A Canadian government network was successfully hacked and compromised by alleged Iran-based hackers as part of Tehran's response to various western cyber attacks, VICE News has learned.
The Canadian Centre for Occupational Health and Safety (CCOHS), which is under the umbrella of the Ministry of Labor, had its network compromised, along with accounts and password information, in the period leading up to April 2013. The attacks — which were part of a wider cyber offensive dubbed 'Operation Cleaver' — have gone unreported until now. This is the first time Canadian authorities have publicly acknowledged that a government network was, in fact, hacked as a result of alleged Iranian-born operations.
CCOHS — responsible for maintaining the health and safety of government workplaces and advising agencies on how best to deal with pandemics — says it implemented proactive measures since the hack and has not been attacked since.
"CCOHS has enforced stricter security rules on our firewall, patched all servers, changed passwords, and reconfigured our network for greater segmentation," communications director Lynda Brown told VICE News in an emailed statement. Asked specifically about the Iranian hack, she said that no "critical information was taken and the compromised computers did not contain any critical or sensitive information."
According to Brown, the compromised accounts and password information consisted of stale network data and were not exploitable. CCOHS says that at the time of the hack it was not connected to the government of Canada's Secure Channel Network (SCNet), which was almost certainly the attackers' real target, since a foothold there would allow wider compromises of government assets.
It's unclear if the CCOHS was specifically targeted for having sensitive or useful information on its servers, or if it was simply identified as a potential weak link in the government's online infrastructure.
For hacks that could result in breaches of privacy — either that of government employees, or the public — the affected department is required to report the breach to a central agency and to an independent privacy watchdog. For all hacks on government systems, the government is required to alert the Canadian Security Intelligence Service, the country's main spy agency. It's unclear whether that reporting was done in this instance.
Nevertheless, the breach — and the fact that it was never made public — raises further questions over the safety of government infrastructure, which has been undermined recently by a series of hacks linked to nation-state actors.
Canada's department of public safety confirmed the involvement of Iranian hackers, responding by pointing to Justin Trudeau, a major opponent of the prime minister in the upcoming federal election, and his desire to reopen a diplomatic mission in Tehran. "Justin Trudeau announced recently that his foreign policy is to re-open a mission in Tehran, a regime which continues to be a state-sponsor of terror and leading human rights abuser," said spokesperson Jeremy Laurin, adding that the government takes cybersecurity very seriously. "Our government made significant investments (over $300 million) in a Cyber Security Strategy designed to defend against electronic threats, hacking and cyber espionage."
SCNet is the central, secure shared network that houses most Canadian government agencies and their networks. The program began migrating federal agencies to this shared infrastructure in 2003 and has experienced various delays in its completion.
A report from Cylance, the American private company that first identified Cleaver and the wide-ranging attacks coming from Iran, says hackers operating from Tehran used sophisticated malware and phishing email campaigns to surveil targets around the world. Government agencies and private entities in the west specializing in critical infrastructure were among the victims, as the hackers established network access that they used to glean data.
It's common for hackers to scan for vulnerabilities across a multitude of targets to identify the weakest link, which can help explain why CCOHS was targeted.
From there, the attackers can launch operations or gain access to wider, more important networks. In other words, the hack of CCOHS suggests Iran considers Canada's digital infrastructure and data viable targets. Attributing attacks to specific actors is also difficult, given the ability of hackers to use proxies and other tools to hide their IP addresses and the location they attack from. But Cleaver is widely linked to an Iranian hacker group.
"Operation Cleaver has, over the past several years, conducted a significant global surveillance and infiltration campaign. To date it has successfully evaded detection by existing security technologies," said the Cylance report. "The group is believed to work from Tehran, Iran, although auxiliary team members were identified in other locations including the Netherlands, Canada, and the UK. The group successfully leveraged both publicly available, and customized tools to attack and compromise targets around the globe."
Other successfully compromised targets were identified in Canada, according to Cylance, including some in Alberta, but specifics are unknown. No victims have come forward publicly.
News of the hack on Canada's governmental infrastructure comes at a time when the US is engaging in ongoing, delicate nuclear talks with Iran and relations between Tehran and Ottawa are at their frostiest. The Harper government is steadfast in its support of Israel, Iran's biggest regional enemy, with former foreign affairs minister John Baird going so far as to call Iran the "biggest threat to global peace".
Ottawa has cut diplomatic ties with Tehran, and has even kicked in $9 million to create "open political space online." That program has resulted in substantial government of Canada funds being contributed to an online forum aimed at discussing problems with the Iranian government, and towards Psiphon, a firewall-circumventing mobile app developed in Toronto.
That Iran is targeting Canadian infrastructure might even be considered a retaliatory move, considering Ottawa's insistence on getting through Tehran's so-called "halal internet."
In December 2014, the FBI warned American defense contractors, energy, and educational institutions to be on the lookout for sophisticated Iranian hackers only days after the Cylance report was first released.
The California-based cybersecurity company said in its report that in addition to Canada, infrastructure companies and government agencies in China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, United Arab Emirates, and the United States were all targeted by Iran — although the Iranian government denies those charges.
Operation Cleaver is widely believed to be a response to continuous cyber attacks and surveillance from western governments on Iranian assets. In particular, the deployment of Stuxnet, a hyper-sophisticated cyber weapon that famously destroyed Iranian nuclear centrifuges at the Natanz facility in 2009, forced Iran to beef up its capabilities and launch its own cyber attacks.