An unprecedented cyberattack on the Canadian government also targeted Defence Research and Development Canada, making it the third key department compromised by hackers, CBC News has learned.
The attack, apparently from China, also gave foreign hackers access to highly classified federal information and also forced the Finance Department and Treasury Board — the federal government’s two main economic nerve centres — off the internet.
Highly placed sources tell CBC News the cyberattacks were traced back to computer servers in China.
They caution, however, that there is no way of knowing whether the hackers are Chinese, or some other nationality routing their cybercrimes through China to cover their tracks.
While there is no definitive proof, of course, that China was behind these attacks, there is a lot of circumstantial evidence that points in that direction. China (allegedly) has a long history of engaging in espionage activities in order to gain access to information. In the United States, this is sometimes referred to as cyber warfare, but I think that cyber espionage is a better choice of terms. The stealing of state secrets is a diplomatic pastime. While the tools have evolved, the goals of the game have not.
The article continues:
Here’s how it worked:
Sources say hackers using servers in China gained control of a number of Canadian government computers belonging to top federal officials. The hackers, then posing as the federal executives, sent emails to departmental technical staffers, conning them into providing key passwords unlocking access to government networks.
At the same time, the hackers sent other staff seemingly innocuous memos as attachments. The moment an attachment was opened by a recipient, a viral program was unleashed on the network. The program hunts for specific kinds of classified government information, and sends it back to the hackers over the internet.
One source involved in the investigation said spear-phishing is deadly in its simplicity: "There is nothing particularly innovative about it. It’s just that it is dreadfully effective."
This is eerily similar to the Google attacks that occurred last year, when a top-ranking Google employee in China was sent a spear phishing attack over IM and clicked the link, which gave the attackers access to Google’s internal network. From there, several bits of code were stolen. The opening description is a little vague, however. How did the hackers using servers in China gain control of a number of Canadian government computers belonging to top federal officials? Chances are they used the same technique as before. They sent phishing messages to these federal officials and tricked them into opening an email (or IM message), after which their machines became infected with a piece of malware. Either that, or (more likely) they sent them messages purportedly from the IT department urging them to log in and reset or verify their credentials. Once they had those logins, they could send mass mailings to the internal staff at the government with more malware attached. Since the mail came from someone they trusted, and was sent internally, anti-virus scanners could be more readily bypassed. Thus, I see the timeline more like the following:
- Hackers research the identities of top officials in the Canadian federal government.
- Phishing messages “from” the IT department are sent to these officials telling them to login and reset their credentials or verify their identity.
- Once they have obtained these logins, the phishers send messages to the general staff from (actually from, for real) these compromised accounts with malware attached, possibly under legitimate-sounding names like a spreadsheet or something.
- Other people in the department open these attachments and get their machines compromised. It is one thing to have stolen credentials for an account; it is quite another to have a stolen machine.
- The attackers proceed to steal information from within these compromised machines.
The article then says the following:
"There are access controls that need to be fixed; there are a whole series of minimum security issues that are not being dealt with. There are vulnerabilities. Government needs to fix them." Three years later, Fraser checked again and found not much had changed. "It is important that these things be dealt with and be fixed — the government is vulnerable to attacks."
Evidently, it still is.
This statement isn’t entirely fair. The reality is that any organization could be vulnerable to this type of attack. The weakest link in the above is not the technological infrastructure but the human component. So how could the Canadian government reduce its vulnerability footprint? Well, a lot of people pay a lot of money for this, but I’ll give them some free advice (note: if there is anyone from the Canadian IT department reading this, I’d be willing to allow you to make a donation to the Terry Zink Retirement Fund in exchange for this simple advice):
- To begin with, the government needs a good spam filter to keep phishing messages out of the inbox. This is very difficult to do, and sender authentication technologies like SPF and DKIM don’t do much to prevent spoofing (there are workarounds). However, a filter that is up-to-date with the latest blocklists, URL blocklists, and even some more clever technologies is a good place to start.
- Once the original accounts are compromised, the game is almost over. However, as a basic line of defense (or shall I say, defence), organizations should be scanning all email attachments, even on internal mail, with 2 or 3 pieces of A/V software. Yes, there are plenty of zero-day attacks, but this makes things difficult for malware authors.
- Make sure all software is up-to-date. If phishing messages were not the original source of these credential thefts, then applying the latest patches (OS, web browsers, third-party plug-ins like Flash) is crucial.
- One thing that isn’t in email security but has been implemented by companies like Comcast is network inspection technology. By analyzing where URLs resolve to (i.e., bad IP space), organizations can block people from browsing to malicious sites at the network layer. Comcast does it by maintaining a list of known bad IPs where domains point to bad A-records, and quarantines people that way. The government could do the same. Bad A-record IP space is one thing; maintaining a database of known bad registrars and/or name servers is yet another step forward. If the destination the user is trying to navigate to is hosted in a bad neighborhood, then don’t let them go there. Users have to click links that go somewhere; if that somewhere can be short-circuited, it throws a wrench in the attacker’s plans. The one exception to this is a legitimate web site that has been compromised (and there are lots). That’s tougher to mitigate.
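As an added illustration of the last item (and of the URL-blocklist idea in the first), here is a small Python model of a network-layer destination check. It is example code written for this post, not Comcast’s or any government system’s implementation. It assumes a constructed, in-memory DNS table (hypothetical `.test` hostnames and RFC 5737 documentation addresses) in place of a live resolver, and constructed lists of flagged netblocks and flagged name servers; a real deployment would query DNS and feed the lists from its own reputation data.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample DNS data standing in for a real resolver. All names are
# hypothetical and the addresses come from documentation ranges (RFC 5737).
SAMPLE_A_RECORDS: Dict[str, str] = {
    "intranet.example.gc.test": "192.0.2.10",
    "reset-your-password.example.test": "198.51.100.77",
    "news.example.org.test": "203.0.113.5",
}
SAMPLE_NS_RECORDS: Dict[str, List[str]] = {
    "example.gc.test": ["ns1.example.gc.test"],
    "example.test": ["ns1.cheapdns.example"],  # hypothetical bulk-registrar NS
    "example.org.test": ["ns.example.org.test"],
}

# Constructed policy data: a netblock "known" to host phishing pages and a
# name server "known" to serve abusive zones (the bad-neighborhood lists).
BAD_NETBLOCKS = [ipaddress.ip_network("198.51.100.0/24")]
BAD_NAMESERVERS = {"ns1.cheapdns.example"}


@dataclass
class Verdict:
    url: str
    host: str
    ip: Optional[str]
    action: str                      # "allow" or "block"
    reasons: List[str] = field(default_factory=list)


def find_nameservers(host: str, ns_records: Dict[str, List[str]]) -> List[str]:
    """Walk up from the host to its parents until a zone with NS data is found."""
    labels = host.split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in ns_records:
            return ns_records[zone]
    return []


def check_url(url: str,
              a_records: Dict[str, str] = SAMPLE_A_RECORDS,
              ns_records: Dict[str, List[str]] = SAMPLE_NS_RECORDS,
              bad_netblocks=BAD_NETBLOCKS,
              bad_nameservers=BAD_NAMESERVERS) -> Verdict:
    """Decide whether a user may navigate to `url`, based on where it resolves."""
    host = urlsplit(url).hostname
    if not host:
        return Verdict(url, "", None, "block", ["no host in URL"])
    reasons: List[str] = []

    # Links that point straight at an IP literal skip DNS entirely; check it as-is.
    try:
        ip_str: Optional[str] = str(ipaddress.ip_address(host))
    except ValueError:
        ip_str = a_records.get(host)  # a real check would resolve the A record here

    if ip_str is not None:
        ip = ipaddress.ip_address(ip_str)
        for net in bad_netblocks:
            if ip in net:
                reasons.append(f"A record {ip} is in flagged netblock {net}")

    # Second layer from the post: the zone's name servers, independent of the IP.
    for ns in find_nameservers(host, ns_records):
        if ns.lower() in bad_nameservers:
            reasons.append(f"zone is served by flagged name server {ns}")

    # Note the blind spot the post names: a legitimate site in clean IP space
    # with reputable name servers passes even if its content was compromised.
    return Verdict(url, host, ip_str, "block" if reasons else "allow", reasons)


if __name__ == "__main__":
    for u in ("https://intranet.example.gc.test/",
              "http://reset-your-password.example.test/login",
              "http://198.51.100.77/x",
              "http://news.example.org.test/story"):
        v = check_url(u)
        print(v.action.upper(), u, "; ".join(v.reasons))
```

The two checks are deliberately independent: the password-reset lure trips both the netblock rule and the name-server rule, while a raw-IP link trips only the first, which is why keeping a name-server list alongside the IP list catches sites that move between addresses on the same abusive DNS infrastructure.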
So, there are some suggestions for organizations to implement to reduce their vulnerability. The last one certainly isn’t easy, but I would think you’d get big bang for the buck there.