Los Angeles school system shifts timeline of ransomware attack

The Los Angeles Unified School District last week shifted the official timeline of last year’s ransomware attack, more than four months after it first went public with the incident.

The district is changing the scope of its high-profile data breach after an investigation showed the initial point of intrusion occurred more than a month earlier than previously reported.

The threat actor accessed and exfiltrated files on its servers between July 31 and Sept. 3, 2022, the district said in a data breach notice filed last week with the California Department of Justice.

The breach did not, as the district initially claimed, occur over Labor Day weekend. The new details indicate the ransomware group breached the district’s systems and remained undetected for a month.

“Breaches generally go undetected for so long simply because the victim organization is not well protected,” Michela Menting, research director at ABI Research, said via email.

Threat actors have to find one weak point, whereas victim organizations have to invest in cybersecurity professionals and tools, and develop a comprehensive plan for prevention, detection and response.

“All of these factors combine to make it especially difficult to respond in a timely and efficient manner to threats,” Menting said. “Organizations need money, time and resources for cybersecurity, something which public sectors lack even more than private.”

These challenges are particularly vexing in education where IT systems and infrastructure are designed to be open and available to faculty and students.

“Due to the open nature of the infrastructure, there is an increased risk,” Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant, said via email.

Without proper resources, organizations often don’t have full visibility into their infrastructure or vendor ecosystem and this makes it difficult to identify threats or compromises in a timely manner, Janssen-Anessi said.

Details emerge on high-profile ransomware attack

The cyberattack against the Los Angeles schools system, which Vice Society later claimed responsibility for, was the most high profile and damaging cyber incident in the education sector last year.

Vice Society stole roughly 500 gigabytes of data and posted about 250,000 files on the dark web, some containing Social Security numbers, contracts, W-9 tax forms, invoices and passports, according to data observed by threat researchers at Check Point.

District officials in Los Angeles said there was no response to the ransom demand.

It’s not uncommon for the timeline of a cyberattack to change upon further investigation, and the same is true for the extent of the compromise.

LAUSD said its investigation remains ongoing, but on Jan. 9 it identified labor compliance documents and certified payroll records involving contractors that worked on Facilities Services Division projects. The files contained names, addresses and Social Security numbers of contractor and subcontractor employees, the district said in the data breach notice.

“The initial timelines are often a rushed analysis based on partial data,” Andrew Hay, COO at Lares Consulting, an information security consultancy, said via email.

“Only after the incident analysis is complete can an accurate timeline be established. Hindsight, as they say, is 20/20,” Hay said.

Nailing down an accurate timeline is key but post-breach investigations are complex and many factors can delay the veracity of pertinent details.

“The longer a threat actor is able to sit on the infrastructure, the more havoc they can wreak,” Janssen-Anessi said.

“Timeliness is important subsequent to a breach, and optimally knowing as soon as possible should be the goal,” Janssen-Anessi said. “Unfortunately, more often than not, that is not the case. Cyberattacks are complicated, and threat actors are continuously honing their skills making each attack nuanced.”