Yeah, they identified themselves as ShinyHunters, and the IP they've put on the demonstration page is geocoded to Russia. Notice this is the same group responsible for the Infinite Campus hack last year.

Really, though, if you want someone to blame, Instructure is not a particularly compelling target. Let's review:

1. Iran is intentionally targeting infrastructure due to a war started by the current administration.

2. China is actively seeking corporate secrets to steal and commercialize for themselves, spurred by extreme protectionism and retaliatory tariffs.

3. North Korea is doing anything they can -- including just taking a remote job by proxy -- in order to extract any money.

4. And Russia is working with and aiding all of them, after everything else going on has forced the embargo to break.

5. All of this while completely alienating every single one of the United States' allies.

6. Meanwhile, the American DHS is currently shut down.

7. And this is after Trump cut funding and personnel for CISA severely enough that they've had to end the contract with MS-ISAC, meaning all state and local entities can only remain in the organization if they foot the bill for it directly, and CISA and other agencies responsible for cybersecurity are more thinly staffed than they have been in decades.

In short, the current administration systematically disassembled all the protections we have built over the last 100 years, and then placed infrastructure -- schools, in this case, but also power companies, water treatment facilities, communications companies, local governments, hospitals, food producers -- directly on the front lines of the modern geopolitical conflict.

That vast ocean that has kept us safe historically is a poor moat in the modern era.

Having an IP in Russia means about zero regarding their location. Literally anyone doing anything like this is going to get a Chinese or a Russian IP for obvious reasons. Mostly decoy and people like you.