Cyber Intelligence Report :
Canadian Companies Get Hacked
Cyber-security information from 29th October to 10th November 2022.
David Swan Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release – November 10, 2022
Cyber Intelligence Report
Canadian Companies Get Hacked
This report contains selected cyber-security information from 29th October to 10th November 2022.
1. WFCU Credit Union, Empire Company and Maple Leaf Foods were hacked, suggesting serious problems with the Canadian approach to cyber-security. Microsoft is reporting that some governments have increased the amount of hacking they are doing – especially on critical infrastructure. China has been stockpiling vulnerabilities. Lastly, Canadian Prime Minister is now aware of Chinese interference in Canadian elections.
2. WFCU Credit Union: On Friday [28th October], WFCU posted an alert to members stating “we have detected many weak Personal Access Codes (PAC), indicating some online banking accounts could be easily compromised.”Over the Halloween weekend WFCU Credit Union serving Wessex and Essex Counties in Ontario, “discovered unauthorized activity on some of its members’ accounts.” “Further investigation led us to believe that this unauthorized activity was being caused by bad actors preying on weak passwords and getting access, unauthorized access, into some of our members’ accounts,” WFCU president and CEO Eddie Francis said. WFCU took steps to close all access to “weak password protected accounts” by locking those accounts from online access.
3. According to the WFCU website, members who had their accounts locked must: “Adhere to industry standard complex password rules” … and “monitor their accounts for signs of unusual activity and ensure they sign up for security alerts on their online banking account.” Analysts Comment: The instructions leave me wondering why “industry standard complex password rules” were not being enforced and why members have to sign up for security alerts. I recognize that Credit Unions are not the same as charter banks however this makes me wonder how good Canadian banking security is.
4. Empire Company: On 7th November The Empire Company said: “an “information technology systems issue” was causing some of its pharmacies to experience difficulty fulfilling prescriptions. Signs posted at some stores also said the gift card and Scene points systems were down.” The company has not released any further information about the issues, and did not respond to questions posed by media. Empire Company owns 1,500 stores across Canada, including Sobeys, Lawtons, IGA, Safeway, Foodland, Needs and other grocery outlets.
5. Comments from cyber security specialists were blunt: “This is totally embarrassing for a company, saying I was held hostage and I had to pay a fine,” Robert Hudema with the Ted Rogers School of Management at Toronto Metropolitan University said. “A lot of companies are reluctant to spend money on things that are equivalent to fire extinguishers or alarms or things like that to prevent bad things from happening, and as a consequence, bad things happen.” Carmi Levy, an independent technology analyst said: “If you admit that you were hit by a ransomware attack, then you admit that you didn’t invest enough in cybersecurity and you didn’t take your clients’ and stakeholders’ data seriously enough. And nobody wants to admit that — it’s like the modern-day equivalent of the Scarlet Letter.”
6. Maple Leaf Foods: On Sunday 6th November Maple Leaf Foods reported it was “experiencing a system outage linked to a cybersecurity incident.” One source reported that the hack was reported on Friday 4th November, “just hours after that happened.” When the company’s statement and the IT World Canada reporting is combined the incident becomes much clearer:
A. “Upon learning of the incident, Maple Leaf Foods took immediate action and engaged cybersecurity and recovery experts,” the company said in a statement. Analysis Comment: I translate that ‘corporate speak’ as confirmation that Maple Leaf Foods was ‘hacked’ and suffered data loss.
B. “The company is executing its business continuity plans as it works to restore the impacted systems; however, it expects that full resolution of the outage will take time and result in some operational and service disruptions.” Analysis Comment: This infers that Maple Leaf Foods was hit by a ransomware attack. The logic is that ransomware attacks lock companies out of their own files, hence executing business continuity plans is a big indicator.
C. “a Maple Leaf spokesperson said in an email Monday morning that the outage is creating some operational and service disruptions that vary by business unit, plant, and site.” Analysis Comment: This infers the hack was discovered before the hackers could access and encrypt all systems. This happens to hackers when they break into complex corporate networks. Another possibility is that the attackers are not top-tier hackers, and made some mistakes.
