South Florida

Investigation into cyber attacks against Florida school tests comes up empty

Students at Carver Middle School prepare for the Florida Comprehensive Assessment Tests, which were replaced by the new Florida Standards Assessment last year. The FSAs came under cyber attack when they debuted in Spring 2015.
Students at Carver Middle School prepare for the Florida Comprehensive Assessment Tests, which were replaced by the new Florida Standards Assessment last year. The FSAs came under cyber attack when they debuted in Spring 2015. For the Miami Herald

The Florida Department of Law Enforcement has closed its investigation into cyber attacks against standardized school tests this spring, but the mystery will linger over who launched the attacks and why.

Despite help from the FBI, investigators announced Wednesday that the case was closed “due to the lack of investigative leads and the inability to identify a suspect(s).”

With more than 29,000 different Internet addresses used in the attacks, police faced a mountain of computer evidence in trying to track down the hackers. Other than a suspicious letter sent to the state’s testing vendor, American Institutes for Research, investigators had little else to go on.

“To be honest, we wouldn’t spend a lot of time investigating this, typically,” said Special Agent Eric Daniel, who supervised the agents in charge of the investigation. “The juice isn’t worth the squeeze, so to speak, because the likelihood of finding out who is actually launching the attacks is pretty slim.”

29,000 Internet addresses were used in the attack

Investigators did not release the suspicious letter Wednesday, but a summary of the investigation notes it discussed “cyber attacks or incidents that had occurred in the past.” Still, police were unable to confirm it was linked to the attacks in Florida. Daniel said the letter “just didn’t make sense.”

“Very poor English. It kind of rambled. It wasn’t a straight-up letter accepting responsibility or anything,” he said.

The investigation did confirm what Florida Department of Education officials have been stressing for months: that no student data or test items were compromised in the attack.

A close-out report of the investigation outlines some of the steps taken in the hectic days of the cyber attacks to fend off the hackers. AIR directed the company that runs its servers to block all foreign traffic, beef up firewall protections and analyze traffic patterns to block suspicious online traffic.

A month after the measures were put in place, AIR’s servers successfully thwarted another attempted attack, according to investigators.

“I am pleased that the additional safeguards were effective, and we will continue working with AIR to ensure they have all of the necessary protections to provide for a smooth testing experience this year,” Education Commissioner Pam Stewart said in a statement released Wednesday.

Students trying to take the Florida Standards Assessments for the first time in March faced blank, white screens when logging on to the test. It was soon announced that the state’s testing contractor had come under what’s known as a distributed denial of service attack, though an update to computer servers also led to other problems while students were trying to take the tests.

Miami-Dade County Public Schools Superintendent Alberto Carvalho said the district was also targeted by the same type of attack, but their security systems kept it at bay.

“Before we go into testing, we make sure all of our equipment is updated with the most recent releases, so if there are any new types of atttacks that can be detected or fought off, we make sure that we’re all up to date on that,” said Miami-Dade’s Chief Information Officer Debbie Kartcher.

In a DDoS attack, a web service is swamped with more traffic than servers can handle, effectively shutting it down. The attacks that hobbled the FSAs came from both inside and outside the United States, according to investigators.

The nature of a DDoS attack makes it difficult to pinpoint who’s responsible. The attackers can use thousands of virus-infected computers without the computer owner even knowing.

“So even if you were able to find a computer, it would lead to an innocent third party who doesn’t know what you’re talking about,” Daniel said.

In his 15 years investigating cyber crimes, Daniel said he’s only been able to crack one case: A 16-year old boy hacked a Tallahassee Internet service provider. The boy was caught only because he bragged about it online, Daniel said.

Christina Veiga: 305-376-2029, @cveiga

  Comments