Lumberton ISD cyberattacked, personal information stolen

Global hackers that took aim at a foreign government have also claimed responsibility for a data breach at Lumberton ISD, according to an email sent to an East Texas newspaper. Wanting to warn the local school district’s stakeholders about the compromised intel, staff from the out-of-town daily reached out to The Examiner with the news on June 26.

Rhysida, an international hacking group cited by Chilean cybersecurity firm CronUp as the perpetrators of a May 27 “security incident” that impacted the systems of the Chilean Army, is also the mastermind behind a stolen information cyberattack at Stephen F. Austin State University (SFASU) earlier in June, according to an email sent to The Daily Sentinel in Nacogdoches claiming responsibility for the attacks that were discovered on June 12 and 13. 

In the correspondence, Rhysida also claims they took information from Lumberton Independent School District.

Sentinel Managing Editor Josh Edwards contacted The Examiner about the email and the cyberattack on Lumberton ISD.

“These hackers are a very new organization and emerged in late-May,” Edwards advised. “They’re most famous for hacking, stealing and (selling) documents from the Chilean military.”

According to Edwards, shortly after the SFASU attack, the managing editor received an email from Rhysida that stated SFASU was lying by saying they “didn’t believe any data was compromised.”

“‘We downloaded about 1.2 terabytes of data from their (SFA) network, including SQL databases,’” Edwards quoted Rhysida from the email. “‘Here’s an attachment that proves to you that we stole data.’

“It’s basically a press release from an international gang.”

Edwards offered more details: “They said in the email they plan to auction off the data on their website, which is on the dark web that uses a special browser.”

Edwards said he replied to the email and asked Rhysida to send information regarding when the data from SFA would go up for auction. At about 8:17 p.m. on June 24, Edwards said, he received an email that he would be informed about the auction. Edwards was also informed of another data breach.

“The same day we attacked SFASU, we also attacked the Lumberton Independent School District,” the email continued. “They are withholding information about the attack. We downloaded 300 gigabytes of amazing personal documents and the proof is attached.”  

According to Edwards, the email from Rhysida contained attachments showing W-9 files, Social Security cards, Texas Driver licenses, passports, a substitute teacher’s application form, spread sheets that appear to contain Social Security numbers of students or employees, a vendor form with a Social Security number and tax identification number, and addresses from Lumberton ISD. 

Edwards said it was his intent to keep the confidential data confidential – except to share with the Lumberton ISD Information Technology (IT) Department, per the newspaper’s attorneys.

In short succession, The Examiner contacted Lumberton ISD Superintendent Dr. Tony Tipton to share information received concerning the cyberattack.

According to a press statement later released by LISD officials on June 26, Lumberton ISD discovered a cybersecurity incident that impacted some of their network operations as far back as June 13. Rhysida was thought to only have become active in May, but releases from targeted data dumps have not revealed when the data was culled from the rightful sources.

“We immediately launched an investigation and are working actively and diligently with the assistance of retained experts to remediate and restore operations as quickly as possible, as well as identify the nature and scope of information that may have been involved,” the district disseminated in response to Edwards sounding the alarm as to the breach at SFASU. “Please know that the privacy of students and employees is of the utmost importance to us, and we are committed to satisfying any resulting regulatory and legal obligations.”

LISD Superintendent Dr. Tony Tipton confirmed for The Examiner that he had indeed been in touch with Edwards, as well as district officials and those potentially affected by the data breach. 

“We have been on a conference call with all our folks involved in this situation,” Tipton said. “The information that Josh (Edwards) provided for us was extremely helpful. It was information we did not know. 

“I’m shocked on the way that it happened, that they would communicate with someone like that. It’s a very interesting, but disturbing, situation those folks put us in.”

The Rhysida ransomware gang has reportedly published 30% of all the data they claim to have stolen from the Chilean Army’s network, approximately 360,000 Chilean Army documents, and since, have added at least eight victims to its dark web data leak site, publishing all the stolen files for five of them.

Edwards agrees with security experts in that there doesn’t seem to be a pattern with how Rhysida chooses victims. And, although no one has pinpointed Rhysida’s point of origin in the world, as of yet, Edwards said that the spyware company reps have communicated in English without using a translator, mostly speaking in phrases he considered to sound Eastern European, “possibly Romanian.”

“Whether it has something to do with the specific networks they are targeting, or just scatter, shooting around to see what they can get into,” Edwards pondered, “this isn’t one of those type of attacks. As far as I can tell, where you’re looking out for weird email attachments, spoofed email addresses or whatever, they are attacking it directly through the website.”

The Texas Tribune reported June 20 that more than a week after SFASU was hit with a cyberattack, university leaders are still working to fully restore email and other online services.

University spokesperson Graham Garner confirmed the Federal Bureau of Investigation (FBI) is looking into the incident but did not provide any additional details. In a statement, a spokesperson for the FBI Dallas field office confirmed the investigation but declined to provide more information about the investigation.

While SFASU has restored access to the internet and it’s online teaching portal, students and faculty said the hack has caused serious disruptions, especially for students taking summer courses.

Rhysida and similar groups commonly uses ransomware – a type of virus that holds computer files hostage while hackers ask for a payment as a form of extortion – according to cybersecurity experts.

“We don’t know what their endgame was,” LISD’s Tipton said. “We learn all this information on how this stuff starts, and how they watch your media, watch your email, and do all these thing that look like they’re spying on you for what you know.”

If you are the victim of online or internet-enabled crime, file a report with the Internet Crime Complaint Center (IC3) as soon as possible. Crime reports are used for investigative and intelligence purposes. 

Rapid reporting can also help support the recovery of lost funds. Visit ic3.gov for more information, including tips and information about current crime trends.

If you or your organization is the victim of a network intrusion, data breach, or ransomware attack, contact the Houston FBI field office at (713) 693-500 or report it at tips.fbi.gov.