Cyber Incident Victim: Miami-Dade County Public Schools
Date: Nov 2016
Location: United States of America
Summary
A Moroccan hacking group known as MoRo targeted multiple Florida school districts, including Miami-Dade County Public Schools, in a coordinated cyberattack aimed at stealing student Social Security numbers for identity theft and attempting to access election systems. The attackers deployed malware via email attachments, disabling system logs to conceal their activities while conducting reconnaissance over several months. They posted images resembling ISIS fighters on district websites as a form of bragging but failed to exfiltrate data or breach voting infrastructure. Cybersecurity investigators found no evidence of data compromise but confirmed the hackers sought to exploit school networks as potential gateways to other government systems. The incident underscored vulnerabilities in educational networks storing sensitive student and employee information.
Description
In fall 2016, prior to the U.S. presidential election, Moroccan hackers operating under the name MoRo targeted at least four Florida school district networks, including Miami-Dade County Public Schools. The attack began with phishing emails containing malicious images that deployed malware when clicked. This malware disabled system logs designed to record user access and activities, concealing the hackers’ reconnaissance efforts for approximately three months. During this period, the attackers mapped network infrastructure, probed defenses, and unsuccessfully attempted to access sensitive student and employee data, including Social Security numbers. In November 2016, the hackers posted a photo of an individual dressed as an ISIS fighter on two school district websites, with the image remaining visible for about 24 hours on one site before reappearing on another district’s website the following month. United Data Technologies (UDT), a Doral-based cybersecurity firm, was engaged by affected districts and discovered the malware in early December 2016. Forensic analysis revealed no evidence of data exfiltration but confirmed the hackers’ persistent efforts to exploit school systems as potential gateways to other government networks, including voting infrastructure hosted by Diebold platforms.

The investigation determined the attackers sought student Social Security numbers for identity theft purposes, valuing these records at $25-$35 each on dark web markets due to minors’ clean credit histories. UDT neutralized the malware by re-engineering its code and notified the FBI, though the agency declined public comment. Miami-Dade officials confirmed their systems displayed one ISIS-related image but found no evidence of malware infiltration or data compromise, classifying the event as an attempted intrusion. The incident exposed systemic vulnerabilities in school networks, which store extensive personal data on students, parents, and employees while maintaining less restrictive access controls than corporate environments. Miami-Dade’s network alone contained hundreds of thousands of devices, with inherent challenges in securing open educational access points like student Wi-Fi and shared computers. While the Moroccan group failed to achieve its objectives, the breach highlighted risks of interconnected government systems, as school network compromises could theoretically enable lateral movement into more sensitive agencies. No financial losses or data misuse were documented, but the event underscored the attractiveness of educational institutions as cybercrime targets due to their vast repositories of underprotected personal information.
