Teen Hacker Charged with Paralysing U.S. Schools in Embarrassingly Simple Cyberattack

Teen Hacker Charged with Paralysing U.S. Schools in Embarrassingly Simple Cyberattack
Photo: Dean Mouhtaropoulos, Getty Images

A Florida teenager allegedly used an embarrassingly simple program to launch a series of DDoS attacks that helped shut down one of the nation’s largest school districts for its first three days of virtual classes, the Miami Herald reported this week.

On Thursday, school administrators in Miami-Dade County announced that a 16-year-old student at South Miami Senior High School was one of the hackers behind technical difficulties that paralysed the district’s computer network and left students seeing error messages when trying to log on for the new school year. Law enforcement officials said they found evidence of more than a dozen DDoS attacks in total, and they are still investigating whether other parties were involved.

“The student admitted to orchestrating eight Distributed Denial-of-Service cyberattacks, designed to overwhelm district networks,” the district said in a statement. More than 345,000 students attend public schools in Miami-Dade County, making it the fourth-largest district in the U.S.

Even more embarrassing still, the student admitted that he broke the network using a decade-old, open-source tool that most bare-bones firewall software can catch, the Herald reported Saturday.

The application’s called LOIC, which stands for Low Orbit Ion Cannon. Developed by 4Chan-affiliated hackers, it basically did for DDoS attacks what Microsoft Word did for word processors by streamlining the process into an easy-to-download program that even an idiot can’t mess up. No hacking experience needed, just point, click, and boom! You’re on your way to committing a felony. LOIC makes it easy to coordinate thousands of anonymous users to overwhelm servers by submitting tons of garbage requests en masse. Barrett Lyon, the CEO of cybersecurity firm Netography, said in an interview with the Herald that it’s essentially the “modern-day equivalent” of pulling a school’s fire alarm.

In the past, the hacktivist group Anonymous used LOIC to launch Operation Payback, a series of DDoS attacks that took down sites belonging to PayPal, MasterCard, and a slew of other companies, government agencies, and politicians in retaliation for the shutdown of the Pirate Bay file-sharing site and censorship of Wikileaks. That was back in the early 2010s, though, and cybersecurity standards have changed a lot since then, leading many to question why the district’s online learning platform, My School Online, wasn’t able to withstand such an unsophisticated attack.

The incident’s brought K12, the for-profit education tech company behind My School Online, under intense scrutiny from both parents and authorities. That concern only worsened when it came to light this week that the district’s $US15 ($21) million contract with K12 hasn’t yet been fully executed, as it’s missing a signature of approval from district Superintendent Alberto Carvalho. A spokesperson for the district told the New York Times that the money hadn’t yet changed hands.

With the covid-19 pandemic pushing classrooms across the nation online, school districts are depending on cybersecurity safeguards more than ever before. Thankfully, Carvalho has said that hackers weren’t able to penetrate the district’s servers or access student data, per CBS Miami.

Local authorities, with assistance from the FBI, the Secret Service, and Florida Department of Law Enforcement, traced the cyberattacks on Miami-Dade schools to IP addresses in Russia, Ukraine, China, Iraq, and other countries, the Herald reports.

The student purportedly confessed to the attacks but did not name a motive when police visited him Thursday after tracing the IP address associated with one of the attacks to his home. Authorities said he’s been charged as a juvenile offender with computer use in an attempt to defraud, a felony offence, and interference with an educational institution, which is a misdemeanour. Comcast, the district’s internet provider, was also served a subpoena earlier this week. A court hearing is scheduled for October 8, and the FBI is assisting in the ongoing investigation.