
Foreign Hackers Attack Canadian Government

Terry Zink

An unprecedented cyberattack on the Canadian government also targeted Defence Research and Development Canada, making it the third key department compromised by hackers, CBC News has learned.

The attack, apparently from China, also gave foreign hackers access to highly classified federal information and also forced the Finance Department and Treasury Board — the federal government's two main economic nerve centres — off the internet.

Highly placed sources tell CBC News the cyberattacks were traced back to computer servers in China.

They caution, however, that there is no way of knowing whether the hackers are Chinese, or some other nationality routing their cybercrimes through China to cover their tracks.

While there is no definitive proof, of course, that China was behind these attacks, there is a lot of circumstantial evidence pointing in that direction. China (allegedly) has a long history of engaging in espionage in order to gain access to information. In the United States this is sometimes referred to as cyber warfare, but I think that cyber espionage is a better choice of term. The stealing of state secrets is a diplomatic pastime. While the tools have evolved, the goals of the game have not.

The article continues:

Here's how it worked:

Sources say hackers using servers in China gained control of a number of Canadian government computers belonging to top federal officials. The hackers, then posing as the federal executives, sent emails to departmental technical staffers, conning them into providing key passwords unlocking access to government networks.

At the same time, the hackers sent other staff seemingly innocuous memos as attachments. The moment an attachment was opened by a recipient, a viral program was unleashed on the network. The program hunts for specific kinds of classified government information, and sends it back to the hackers over the internet.

One source involved in the investigation said spear-phishing is deadly in its simplicity: "There is nothing particularly innovative about it. It's just that it is dreadfully effective."

This is eerily similar to the Google attacks that occurred last year, when a top-ranking Google employee in China was sent a spear phishing attack over IM and clicked the link, which gave the attackers access to Google's internal network. From there, several bits of code were stolen. The opening description is a little vague, however. How did hackers using servers in China gain control of a number of Canadian government computers belonging to top federal officials? Chances are they used the same technique as before: they sent phishing messages to these federal officials and tricked them into opening an email (or IM message), after which their machines became infected with a piece of malware. Either that, or (more likely) they sent them messages purportedly from the IT department urging them to log in and reset or verify their credentials. Once they had those logins, they could send mass distributions to the internal staff at the government with more malicious pieces of malware. Since the mail came from someone the recipients trust, and was sent internally, anti-virus scanners could be more readily bypassed. Thus, I see the timeline more like the following:

  1. Hackers research the identities of top officials in the Canadian federal government.
  2. Phishing messages "from" the IT department are sent to these officials, telling them to log in and reset their credentials or verify their identity.
  3. Once they have obtained these logins, the phishers send messages to the general staff from (actually from, for real) these compromised accounts with malware attached, possibly under legitimate-sounding names like a spreadsheet or something similar.
  4. Other people in the department open these attachments and get their machines compromised. It is one thing to have stolen credentials for an account; it is quite another to have a stolen machine.
  5. The attackers proceed to steal information from within these compromised machines.

The article then says the following:

"There are access controls that need to be fixed; there are a whole series of minimum security issues that are not being dealt with. There are vulnerabilities. Government needs to fix them." Three years later, Fraser checked again and found not much had changed. "It is important that these things be dealt with and be fixed — the government is vulnerable to attacks."

Evidently, it still is.

This statement isn't entirely fair. The reality is that any organization could be vulnerable to this type of attack. The weakest link in the above is not the technological infrastructure but the human component. So how could the Canadian government reduce their vulnerability footprint? Well, a lot of people pay a lot of money for this, but I'll give them some free advice (note: if there is anyone from the Canadian IT department reading this, I'd be willing to allow you to make a donation to the Terry Zink Retirement Fund in exchange for this simple advice):

  1. At the start of it, the government needs a good spam filter to keep phishing messages out of the inbox. This is very difficult to do, and reputation technologies like SPF and DKIM don't do much to prevent spoofing (there are workarounds). However, a filter that is up to date with the latest blocklists, URL blocklists, and even some more clever technologies is a good place to start.
  2. Once the original accounts are compromised, the game is almost over. However, as a basic line of defense (or shall I say, defence), organizations should be scanning all email attachments, even on internal mail, with two or three pieces of A/V software. Yes, there are plenty of zero-day attacks, but this makes things difficult for malware authors.
  3. Make sure all software is up to date. If phishing messages were not the original source of these credential thefts, then applying the latest patches (OS, web browsers, third-party plug-ins like Flash) is crucial.
  4. One thing that isn't in email security but has been implemented by companies like Comcast is network inspection technology. By analyzing where URLs resolve to (i.e., bad IP space), organizations can block people from browsing to malicious sites at the network layer. Comcast does it by maintaining a list of known bad IPs where domains point to bad A-records, and quarantines people that way. The government could do the same. Bad A-record IP space is one thing; maintaining a database of known bad registrars and/or name servers is yet another step forward. If the place the user is trying to navigate to is hosted in a bad neighborhood, then don't let them go there. Users have to click links that go somewhere; if that somewhere can be short-circuited, it throws a wrench in the attackers' plans. The one exception to this is a legitimate web site that has been compromised (and there are lots). That's tougher to mitigate.
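To make items 1 and 4 concrete, here is an added Python example (written for this page, not code from the post, from Comcast, or from any government deployment) that triages a constructed inbound message the way a filter combining sender checks with a "bad neighbourhood" URL check would. The internal domain, the protected executive name, the blocklists and the DNS answers are all constructed assumptions; a real deployment would query a resolver and threat-intelligence feeds instead of the `FAKE_DNS` table. The lookalike sample deliberately passes SPF for the phisher's own domain, which is the post's point that SPF and DKIM alone do not stop this kind of spoofing.

```python
# Added example: mail triage combining sender checks (item 1 above) with
# URL bad-neighbourhood checks (item 4 above). Constructed, not production code.
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's own mail domain and the executives whose
# display names phishers would want to borrow. Both values are constructed.
INTERNAL_DOMAIN = "example.gc.ca"
PROTECTED_NAMES = {"jane doe"}

# Constructed reputation data standing in for the blocklists the post describes.
BAD_IP_SPACE = [ipaddress.ip_network("203.0.113.0/24")]   # RFC 5737 TEST-NET-3
BAD_NAMESERVERS = {"ns1.bad-ns.example"}
URL_BLOCKLIST = {"login-reset.example"}

# Constructed stand-in for DNS: hostname -> (A records, authoritative nameservers).
# A real deployment would query a resolver; this keeps the example offline.
FAKE_DNS = {
    "login-reset.example": (["203.0.113.45"], ["ns1.bad-ns.example"]),
    "cdn.other.example": (["192.0.2.77"], ["ns1.bad-ns.example"]),
    "intranet.example.gc.ca": (["198.51.100.10"], ["ns1.example.gc.ca"]),
}

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def check_sender(msg):
    """Flag display-name impersonation and internal addresses that fail SPF."""
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    # A protected executive's name on an external address is the step-2 lure.
    if name.lower() in PROTECTED_NAMES and domain != INTERNAL_DOMAIN:
        findings.append(f"sender: display name '{name}' used with external domain {domain}")
    # A message claiming our own domain must carry an SPF pass from our gateway.
    auth = msg.get("Authentication-Results", "").lower()
    if domain == INTERNAL_DOMAIN and "spf=pass" not in auth:
        findings.append("sender: claims internal domain but SPF did not pass")
    return findings


def check_urls(body, resolve=lambda host: FAKE_DNS.get(host, ([], []))):
    """Flag links on the URL blocklist, in bad IP space, or served by bad nameservers."""
    findings = []
    for host in sorted({h.lower() for h in URL_HOST_RE.findall(body)}):
        if host in URL_BLOCKLIST:
            findings.append(f"url: {host} is on the URL blocklist")
        a_records, nameservers = resolve(host)
        for ip in a_records:
            if any(ipaddress.ip_address(ip) in net for net in BAD_IP_SPACE):
                findings.append(f"url: {host} resolves to {ip} in bad IP space")
        for ns in nameservers:
            if ns.lower() in BAD_NAMESERVERS:
                findings.append(f"url: {host} is served by blocklisted nameserver {ns}")
    return findings


def triage(raw_message):
    """Return a verdict and the reasons behind it for one plain-text RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = check_sender(msg) + check_urls(msg.get_payload())
    return {"verdict": "quarantine" if findings else "deliver", "findings": findings}


# Constructed sample messages (not real traffic).
PHISH_LOOKALIKE = """\
From: Jane Doe <jane.doe@it-helpdesk.example>
To: staff@example.gc.ca
Authentication-Results: mx.example.gc.ca; spf=pass smtp.mailfrom=it-helpdesk.example
Subject: Password reset required

Your account will be locked. Verify at http://login-reset.example/reset now.
"""

PHISH_SPOOFED = """\
From: Jane Doe <jane.doe@example.gc.ca>
To: staff@example.gc.ca
Authentication-Results: mx.example.gc.ca; spf=fail (sender not authorized)
Subject: Q3 figures

Attached summary also at http://cdn.other.example/q3.xls
"""

CLEAN = """\
From: Jane Doe <jane.doe@example.gc.ca>
To: staff@example.gc.ca
Authentication-Results: mx.example.gc.ca; spf=pass
Subject: Minutes

Minutes are on http://intranet.example.gc.ca/minutes
"""

if __name__ == "__main__":
    for label, sample in [("lookalike", PHISH_LOOKALIKE), ("spoofed", PHISH_SPOOFED), ("clean", CLEAN)]:
        result = triage(sample)
        print(label, result["verdict"], *result["findings"], sep="\n  ")
```

The nameserver check is what catches the second sample: its link host is on no URL blocklist and sits in clean IP space, yet the zone is served by a blocklisted nameserver, which is the "known bad registrars and/or name servers" step the post calls a further step forward. The compromised-legitimate-site exception the post mentions is still not covered, since such a host resolves into good IP space under good nameservers.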

So, those are some suggestions organizations can implement to reduce their vulnerability. The last one certainly isn't easy, but I would think you'd get a big bang for the buck there.

By Terry Zink, Program Manager
Comments

Additional techniques  –  The Famous Brett Watson  –  Feb 18, 2011 6:59 PM PDT

There's definitely a case for multi-factor authentication here. So long as people can be fooled into divulging all their authentication credentials, phishing is going to remain dangerously effective. You need to include something the user can't effectively divulge as an authentication factor.

There's also a good case for cloud-based email here. I don't worry so much about attachments, because I get Google to render them for me. The actual attachment never makes it as far as my computer, so it's not my computer that's immediately at risk. The attachments shouldn't be downloadable at all without first running a gauntlet of AV scanners, of course.

Thanks for the overview  –  Wout de Natris  –  Feb 19, 2011 2:16 PM PDT

Thanks for the overview. At last something like a positive note against the nothing can be done except disconnecting from the Internet choir I hear so often.
