CTA "mud" Actively Leaking K-12 Directories on Breach Forums

A cyber threat actor (CTA) on “Breach Forums” known by the username “mud” has been leaking K-12 entities’ student/faculty directories as part of a self-titled campaign called “Project District.”

Insight into mud's Leaks

We assess with moderate confidence that the user is credible due to active posts on previous threads relating to data leaks and doxing dating back to April of 2022. The mud actor claims to have gained access to the leaked directories through compromised faculty accounts.

The Multi-State Information Sharing and Analysis Center (MS-ISAC) verified that at least one of the leaks does contain student/faculty data claimed by the CTA including but not limited to:

  • Full names,
  • Ages,
  • Genders,
  • Grades,
  • Student IDs, and
  • Primary guardian full names/phone numbers.

CTA "mud" Actively Leaking K-12 Directories on Breach Forums thumbnail

Figure 1: “mud’s” post describing “Project District and soliciting contributions. Contact information has been redacted.

MITRE ATT&CK Patterns Observed

  • ID: T1078 – Valid Accounts
  • ID: T1005 – Data from Local System

Additional Directory Leaks Likely

We assess that mud is likely to continue soliciting and sharing breached data due to the user’s stated intent, credible reputation on the forum, and history of distributing compromised individual data for doxing purposes. We assess that CTAs could use the leaked data for:

We also assess with moderate confidence that this activity is likely to inspire further directory leaks, as the CTA maintains a thread on the forum soliciting additional data from K-12 students, acting as witting insiders, and other CTAs.

How to Defend Your K-12 Org Against Directory Leaks

Administrators can protect their K-12 organizations against Project District and similar campaigns by regularly reviewing faculty accounts for abnormal activity and disabling any accounts provisioned for former faculty members. Additionally, they need to work with IT and Security to prevent a directory leak from occurring in the first place. They can do this by developing organizational contingency plans for responding to instances of compromised and leaked personally identifiable information (PII), including those involving doxing. They can also use the CIS Critical Security Controls (CIS Controls) to implement multi-factor authentication, especially for externally exposed applications, remote network access, and administrative access.