Jackson County Public Schools in western North Carolina kept students home Tuesday after a weekend DDoS cyberattack crippled its network and disabled phones and Wi-Fi, although officials say there is no evidence any student or staff data was breached.
District leaders said the trouble began Saturday as what looked like routine internet outages, before technicians realized the disruptions were a “reflection” distributed denial-of-service, or DDoS, attack on the district firewall.
“It first presented as just network errors,” Chief Technology Officer Greg Stewart told WLOS. “But what we were able to finally determine is that we had what’s known as a reflection DDoS attack on our firewall, an external attack where information overwhelms the firewall and cripples the network.”
By late Sunday, logs showed the outage was part of a coordinated wave of traffic hitting the system from IP addresses in Russia and China, Stewart said. He and Superintendent Dana Ayers said they believe the district was used as a “bus stop” or pass-through in a larger campaign, not the primary target.
A DDoS attack floods online systems with traffic so legitimate requests cannot get through. In many enterprise environments, large-scale DDoS attacks are handled upstream by internet service providers or specialized scrubbing services, so a full internal network shutdown and school closure tied to a DDoS event is an unusual response once malicious traffic is filtered.
In this case, district officials say the attack jammed the firewall and forced a shutdown of network-dependent services across all schools. To complete repairs and “ensure full security,” Jackson County Public Schools shut down its entire network Tuesday, leaving internet, Wi-Fi, phones and most internal systems unavailable and turning the day into an optional workday for staff.
Schools remained open Monday because camera and door-access systems were still functioning, Ayers said. After hours, however, technicians had to take those systems offline to repair the damage, which left campuses without normal phone, camera and electronic door controls if students returned Tuesday.
“Once you take those offline, then you don’t have the security of the phones, the cameras, the doors,” Ayers said. “We were safe during the day Monday, but we couldn’t bring students in today without those systems in place.” Every school has a single hardline emergency phone, but Ayers said that was not sufficient for buildings with hundreds of students.
In a Facebook update late Tuesday, the district said its technology team had completed the necessary work and that the network was “up and functioning normally.” The post said “no JCPS data was compromised” and that the district had taken “all necessary steps to prevent a recurrence.” Officials said shutting down the entire network left phones, internet, internal systems and “safety communication tools” unavailable, making it impossible to reliably contact classrooms, reach emergency services or communicate with families.
Jackson County students were already scheduled to be out of school Wednesday through Friday for the Thanksgiving holiday. With Tuesday’s closure added, district officials say students will return after the break on Monday, Dec. 1, once security platforms and communications systems are fully restored.
Officials have repeatedly stressed there is no evidence of a data breach. “Nothing was compromised,” Stewart said. “No user accounts, no student data, no staff data. The attackers weren’t able to gain entry.” The district says its firewall and network segmentation kept attackers from moving into internal systems, even as the DDoS traffic disrupted operations.
Stewart said IT staff worked through the weekend and overnight to diagnose and contain the attack, with some employees canceling vacation time. “They’ve been working through the night,” he told WLOS. “Everything we had in place worked exactly the way it was supposed to.”
Jackson County Public Schools serves roughly 3,500 to 3,700 students across nine schools in the Blue Ridge Mountains, with its central offices in Sylva and more than 500 staff members.
Western North Carolina schools have dealt with disruptive cyber incidents before. In 2020, nearby Haywood County Schools closed for days after a ransomware attack that shut down remote learning and later led officials to confirm a data breach involving staff and student information.
State lawmakers have since pushed for stronger cybersecurity in K-12 systems, citing ransomware incidents in several public school units as a reason to migrate financial and administrative systems to more secure, cloud-based platforms.
Jackson County now joins a growing list of North Carolina communities hit by disruptive cyber events. Earlier this year, Bertie County Schools in eastern North Carolina battled a Qilin ransomware attack that shut down phones and internet, while Catawba County saw its website knocked offline for days amid an unconfirmed Qilin claim. The towns of Waxhaw and Thomasville have launched investigations into cyberattacks on municipal systems, and Winston-Salem spent weeks recovering from a late-2024 incident that crippled online payments and other city services. Investigators have also examined intentional fiber cuts behind a major internet outage in Moore County and a cyber incident that forced Pinehurst Radiology to close indefinitely, highlighting how schools, local governments, health care providers and infrastructure operators across the state are facing overlapping digital threats.
District leaders in Jackson County say they will continue monitoring systems as students return after the holiday. “We’re clean, and we’re ready to begin school as soon as we’re scheduled to have kids back,” Stewart said.
