Cyber Incident Victim: Instituto De Educacion Secundaria Ies Emilio Canalejo Olmeda
Date:
Mar 2023
Location:
Spain
Summary
The Instituto De Educación Secundaria Ies Emilio Canalejo Olmeda was hit by the Stormous ransomware group. The pro-Russian threat actor leaked approximately half of the data it claimed to have stolen on its dark web site, including folders pertaining to quality procedures, course evaluations, and a self-protection plan. The group publicly gave the institution a deadline to make contact. The full extent of any compromised personal information was not confirmed.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around March 30, 2023, the pro-Russian cybercrime group known as Stormous claimed responsibility for a cyberattack on the Instituto De Educación Secundaria Ies Emilio Canalejo Olmeda (IESCO), a secondary education center located in the province of Córdoba, Spain. The incident marked a reappearance of the Stormous group, which had been out of the public eye for several months before resuming its activities in February of the same year. The group listed IESCO as a victim on its Telegram channel, using that platform to announce what it described as a successful compromise of the institution's systems. As part of its claim, Stormous asserted that it had exfiltrated data from the school and had already leaked approximately fifty percent of the stolen information on its dedicated dark web leak site.

The initial leak, made available at the time of the group's announcement, contained a variety of institutional documents. The data published included folders with titles such as "Quality procedures," "Quality fillable documents," and "Quality information," along with documents related to "2022-2023 course evaluations" and a "self-protection plan." The nature of these documents suggested the attackers had accessed internal administrative and operational files. DataBreaches.net, which verified the listing on the leak site, noted that it was unclear from the folder names alone whether the leaked documents contained any personal or sensitive information pertaining to the school's employees or its student body.
Concurrently with the data leak, Stormous applied extortion pressure by setting a deadline for the victim institution. The group's dark web leak site indicated that IESCO had been given twelve days from March 30 to make contact with the attackers. This tactic is commonly employed by ransomware and data-extortion groups to pressure victims into paying, typically under the threat of releasing the remaining stolen data if their demands are not met. The public claim and the partial data leak served both as proof of the attack and as leverage in these extortion efforts.
In the immediate aftermath of the public claim, no official notice or statement regarding the incident could be located on the official website of IESCO, and an email inquiry sent to the institution by DataBreaches.net on March 30 did not receive a reply. The silence could reflect a deliberate decision not to communicate publicly, or disruption to the school's normal operations and communication channels; the reporting does not establish which. Absent a response from the affected organization, the full scope of the incident, including confirmation of any data breach and its impact on students and staff, remained unverified.
The threat actor involved, the Stormous group, is described as a pro-Russian ransomware operation. Its return to activity in February, followed by this attack on an educational institution, suggests a targeting scope that includes the public sector and specifically educational entities. The attack on IESCO fits a broader pattern in which public services, including schools, are targeted by cybercriminal groups for financial gain or, as the group's stated political alignment suggests, for ideological reasons.
The specific impacts of the incident on the daily operations of IESCO were not detailed in the publicly available information. The nature of the leaked material, procedural documents and course evaluations, is consistent with access to internal file shares or servers holding administrative documents, although the initial access vector, the scope of the intrusion, and whether any systems were encrypted were not reported; the group's public claim concerned data theft and leakage. Whether personal information was exposed remained an open question based on the initial data sample, leaving students and staff without a clear picture of their exposure until a formal assessment could be completed by the school. Concerns over privacy and the security of personal data are a common consequence of such breaches for a school community, even when not explicitly covered in the immediate reporting.
The response actions taken by IESCO were not publicly documented at the time of the reporting. There was no visible evidence of containment measures, such as taking systems offline, nor any details of efforts to investigate the breach, assess the full extent of the data theft, or initiate recovery procedures. The lack of a public statement is consistent with an incident in its earliest stages of response, where internal investigation and notification of the relevant authorities are typically prioritized over public disclosure. The school's silence may also have been influenced by the ongoing extortion threat, since victims often refrain from public comment while in contact with attackers.
The broader context of the incident is the operating pattern of extortion-driven ransomware groups. Stormous's use of a Telegram channel for public claims and a dark web site for data leaks is the standard leak-site methodology employed by many such groups, and the deadline is a common pressure tactic. Leaking only half of the exfiltrated data creates urgency for the victim to comply while retaining further material to release if the deadline passes without payment. The actual amount of data stolen and the specific demands made to IESCO were not disclosed in the public claim.
This incident was reported alongside other significant cyberattacks in other regions covered in the same news article. These included the LockBit ransomware group leaking data from the Medellín government, which contained highly sensitive law enforcement and medical information, and an announcement by the Yucatán government in Mexico concerning a cyberattack that paralyzed several public services, including water bill payment and health department authorization systems. The IESCO incident is part of a wider global pattern of cyberattacks targeting public sector and educational institutions.
