Cyber Threat Actor: Two unidentified students
| Actor Type | Location | Known Incidents |
Criminal
|
United States of America
|
3 incidents |
|---|
Profile
The threat actor is referenced in open sources as two unidentified students or simply as a student, with all known activity located within the United States. The actor’s targeting has been limited to the education sector, specifically public school districts in Missouri, Michigan and Minnesota. Observed objectives include altering academic records to improve grades, attempting to obtain fraudulent lunch refunds, and exfiltrating personal data such as names, Social Security numbers and addresses. In the Bloomfield Hills High School case the actors changed grades and attendance records while trying to refund lunch purchases, indicating a financially motivated component. In the South Washington County incident the actor downloaded a large dataset of personal information encompassing more than fifteen thousand individuals, though forensic analysis and a sworn statement confirmed that the data was not shared, copied or misused. No evidence has been presented linking the actor to espionage, disruption or any broader ideological goal, and the actors have not claimed responsibility for any activity beyond the school‑environment intrusions.
The actor’s tactics consistently involve exploiting known vulnerabilities in school‑managed information systems to gain initial access, without any mention of malware, custom tooling or persistent footholds. At Bloomfield Hills the actors used a vulnerability in the MISTAR Student Information System portal to modify records and attempt lunch refunds, while at South Washington County they leveraged a server weakness to copy data onto an external drive that was later examined by investigators. The Fort Zumwalt breach similarly involved a student gaining unauthorized access to a district server, after which the individual voluntarily reported the intrusion to school officials, prompting an internal investigation. No public reports associate the actor with a state sponsor, criminal consortium or any organized hacking group; the individuals are described solely as students acting independently within their respective school environments. Representative operations include the 2018 Bloomfield Hills grade‑and‑lunch‑refund hack, the 2017 South Washington County personal‑data exfiltration affecting over fifteen thousand records, and the 2020 Fort Zumwalt server intrusion that was self‑reported and led to a district‑wide security review. These incidents illustrate a pattern of low‑complexity, opportunity‑driven intrusions focused on school systems for personal gain or academic advantage, with no indication of sustained campaigns or external direction.