7. Security Week made the following observation: “Maple Leaf is not the first large meat company to have its operations be impacted by a cyberattack. In mid 2021, JBS, the largest meat processing company in the world, was disrupted by a ransomware attack that forced an operational shutdown, just weeks after a similar incident shut down the Colonial Pipeline.”
8. Analysts Comment: Hacks of this scale [Empire Company and Maple Leaf Foods] are not easily resolved. In most cases, the organization pays the ransom. Paying the ransom does NOT guarantee that all files will be recovered. Restoring IT systems to full operation is normally a matter of weeks – NOT days. Further, it is common for a network that has been hacked to be hit a second time, especially if the organization has not rapidly patched and upgraded their security systems.
State-Based Hacking Has Increased
9. According to Microsoft’s third annual Microsoft Digital Defense Report state-based cyber attacks are increasing. Microsoft says cyberattacks targeting critical infrastructure have grown from 20 percent to 40 percent of all government attacks. The majority of those attacks are attributed to Russia however, Iran, North Korea and China have all increased their attacks on critical infrastructure.
A. Iran has launched: destructive attacks, ransomware attacks, hack and leak operations and ‘nuisance’ attacks [like the one that turned on Israeli air-raid sirens]. The most frequent target is Israel. The US and the EU are also on the target list.
B. North Korea is most notable for its attempts to hack cryptocurrency companies and cryptocurrency holdings. North Korea’s most successful hackers, the Lazarus Group have been upgraded from ‘criminal hackers’ to an ‘Advanced Persistent Threat’ and labelled a “state-sponsored hacking organization” by the F.B.I.
C. The Chinese Communist Party has approved its 14th Five-Year Plan, declaring: “informatization is entering a new phase of accelerated digitized development and building a digital China.” Historically when China listed technical development in its Five-Year Plan, one of the ways that manifested itself was in increased cyber espionage, and theft of intellectual property. China’s increased hacking activity suggests that hacking efforts to collect the best technology available are already underway.
10. China Stockpiling Zero-Days: Microsoft Digital Defense Report 2022 suggests that China is probably ‘stockpiling and deploying vulnerabilities’. This is based on observed activity and Chinese Internet regulations. In 2021 China implemented a law requiring Chinese makers of network software and hardware to “alert Beijing within two days of learning of a security vulnerability in their products.” China’s National Internet Information Office, Ministry of Industry and Information Technology, and Ministry of Public Security is in charge of coordinating and managing network security vulnerabilities. Article nine of the regulations says details of security flaws must be “kept under wraps until patches are available or special permission is granted by the government to go public.” Articles twelve to fifteen make it clear that “anyone who breaks these rules and related legislation will feel the full force of the Chinese government.”
11. Microsoft Security has made a direct link between China’s vulnerability reporting regulation that went into effect in September 2021 and a surge in zero-day attacks. Microsoft says “China’s government hacking groups have become “particularly proficient at discovering and developing zero-day exploits” after strict mandates around early vulnerability disclosure went into effect.” Microsoft urges defenders to ‘prioritize patching’ as soon as patches are available.
12. China Interfering in Canadian Elections: Global News reported that Canadian intelligence had concluded Beijing worked to undermine the democratic process by “targeting Canada with a vast campaign of foreign interference, which includes funding a clandestine network of at least 11 federal candidates running in the 2019 election.” Analysts Comment: None of this should be news. The People’s Republic has a history of hacking and other ‘interference’ in Canada, including indictments for stealing: “shipbuilding secrets (2013), satellite technology (2016), and espionage by a Toronto Permanent Resident (2017). Cyber forensic investigators, ranging from university computer security teams to cyber security firms, have provided overwhelming evidence of PRC cyber attacks.” The question is: will this election interference drive a change in Canadian Government policy? Will that policy include any cyber protection?
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact email@example.com