By Canadian Security
In February of this year cyber attackers from China allegedly hacked into both the Finance Department and the Treasury Board of Canada which caused quite a media frenzy. Rather than going into the details of the attack let me try to provide some insight into the attacks.
By Canadian Security
When I was working for one of Ontario’s large nuclear power facilities as the person responsible for the Information Systems’ security, I was approached by members of the Canadian Intelligence Service (CSIS) who were conducting an investigation into possible terrorist threats against that nuclear facility. During the course of the investigation, I took the opportunity to ask one of the CSIS agents what data I should be protecting the most. Initially I thought that it would have been engineering drawings of the plant or our physical security response plan to a terrorist threat. Both of these of course would be extremely valuable to someone planning an attack against the facility. He indicated to me that the most important data we had was the reactor simulation data. I
was surprised at his answer. “That has nothing to do with terrorism,” I responded. “Besides”, I continued, “China has 13 nuclear power reactors with more than 25 under construction.” The agent’s response was enlightening, “They have more reactors, but we run them better. Any information they can get to help them is always of use.”
In February of 2010 I was called in to investigate a security breach in a very large Canadian company. One of their servers was compromised and subsequently used to launch the attack against the company. What was interesting about this attack is that the firewall rule set had been changed just prior to the attack allowing one of their servers to be exposed and compromised. Was the firewall rule change done remotely or was it done by someone on the inside?
Clearly the attack was from China, but I was never able to answer the question on how the firewall rule was changed which allowed the attack to be successful. It was clear that the attacker from China was not running a script. There was actually a person on the other end typing commands in, viewing the results and continuing their attack. They were sophisticated and knowledgeable. Now I cannot speak to the motive or person behind the attack, outside of its origin, but the words of the CSIS agent still ring in my ears. “China does lots of things, but we do them better”. Knowledge and information is valuable.
This brings us to the attacks on the Finance Department and the Treasury Board of Canada. CBC termed the attack “unprecedented” in that hackers hijacked the “online identities” of top bureaucrats and then sent documents infected with a virus to employees throughout the departments. The hackers are believed to have accessed classified information.
This is actually quite a brilliant attack. We are always taught to only open up attachments in email sent to us by people we trust. If you receive something from a top bureaucrat, then you would clearly believe the information to be from a trustworthy source, especially since it’s on the “Government” network. Logically you would open the attachment. I have no personal knowledge of the attack on the two government agencies, but what I can tell you is that if the attackers had control of some of the emails of the top bureaucrats then there is no question in my mind that sensitive and confidential information was compromised. It would be a simple matter to then use the email system itself to send out that information to the attacker.
Upon learning of the attack, Canadian cyber security officials shut down Internet access at the two departments as they scrambled to prevent hackers from stealing more information via the Internet, it added. This too makes sense as there would be thousands, if not tens of thousands of possible compromises. The cleanup task would be monumental. The fact that the system was down for over a month speaks volumes to the depth and severity of the compromise. Information must have been streaming out causing officials to shut down the system in its entirety. This would have been the only way to ensure that the compromise was contained and eradicated before being allowed to come back online. Those of us on the outside will never know the depth to which information was compromised, but my intuition tells me that it was likely the most severe breach of information we have had in the Canadian Government to date.
Chinese espionage has become a “major problem” for Canada and other countries, a senior government official told CTV. In January 2010, Google said it had fallen victim to attacks by China-based cyber spies apparently intent on hacking into the Gmail accounts of Chinese human rights activists. The attack touched off a huge battle with Beijing on censorship.
After the attacks of 9/11 we have been conditioned to think that attacks from outside of our borders are always linked to terrorism. I can tell you from my experience that the number one reason for a cyber attack, or cyber security breach is not related to terrorism, but to the theft of information. As we have all learned through our years, information is power and has a value. Let this be a wake up call to every organization out there. Put the right equipment and policies in place to prevent data from leaking out of your environment and above all, make sure you have adequate employee training and screening programs, because at the end of the day, employees are and continue to be your weakest link.