The Tucson Unified School District, the largest school district in Pima County, has more than 7,000 employees and more than 42,000 students.

Tucson Unified School District officials continued investigating Tuesday but refused to disclose information about a “cybersecurity incident” that caused an outage of the district’s internet and network services Monday morning.

But Margaret Chaney, president of the Tucson Education Association, said teachers were notified Monday evening that internet and network access would likely not be restored on Tuesday.

She said she believes some of the employee information stored in the district’s network includes phone numbers, addresses, Social Security numbers, and certification and disciplinary records. She added that more sensitive material, like student medical records, is likely stored on different servers.

“I’m not so concerned about that because I know that the district is well aware of the issues that are ongoing with that ... and they’re doing whatever they can to keep that safe, I’m sure,” Chaney said.

TUSD administrators declined to respond to questions about the nature of the incident and whether student or employee data was breached. The district also declined to answer a question about the kind of data stored in its network services.

District leaders sent parents an email Monday evening stating classes would continue on regular schedules Tuesday, but administrators would not confirm whether the services were still down on Tuesday.

“At this time there are no new updates,” Superintendent Gabriel Trujillo told the Arizona Daily Star in an emailed statement Tuesday. “For the moment under the direction of legal counsel, we are unable to comment further.”

“We hope to have a more detailed update for the public and the media, inclusive of the information your questions seek, very soon,” Trujillo said in his emailed statement.

The Tucson Police Department confirmed it was assisting in the investigation but referred all questions to TUSD.

Lower student attendance

Chaney said the lack of internet and network access resulted in lower student attendance at some sites and led some teachers to adjust their Tuesday lesson plans to manage without certain resources and programs.

“Unfortunately, I do believe that a lot of the resources are now all online and so that creates some barriers here and there, I think, for certain subjects,” she said, noting that substitute teachers would likely have a more difficult time delivering lesson plans without the access to the online resources that teachers leave for them.

But, she said, teachers are resourceful and creative, and would be able to adjust their classroom activities as the district works on resolving the issue.

Royal ransomware image, demand

On Monday, some TUSD students were circulating a photo on social media of a message that schools throughout the district allegedly received through school printers. The message in the photo stated the district’s systems “were hit by Royal ransomware.”

Royal, according to the Australian Cyber Security Centre (ACSC), is a “ransomware variant that is being used by cybercriminals to conduct ransomware attacks against multiple sectors and organizations worldwide.”

Once the attackers hack into the victim’s network, ACSC states, they encrypt the victim’s data, lock the network in an unusable format, and demand a ransom to return access to the sensitive files.

ACSC says Royal ransomware was first detected in September 2022 and is likely associated with Russian-speaking criminals. It adds that Royal has targeted critical Australian infrastructures, including an educational institution in 2022.

Royal, according to ACSC, communicates with its victims by sending a ransom note to printers in the victim’s network and storing a file in place of all files that have been encrypted in that network. This note then informs the victims how to communicate with Royal to deliver ransom.

The message in the photo circulating on social media after the TUSD incident stated network data had been encrypted and copied and could be published online for anyone to see.

To prevent that from happening, the note states, the victim can pay a “modest royalty” to have Royal decrypt the files, restore the data and keep the information confidential.

The Justice Department says it has dismantled an international ransomware network that "targeted more than 1500 victims around the world since June of 2021."

"Last summer, FBI agents from the Tampa division, with the support of prosecutors in the Criminal Division's Computer Crime and Intellectual Property section and the Middle District of Florida infiltrated the Hive network and began disrupting Hive's attempts to extort victims," said Attorney General Merrick Garland. "Our continued investigative efforts led us to two back end computer service, servers located in Los Angeles that were used by Hive to store the network's critical information. Last night, pursuant to a court order, we seized those servers."

The Hive Ransomware Group used a double extortion model to hold digital systems hostage and demand ransom.

"First, they infiltrated a victim's system and stole sensitive data. Next, the affiliates deployed malicious software, encrypting the victim's system, rendering it unusable," said Garland. "Finally, they demanded a ransom payment in exchange for a system decryption key and a promise not to publish any stolen data."

But investigators over seven months were able to offer over 1300 victims around the world keys to decrypt their infected networks, preventing at least $130 million in ransom payments and cutting off Hive's operations.



Have any questions or news tips about K-12 education in Southern Arizona? Contact reporter Genesis Lara at glara@tucson.com