Cyber Incident Victim: SchoolDesk

Date: Nov 2017

Location: United States of America

Summary

Pro-ISIS hackers compromised approximately 800 U.S. school and district websites hosted by SchoolDesk, defacing them with images of Saddam Hussein, Arabic religious text resembling ISIS propaganda, and an English-language message endorsing the terrorist group. The attackers injected a malicious file that redirected visitors to an iFramed YouTube page featuring an Arabic audio message and unknown writing. The web hosting company promptly took affected sites offline, initiated an investigation with a security firm, and advised password resets for administrators and staff. While school districts in multiple states experienced disruptions, internal systems and data remained unaffected as the breach was confined to the hosting provider's servers. A group calling itself Team System Dz claimed responsibility for the intrusion.

Description

On November 6, 2017, approximately 800 U.S. school and district websites hosted by Atlanta-based SchoolDesk were compromised in a coordinated cyberattack. The incident began around 4:00 AM EST when hackers injected a small file into the root directory of one SchoolDesk-hosted website, redirecting visitors to an iFramed YouTube page. This page displayed a black background featuring an image of former Iraqi leader Saddam Hussein alongside the Shahada—the Islamic creed stating "There is no god but Allah" and "Mohammed is the Messenger of God"—written in Arabic. Below this, the attackers placed an English-language message proclaiming "I love Islamic State," accompanied by a recruitment video containing audible Arabic narration and unidentified text. The pro-ISIS hacking group Team System Dz claimed responsibility for the defacement, having previously targeted government websites including Ohio Governor John Kasich's site earlier that year. SchoolDesk detected the compromise and immediately took all affected websites offline to contain the incident while initiating an investigation.

SchoolDesk's technical team identified the file injection as the attack vector and partnered with a cybersecurity firm to determine how the breach occurred and implement preventive measures. The company notified administrators of all impacted websites—which included school districts across Virginia, Connecticut, Louisiana, and New Jersey—to reset their passwords as a precaution. While the defacement disrupted public access to educational sites, internal school computer systems and data remained unaffected, as confirmed by the Bloomfield School District, whose website was offline from approximately 6:00 AM to 7:00 AM before restoration. SchoolDesk maintained that the compromise was limited to its server infrastructure located in Atlanta, Georgia, and Florida, with no evidence of deeper network penetration beyond the website redirects. The company's public statement emphasized containment through rapid takedown of compromised sites while continuing forensic analysis to identify security gaps exploited by the attackers.
