Hackers went to e-school


A failure in the capital's digital infrastructure left the Moscow Electronic School (MES) service unavailable for several days. Officially, the authorities cite technical work that began on September 17. Kommersant’s sources in the cybersecurity market specify that city hall services were attacked by hacker groups. But the attackers, as it turned out, did the Moscow authorities a service: during the system check that followed the attacks on the infrastructure, illegal cryptocurrency miners were discovered.

Since September 17, the MES service has been unavailable to parents and students due to a failure. A Kommersant source close to the Moscow Department of Education and Science confirmed that the problem affected almost all schools: “The download of homework and grades did not work, the mobile version of services did not work.” According to him, by the evening of September 20, most of the problems had been resolved.

Kommersant talked to parents from different parts of Moscow. The problem was confirmed in the Northern, North-Eastern and South-Eastern administrative districts. According to ten interviewed parents, homework and assessment services were unavailable all weekend, and students and parents also could not log into the system with their accounts. By the evening of September 20, access to accounts was restored, but enrollment in clubs and additional services remained unavailable.

MES is a digital ecosystem that unites school educational institutions in Moscow, launched in 2016 by the Department of Information Technology (DIT) of Moscow. MES has services designed for students and parents: an electronic diary, student portfolio, etc., as well as for teachers – an electronic journal, a homework designer, etc.

On September 17, DIT warned users that technical work would be carried out on the resources. “Difficulties are caused by planned technical work of city services, specialists are working to eliminate them and restore the stable operation of the system,” says the Teacher’s MES Telegram channel (the link to it is published on the MES website in the “for employees” section). Kommersant sent a request to DIT to clarify the cause of the failure, but neither DIT nor the Department of Education and Science of Moscow responded.

Kommersant’s interlocutors in the information security market say that the service failures were caused not by technical work but by a massive DDoS attack on the DIT infrastructure, as well as an attack by encryption viruses: “Now two servers are encrypted.” According to one of Kommersant’s sources, two different hacker groups were involved, but their motivation is unknown.

But, one of Kommersant’s interlocutors adds, the attack helped to find an unexpected vulnerability: “As part of the technical work to fix the problems, experts revealed that the DIT infrastructure and computing power were illegally used by cryptocurrency miners.” Cryptocurrency mining software could not have “laid down” the infrastructure: it runs in the background, consuming only computing resources, explains Pavel Kulakov, CEO of the data center and cloud provider Oxygen. That such software is running, according to him, is easy to overlook: “Large data centers are designed with a margin of computing power, and mining software consumes a small part.”

The MES has had major failures before. There were massive complaints about the operation of the platform back in 2017, when DIT switched MES to new software. In the fall of 2020, on the first day of distance learning in the capital's schools amid the pandemic, the heavy load on the infrastructure forced teachers to conduct lessons on Zoom (see Kommersant dated October 19, 2020). A new failure, notes one of Kommersant’s sources who is familiar with the technical details, would not have been a surprise for the mayor’s office if additional means of protection had been used in advance and vulnerability testing had been carried out: “The number of DDoS attacks in the Russian Federation since spring has shown record levels (see also interview with the CEO of Group-IB in Russia and the CIS Valery Baulin), the public sector should take this into account.”

Tatyana Isakova, Timofey Kornev
