Cyberattacks on federal research agency tried to beat the clock: documents

The federal research council’s Network Time Protocol service was hit with two denial-of-service attacks last year, records obtained under the Access to Information Act show.

An internal research council memo points to “the Chinese” as instigators in at least one attempt to meddle with the institution’s precision time functions.

Word of these attacks emerged less than a year after the research council experienced a crippling cyber-intrusion that prompted a months-long shutdown of the leading scientific agency’s information-technology system.

In a rare public admonition, Canada blamed the July 2014 intrusion on a highly sophisticated Chinese state-sponsored actor, but Beijing denied involvement and accused Canada of making irresponsible accusations.

“The Chinese government consistently opposes criminal activities of all forms aimed at sabotaging the Internet and computer networks,” China’s foreign ministry said at the time.

Even so, the research council has now linked China to cyber-mischief involving its sophisticated time system.

A Questions and Answers memo the research council prepared after the July cyber-intrusion asks, “Is this incident related to the NRC time signal incident (with the Chinese) which occurred some time ago?”

The document provides no additional details on the Chinese connection. Spokesmen for the research council and Shared Services Canada, the government’s central computer services hub, refused to elaborate.

However, council spokesman Guillaume Berube did say in a statement that denial-of-service attacks – in which a server is bombarded with nuisance traffic aimed at overloading it – are “a common occurrence” in today’s cyber-environment.

Scientists in the research council’s Frequency and Time group are effectively Canada’s official timekeepers, relying on cesium atomic clocks accurate to a few millionths of a second per year. The extreme precision is valued in activities including navigation, radio astronomy, voltage measurement and electronics manufacturing, the council says.

The council’s Network Time Protocol (NTP) service allows members of the public to set their computer’s clock to research council time.

Heavily censored email messages show the attack on the NTP service became apparent Jan. 3, 2014, when a duty officer at Shared Services Canada noticed something was amiss.

A flurry of emails followed over the next several days.

On Jan. 13, Bill Hoger, a technical officer in the Frequency and Time group, wrote colleagues to say it “appears that the attack is over, the incoming traffic levels have returned to normal levels as of some time yesterday.”

In late 2013 and into the new year, there were reports NTP-related attacks worldwide – indicating the Canadian incidents were part of a bigger wave.

A second, multi-day assault on the research council’s NTP service took place last August, the emails reveal.

“Clients of the Network Time Protocol service were informed and there were no complaints,” the research council’s Berube said in his statement.

“No data was lost in the attacks and there was no penetration of NRC’s servers or operational environment. IT fixes have been implemented to prevent future attacks and disruptions to servers.”

Berube referred specific questions about the denial-of-service attacks to Shared Services Canada spokesman Ted Francis.

Francis refused to provide answers, saying the agency doesn’t discuss “security incidents.”