Cyberattack Disrupts US Educational Institutions Amid Final Exams
A significant cyberattack impacted schools and universities across the United States on Thursday, coinciding with student final exams. The online learning platform, Canvas, which is widely used in educational settings, experienced substantial disruptions as students prepared for crucial assessments.
Instructure, the parent company of Canvas, announced that the platform was restored by Friday morning after a proactive response to unauthorized activity within its network. The company had temporarily taken Canvas offline in response to the incident. Importantly, the threat actor behind the incident is linked to a previously disclosed data breach affecting Instructure. According to the company’s assessment, compromised data included usernames, email addresses, student identification numbers, and platform communications. However, there were no indications that sensitive data such as passwords, dates of birth, government identifiers, or financial information were at risk.
The ransomware group ShinyHunters claimed responsibility for the breach, asserting on their dark web site that they had accessed data pertaining to 275 million individuals affiliated with 8,800 educational institutions. The timing of the breach created chaos, as students attempting to log in to Canvas encountered ransom demands instead of access to their exams. Reports indicate that Instructure had previously declined the group’s demands, leading to a recommendation for individual schools to negotiate independently.
In the wake of the attack, many institutions scrambled to mitigate the impact on their academic calendars. The University of Illinois opted to postpone all final exams and assignments scheduled for the upcoming weekend, while the University of Massachusetts Dartmouth adjusted timelines for their assessments. The University of California system also mandated that all campuses redirect their efforts, highlighting the widespread ramifications of the cyber incident.
This attack on Canvas underscores a broader trend of vulnerability among online education platforms. In a related instance last year, PowerSchool, another prominent provider of cloud-based educational software, revealed a data breach that exposed years’ worth of personal information, further emphasizing the sector’s cyber risk exposure.
ShinyHunters has established itself as a persistent threat actor over the years. Its previous exploits include significant data breaches affecting major companies, such as the successful breach of the cloud provider Snowflake, which resulted in a cascade of security incidents affecting its clients, including large organizations.
From a cybersecurity perspective, this incident can be mapped to several tactics outlined in the MITRE ATT&CK framework. Initial access might have been achieved through methods such as phishing or exploiting vulnerabilities in remote desktop protocols. Persistence could have been maintained through backdoors, while privilege escalation would have allowed the attackers to navigate deeper into the network and exfiltrate sensitive information.
As educational institutions increasingly depend on technology for critical operations, incidents like the one affecting Canvas serve as sobering reminders of the evolving threat landscape. Stakeholders must remain vigilant and proactive in implementing robust cybersecurity measures to protect sensitive data and ensure operational continuity.