A St. Petersburg High School junior hacked into the Pinellas County school district’s computer network this spring and shut down internet access for all 145 of the district’s schools for two days, another recent example of networks’ vulnerability to cyber attacks.
The 17-year-old was arrested on a felony computer crimes charge and expelled. The Tampa Bay Times is not naming the boy because of his age, but interviewed him and his mother this week.
The teen said he had become “fixated” on the idea of infiltrating the school district’s network after seeing an online video showcasing the vulnerability of school networks, according to a search warrant from the St. Petersburg Police Department.
He said he “instantly” regretted his actions and even tried to undo the hack.
“By the time it was done, there was no way to undo it,” he said. “If I could go back, I wouldn’t do it again.”
The hack is the latest to show how susceptible networks can be to cyber attacks. In February, someone tried to poison the city of Oldsmar’s water supply by hacking into its network and greatly increasing the amount of lye in the water. An employee noticed the attack and was able to stop it, but experts said it underscored the vulnerability of the nation’s infrastructure to cyber attacks.
And earlier this month, the Colonial Pipeline, the country’s largest gasoline pipeline, which runs from Texas to New York, was knocked offline by a cyberattack, leading to gas shortages along the East Coast.
Tirthankar Ghosh, the associate director of the University of West Florida Center for Cybersecurity, said distributed denial-of-service attacks like the one on the school system are common and generally of low sophistication. In recent years, he said, it has become a more popular form of attack, often as a way to distract IT teams while attackers unleash something more sophisticated.
“The scale of this attack, it really stood out,” Ghosh said. “A denial of service attack is pretty common but the fact that 145 schools, their networks came down, that says something.”
In general, public universities and schools have less protected networks because they tend to believe in more open connection. Private companies, on the other hand, can lock things down.
For years, Charter-Spectrum had provided distributed denial-of-service protection for the Pinellas school system, said spokeswoman Isabel Mascareñas. However, Spectrum representatives told the district that when they migrated to a new system in late 2020, they failed to maintain the protection. The company has since re-activated the protection, she wrote in an email, and credited the school system with $23,000 for its payment without receiving protection.
A spokesperson for Charter-Spectrum did not respond to emails requesting comment.
Mascareñas said the attack happened on March 22 and March 23. After the main disruption, they contacted Charter-Spectrum and had the protection system back up. On March 25, another attempt was detected and administrators were notified. That was when St. Petersburg police were called, said police department spokeswoman Yolanda Fernandez.
The school district’s director of network and telecommunications, Brian Doughty, told investigators that the attack was considered “critical” because statewide testing was occurring, according to documents St. Petersburg police filed to get a search warrant for the teen’s phone. Mascareñas, however, said no testing was happening at the time.
The teen said the hack wasn’t designed to disrupt state testing. He also said he didn’t know how seriously the hack would impact all the schools in the district, including one his little sister attended.
When the hack first occurred, Doughty searched for suspicious activity and found a user who looked up the school district’s public Internet Protocol address, which would be needed for the hack. He looked for which router was used and narrowed it down to students in a specific classroom at that time. Through that, they traced it to the student’s Samsung Galaxy phone. The student’s school computer account had also accessed the IP search three days prior, according to the search warrant.
When first interviewed by detectives, the student said he bought a Virtual Private Network from a web developer off the social media platform Discord, and that the developer accessed the school’s network. Detectives pushed the boy on inconsistencies in his statement, and he admitted he saw an online video about the fragility of school networks and became interested in the idea of infiltrating the network, according to records.
The boy had practiced a similar attack on his home network and a friend’s network, and both attempts were successful.
But when he attempted the attack on the school system, he at first was unsuccessful. On Discord, he found a man who had shared a video of him infiltrating a network.
The boy said Wednesday that he carried out the attack on the school district by taking direct instructions from that man, though he never met him in person. The attack took about two weeks of planning and practice, he said.
Fernandez, the police spokeswoman, said the man does not appear in their system and has nothing currently initiated against him. The boy’s mother said she believes the man he communicated with does not live in the United States.
Ghosh said there are numerous free materials online about how to initiate these cyberattacks, sometimes with open source software that makes it as easy as the click of a few buttons. Ghosh said in the cybersecurity community they would call the boy a “script kiddie” — someone who, most times, has curiosity but not malicious intent.
“They do it because they can, they think it’s fun, they don’t know the laws, they are not aware of the consequences,” he said.
His mother said he was expelled because of the attack but is getting his GED. Though he won’t be attending college immediately, the teen said Wednesday his dream job is to work in cybersecurity or software development.
The mother insisted Wednesday that her son treated the attack as if it were a game and that his intentions were not to cause harm to the school district or his classmates.
“It wasn’t something that was malicious. By all means, it was just something like a video game to him in his head,” his mother, 46, said. “He was just pushing it to see how smart he could go with it.”
“He’s super smart in that aspect,” she added. “If he can apply it in a positive way, that’s what he’s going to try and do.”