BlackSuit Claims Hack on “Edgewood Schools” in Monroe County, Indiana – The Bloomingtonian


Screen grab of Blacksuit website on the Dark Web

Media Statement from Richland-Bean Blossom Community School Corporation

July 15, 2024

Recently, Richland-Bean Blossom Community School Corporation was alerted that an unauthorized third-party actor had claimed to have allegedly accessed our network without authorization and taken certain information housed on our network.

Upon discovery, we immediately initiated an internal investigation, collaborated with law enforcement, and engaged third-party forensic specialists to investigate this matter.

Based on our findings to date, we are confident that the claims by the third-party bad actor are false.

Although our investigation remains ongoing, currently, there is no evidence to indicate that our network was accessed without authorization, and our operations remain normal.

To that end, there is also no evidence to suggest the unauthorized access or exfiltration of RBB data.

Additionally, as a part of our investigation, we have deployed an aggressive Endpoint Detection and Response software, Sentinel One, to continuously monitor our environment and ensure our systems are secure.

To date, Sentinel One has not identified any previous or ongoing suspicious activity that would suggest unauthorized access or a compromise of our network.

Finally, a preliminary review of the data that the third-party actor claimed to have taken from our network appears to belong to another organization and does not appear to belong to RBB or any of RBB’s affiliates.

As our investigation remains ongoing, we are unable to provide additional information at this time. We will provide additional information and updates if our investigation identifies additional useful information.

The security of our students', employees', and partners' information is of the utmost importance.

Please note that we maintain robust security and protection measures and provide comprehensive training to our staff on technology safety protocols to ensure a secure environment.

FAQ

What happened?

On or around July 1, 2024, RBB became aware that an unauthorized actor allegedly accessed our information. Upon discovery, we immediately began working with our IT staff, third-party computer specialists, and law enforcement to conduct an investigation to determine how this incident occurred.

At this time, our investigation remains ongoing, and we are unable to provide additional details at this time. However, based on information to date, there is no evidence to indicate that our data was accessed, our systems were compromised, and our operations remain normal. Notably, our investigation has determined that the taken information does not belong to RBB or any of RBB’s affiliates.

What did RBB do after learning of this incident?

Upon learning of this incident, RBB moved quickly and is taking all necessary steps to address this incident. This includes working with our IT staff and third-party computer specialists to investigate this incident and securely restore full operability. We also notified law enforcement of this event and we are cooperating with their investigation. RBB took great care to ensure the investigation was undertaken completely and thoughtfully, which required time to gather the relevant data for analysis.

When did the incident occur?

On or around July 1, 2024, RBB became aware that an unauthorized actor allegedly accessed our information.

What systems were impacted / how many systems were impacted?

As our investigation into this matter is in its early stages and is ongoing, we are unable to provide further details at this time.

However, based on information to date, there is no evidence to indicate that our systems were compromised, and our operations remain as normal.

Has student/employee information been impacted by the incident?

As our investigation into this matter is ongoing, we are unable to provide additional details at this time.

However, based on information to date, there is no evidence to indicate that our information was impacted, or our systems were compromised. Notably, our investigation has determined that the taken information does not belong to RBB or any of RBB’s affiliates.

Was this a ransomware attack?

In order to protect the integrity of the investigation, we are unable to share additional details at this time.

However, based on information to date, there is no evidence to indicate that our systems were compromised by any form of cyber attack.

Did you pay a ransom?

No. There is no evidence to indicate that our systems were compromised by any form of cyber attack.

Who is responsible for this incident?

In order to protect the integrity of the investigation, we are unable to share additional details at this time.

However, this incident is believed to be the work of cyber criminals who targeted a different entity. There is no evidence to indicate that our systems were compromised by any form of cyber attack.

What are RBB’s IT security protocols?

For our own security, we are unable to comment on our specific IT security protocols.

Do you have adequate network security in place?

Appropriate security measures are in place at all locations. We are limited in what we can share based on the ongoing safety and security of our staff, students, and facilities.

Did you notify law enforcement?

RBB has reported this matter to federal law enforcement and is cooperating with its investigation.

What is RBB doing to address this? What is being done to ensure that this does not happen again?

Please be assured that we are taking all necessary steps to address this incident including working with our IT staff and third-party computer specialists to investigate this incident. We also notified law enforcement of this event and we are cooperating with their investigation.

However, based on information to date, there is no evidence to indicate that our data was accessed, our systems were compromised, and our operations remain normal.

Notably, our investigation determines that the taken information does not belong to RBB or any of RBB’s affiliates.

Staff report

Bloomington, Indiana — July 12, 2024

BlackSuit, the suspected Russian hacking group that recently shut down Monroe County government computer systems, has now claimed responsibility for hacking the Richland-Bean Blossom Community School Corporation (RBB) in Monroe County, Indiana. The group announced the breach of “Edgewood Schools” and shared the RBB phone number on the dark web, stating that they have stolen a significant amount of data from the school’s computer system.

The hacking group uses malware to infiltrate systems and then demands a ransom to prevent the release of the stolen information. If the targeted entity refuses to pay, the hackers threaten to make the information available for free on the dark web. This tactic is a form of blackmail that has become increasingly common in cyberattacks.

A white hat cybersecurity expert alerted the community about the attack, indicating that RBB did not pay the ransom. As a result, nearly 42 gigabytes of data purportedly from RBB are now being offered for free on the dark web. However, neither the Bloomingtonian nor the cybersecurity expert has accessed or downloaded the information due to ethical considerations and security precautions. The zip file likely contains malware that could compromise the computer of anyone who downloads it and may include sensitive information about students.

Attempts to contact school officials at the RBB administration building were unsuccessful, as calls went to voicemail. The cybersecurity expert who notified the Bloomingtonian has also reached out to the Indiana Department of Education, the Indiana Secretary of Education’s Office, and the US Cyber Emergency Response Team.

This incident follows a similar hack that recently disrupted computer systems for car dealerships across the United States. The precise affiliation of BlackSuit remains unclear, but there are concerns that they could be part of a Russian or Belarusian criminal organization or military, employing asymmetric warfare techniques against U.S. citizens and businesses. Russia, currently under U.S. sanctions because of the war against Ukraine, has been working with North Korea (famous for making part of the country’s GDP by waging cyber attacks), but has its own reputation for hacking, and even using cyber tech to interfere in elections. Russian President Vladimir Putin has made numerous threats against the United States for helping Ukraine.

https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/russia

Notably, according to https://www.sentinelone.com/anthology/blacksuit/, they do *exclude* targeting of the “Commonwealth of Independent States” (https://en.wikipedia.org/wiki/Commonwealth_of_Independent_States), which includes many of the former USSR states.


This post was originally published on the 3rd party site mentioned in the title of this site
