Date: Nov 2022

Location: United States of America

Summary

A ransomware attack disrupted operations at Hillsdale County Intermediate School District and neighboring Jackson County schools, forcing a three-day closure affecting all public schools. Systems were proactively taken offline after detection to contain the damage, with essential services restored after coordinated efforts involving cybersecurity experts and law enforcement, though limited technology access persisted upon reopening. The FBI and Michigan Cyber Command Center investigated the incident, which aligned with broader targeting of under-resourced school districts by threat actors like Vice Society—known for exploiting credentials or vulnerable applications to exfiltrate data before deploying ransomware. The attack caused significant operational and financial strain, reflecting systemic vulnerabilities in educational institutions facing such threats.

Description

A ransomware attack targeting public schools in Jackson and Hillsdale counties, Michigan, was detected over the weekend of November 12-13, 2022, prompting proactive system shutdowns to contain the damage. Jackson County Intermediate School District Superintendent Kevin Oxley confirmed the incident forced a three-day closure of all schools starting Monday, November 14, with students and staff instructed to avoid using district-issued devices. The attack crippled operational systems, preventing normal school functions. Cybersecurity experts, technology personnel, and law enforcement agencies including the FBI and Michigan Cyber Command Center worked continuously to restore services. By Wednesday, November 16, essential systems were partially recovered, enabling schools to reopen on November 17 with limited technology access. Superintendent Oxley acknowledged ongoing restoration efforts for non-critical systems while emphasizing the nationwide targeting of under-resourced school districts by ransomware actors. No ransomware group claimed responsibility for the attack during the initial response period.

The incident disrupted educational operations for thousands of students across both counties, with full technological capabilities remaining unavailable upon reopening. Investigators did not publicly identify initial access vectors or specific compromised systems, though cybersecurity professionals noted the involvement of multiple agencies in forensic analysis. AttackIQ CTO Stephan Chenette contextualized the attack within broader patterns of education sector targeting, citing Vice Society’s documented activities against U.S. school systems using credential compromise and application exploits to exfiltrate data before ransomware deployment. Financial and operational repercussions for the districts were anticipated due to recovery costs and potential data loss, though specific monetary impacts were not quantified in initial reports. The districts prioritized restoring educational operations while maintaining limited technology access as investigators continued system remediation and threat analysis.
