Over a two month period, Canada faced 25 attacks from sophisticated malware designed to target its critical infrastructure. Power plants, electrical grids, aviation software — a variety of government-run systems were facing assault from Advanced Persistent Threat (APT) technology, likely dispatched by foreign governments both hostile and friendly.
In access to information documents, obtained by VICE News, Public Safety Canada describes these "Advanced Persistent Threat" groups as "sophisticated threat actors with significant resources who pursue objectives over an extended period of time and attempt to maintain presence on the targeted network" and are most likely "a nation state" given the "level of intent and capabilities of these actors".
APT attacks, in other words, are hacks designed to surreptitiously gain backdoor access to a system in order to lay dormant for long periods of time, usually undetected, to collect data.
There were 25 incidents involving "hosts affected with APT-related malware," according to reports obtained from the Canadian Cyber Incident Response Centre (CCIRC), the federal agency tasked with keeping tabs on cyber threats to the public and private sector. All of the threats came from "the Information and Communications Technologies (ICT) sector," with connections to Canada's major public infrastructure.
Critical infrastructure, which is increasingly automated and online, entails public systems like the electrical grid, nuclear power plants, water filtration stations and financial institutions. It's been said that, should hackers successfully leverage one of those exploitations, it could result in a "Cyber Pearl Harbor."
A report from the country's main intelligence service, the Canadian Security and Intelligence Service (CSIS), says the threat posed by these hacks are "very real" and that they could "affect water supply, energy and utilities, manufacturing, Internet communications technology or even gravely affect institutions such as schools and hospitals."
Public Safety Canada remained tight lipped when asked about any Canadian critical infrastructure being exploited by hackers in the employ of hostile nations.
"While we do not comment on specific or potential threats against Canadian critical infrastructure interests, I can say that the CCIRC is focused on protecting vital systems outside of the federal government, including critical infrastructure, against cyber incidents," Mylène Croteau, a spokesperson for Public Safety Canada, told VICE News.
Other sources familiar with cyber attacks on critical infrastructure by nation states told VICE News the reported CCIRC numbers are unsurprising.
It's clear suspected nation states have not only aimed their hacking missions at Canadian critical infrastructure, but specifically the ICT sector made up of software, computer and telecommunications companies supporting those major industries in an effort to exploit them indirectly.
"The relatively high number of notifications to the ICT sector is mainly because most critical infrastructure operators rely upon the services of an ICT organization and is not indicative of the state of security within the ICT sector itself," the report states.
CCIRC also recorded direct targeting of Canadian infrastructure, including phishing email campaigns against the "transportation sector, specifically those in aviation and rail", and exploitation attempts against the energy and utilities sector, as well financial institutions.
"You're a bad guy, you have two choices. You can go through the front end with all the equipment and the firewalls and security teams monitoring. Or you could go after some small vendor that does not have a security team."
"It's more and more rare that a nation state go after the end target, they'll more target the supply chain," says Robert Masse, a national partner at Deloitte focusing on cyber security. "You're a bad guy, you have two choices. You can go through the front end with all the equipment and the firewalls and security teams monitoring. Or you could go after some small vendor that does not have a security team, but has remote access to the HVAC system, the telephone system, the lighting system — which in turn has an IP connection to the rest of the infrastructure."
Masse did say that once hostile actors access those networks it's still difficult to jump into more secure networks, especially as some industrial control systems learn to combat hacking threats and improve cybersecurity.
The documents also showed an APT group was routing their activities through Canadian technology as a way to cloak their identity.
"CCIRC received a report from an international [Computer Security Incident Response Team] that multiple Canadian routers had been compromised and were likely under the control of an APT group," says the document. The routers were reportedly being used as a "communications link between the threat actor and their infrastructure, increasing their anonymity and operational security."
Another incident forced CCIRC to circulate a threat profile of a campaign targeting "numerous Canadian Critical Infrastructure organizations with a variant of the Dyre malware" — malicious code that ended up exploiting banks all over the world.
These sorts of attacks on critical infrastructure have become increasingly common in recent years.
It's widely believed the USB sticks were planted with the virus, which besides having several valuable zero-day exploits — software or hardware security flaws that go un-detected — targeted the physical Siemens controllers of the nuclear centrifuges.
While it is known Canada has always been a traditional espionage target of Russia, and at least China and Iran have deployed APT styled teams against Canadian assets, one expert in cybersecurity says the threat is commonplace to critical infrastructure.
"Nation states are targeting critical infrastructure in a variety of countries and Canada being targeted wouldn't be a surprise."
"Nation states are targeting critical infrastructure in a variety of countries and Canada being targeted wouldn't be a surprise," says Masse
He explained that attacks on critical infrastructure don't bear the markings of hacktivists, who don't have the sophistication or resources for such an operation, and he largely ruled out organized crime groups because there is often little financial gain in those types of targets.
"The theory behind these attacks is that (nation states) are mapping out infrastructure so that if something were to occur and an attack needed to happen they would be reasonably successful in disabling certain parts of the infrastructure. Like in any type of military operation, reconnaissance is one of the first phases," he says.
The hyperbolic warning of a "Cyber Pearl Harbor" came from a 2012 address to business executives in New York City by then-Secretary of Defense Leon Panetta.
"They could contaminate the water supply in major cities or shut down the power grid across large parts of the country."
"An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches," Panetta said at the time. "They could contaminate the water supply in major cities or shut down the power grid across large parts of the country."
Whether fear mongering or not, there is reason to believe these types of attacks are possible. One ex-cyber warfare operator in the US military said nation states have multiple reasons for compromising enemy critical infrastructure.
"There's a lot of motivations," says Robert M. Lee, who recently left his job as a Cyber Warfare Operations Officer in the US Air Force and is a co-founder of Dragos Security, which specializes in critical infrastructure security. "The first of which is getting access to field ops, private information, electronic properties, project maps and things that would be required to know what the country is working on. And then the second reason is to gain access for the purpose of doing something in the future. But usually those (types of incidents) are much more rare."
M. Lee explained those aren't as threatening to North American critical infrastructure assets, because a hostile actor would only act on such an attack if there were a hot geopolitical conflict.
"As an example, BlackEngery 2 targeted infrastructure in the US and Canada… but nothing happened," says M. Lee. Oppositely, he pointed out that the same malware looks like it targeted a Ukrainian power station and the results were devastating.
In December 2015, suspected Russian hackers disabled a power station in western Ukraine — which is hundreds of kilometers from where Russian backed rebels fighting the central government are located — disabling it and causing a mass outage to thousands of customers. The attack is now considered a sobering, watershed moment in cyber warfare not unlike Stuxnet.
The previous Conservative government led by Stephen Harper earmarked $142.6 million over five years to be spent on cybersecurity. There are rumblings early in the new government's mandate that Justin Trudeau's administration also intends to take cyber security very seriously.
Follow Ben Makuch on Twitter: @BMakuch