carvalho said.

Then, damage found in some servers slowed the recovery process more than had been expected. Early in the week, Carvalho said that campuses had been able to open on Tuesday after the Labor Day holiday with minor disruptions. On Friday, Carvalho acknowledged that the week had been difficult for students, teachers and other staff who had trouble accessing learning materials, district records and online tools they need to work. He said he was hopeful that most normal operations would be restored by the end of the day.

The week was particularly hard for students in virtual academies, who are learning online. Major ongoing problems also were reported by counselors and those who serve students with disabilities, among others.

Moreover, the hackers infiltrated the bus system servers and officials are trying to determine if there's significant damage there. The attackers managed to encrypt the system used for bidding and managing construction projects. There's not much confidential data there, Carvalho said, but "I don't want in any way to minimize the impact. I mean, it's a significant, a significant impact."

He also talked about an internal audit from late 2020 that said L.A. Unified was vulnerable to cyberattack.

"My first order of business, which is happening as we speak, is actually: Understand that report and ask the tough questions about why were a number, if not the majority, [of] these measures... not acted upon," he said.

Carvalho emphasized that the outcome could have been worse.

When the intrusion was discovered Saturday at 10:30 p.m., the L.A. school district, in a countermove, quickly shut down all computer systems. That response may have prevented hackers from entirely locking L.A. Unified out of its own computer systems. Had that element of the attack succeeded, recovery could have taken months and cost tens of millions of dollars, either in repairs or ransom or both, experts said.

But that's just part of a ransomware attack.

"Ransomware groups usually rummage through networks and steal sensitive data before launching their file-encrypting malware," wrote Jeremy Kirk, executive editor for security and technology for Information Security Media Group, in an article for Data Breach Today. "That way, if victims don’t pay for a decryption key, they can be threatened with the release of those files."

Kirk was one of the journalists to whom Vice Society claimed credit for the LAUSD cyberattack.

Vice Society uses a site on the dark web to post confidential information when hacked private and public entities refuse to pay up, experts told The Times. This information can then be used by other bad actors for identity theft and other illegal purposes.

The federal alert warned school systems to beware of "Vice Society actors" in light of activities "identified through FBI investigations as recently as September 2022... disproportionately targeting the education sector with ransomware attacks."

"Vice Society is an intrusion, exfiltration, and extortion hacking group that first appeared in summer 2021," the warning, from the FBI and other agencies, stated. The hackers have used software developed by others with quixotic names — Hello Kitty/Five Hands and Zeppelin — that mask their malicious purpose.

The group enters a system by exploiting vulnerabilities and illegally obtained login credentials.

"Vice Society actors have encrypted data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources," the warning advised. "Vice Society actors run a script to change passwords of victims’ email accounts."
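The mass password changes described above, both the district's account of large numbers of passwords being altered before systems were shut down and the advisory's note that the actors run a script to change passwords, leave a recognizable trace in directory or mail-system audit logs: one account resetting many other accounts' passwords in a short window. The following is an added example written for this page, not code from the Los Angeles Times, the district or any agency. The log line format, the field names, the actor names and the ten-minute/five-change threshold are all assumptions chosen for illustration; the sample lines are constructed.

```python
"""Detect bursts of password changes performed by one account.

Added example for this article; the audit-log format below (ISO-8601 time,
actor, action, target) and the threshold are assumptions, and the sample
lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines. svc-backup resets six accounts in a few
# seconds; helpdesk1 performs two ordinary resets 25 minutes apart.
SAMPLE_LOG = """\
2022-09-03T22:01:05Z svc-backup password_changed user=jdoe
2022-09-03T22:01:06Z svc-backup password_changed user=asmith
2022-09-03T22:01:06Z svc-backup password_changed user=bkhan
2022-09-03T22:01:07Z svc-backup password_changed user=clee
2022-09-03T22:01:08Z svc-backup password_changed user=dgarcia
2022-09-03T22:01:09Z svc-backup password_changed user=eperez
2022-09-03T22:05:00Z helpdesk1 password_changed user=fwong
2022-09-03T22:30:00Z helpdesk1 password_changed user=gtan
2022-09-03T22:31:00Z jdoe login_failed user=jdoe
"""


def parse_line(line):
    """Split one audit line into (timestamp, actor, action, target account)."""
    ts, actor, action, target = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, actor, action, target.split("=", 1)[1]


def find_password_change_bursts(log_text, window=timedelta(minutes=10), threshold=5):
    """Return one alert per actor who changed >= threshold passwords within window.

    A per-actor sliding window (deque) holds the timestamps of recent
    password_changed events; events older than the window are dropped as
    new ones arrive. The first time an actor's window fills to the
    threshold an alert is emitted listing the affected accounts.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, actor, action, target = parse_line(line)
        if action != "password_changed":
            continue
        events = recent[actor]
        events.append((when, target))
        # Evict events that fell out of the sliding window.
        while events and when - events[0][0] > window:
            events.popleft()
        if len(events) >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append({
                "actor": actor,
                "count": len(events),
                "first": events[0][0].isoformat(),
                "last": when.isoformat(),
                "targets": [t for _, t in events],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_password_change_bursts(SAMPLE_LOG):
        print(f"{alert['actor']} reset {alert['count']} accounts between "
              f"{alert['first']} and {alert['last']}: {', '.join(alert['targets'])}")
```

Run as-is, the script flags only svc-backup; the two helpdesk resets are too far apart to fill the window. In practice the threshold is tuned against a baseline of legitimate help-desk and self-service activity, and the alert is most useful when it pages someone outside business hours, since the district's intrusion was found late on a Saturday night of a holiday weekend.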

The theft of data, and the threat to release it publicly, provides a second opportunity for ransom.

"Vice Society actors are known for double extortion," the alert stated.

Kirk, who is based in Australia, noted that he received an email response "early Friday Sydney time," in which a representative of Vice Society claimed credit for the attack.

Kirk said in an interview he communicated with the group via email. Vice Society maintains a website, with contact information. He said he has high confidence that he reached the group; whether it lied to him about carrying out the attack, he said, is impossible for him to determine.

Associated Press reporter Bajak had a similar encounter.

"The gang Vice Society claimed responsibility in an email to me after initially demurring," Bajak tweeted Thursday night.

Bajak added: "The Vice Society email writer said the syndicate is holding data stolen... Wouldn't say what or how much."

The posting this week of the federal alert seems more than a coincidence to Brett Callow, threat analyst for cybersecurity firm Emsisoft.

“Given the timing of joint advisory and Vice Society’s long track record of attacks on the education sector, it seems likely that they are indeed behind it,” he said.

Experts said Vice Society actors typically operate in foreign countries, such as Russia, that don't have a history of arresting or extraditing cybercriminals who target other nations. Carvalho said earlier that there are indications the hack could have originated abroad.

This story originally appeared in Los Angeles Times.