Cyber Intelligence Report
This report contains selected cyber-security information from 19th to 31st August 2023
David Swan Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release – 31st August 2023
Exploring the Canadian Centre for Cyber Security’s ‘National Cyber Threat Assessment’ 2023-2024
Let’s Talk Cyber Threats
Synopsis
1. This Cyber Intelligence Report addresses the ‘National Cyber Threat Assessment 2023-2024’ by looking at what that report did not cover. This starts with how much is being stolen. Spoiler – we don’t know. We take a quick look at the hacking profiles of Russia, China and North Korea. We then address the most Canadian questions: ‘Why?’ and ‘Why Us?’. My conclusion: the government is right for once, and this is going to hurt.
2. Russia vs Ukraine cyberwar. Russia appears to be committed to the following ongoing ‘Course of Action’ for its cyber forces:
Russian cyber forces, including allied and supporting hackers, continue to launch campaigns against Ukrainian targets, including perceived Ukrainian allies. Targeting includes infrastructure, political, and media organizations as well as targets of opportunity. The number, scope and quality of Russian cyber attacks continue to increase.
Let’s Talk Cyber Threat
3. This week the Canadian Centre for Cyber Security, part of Canada’s Communications Security Establishment (CSE), released the ‘National Cyber Threat Assessment’ 2023-2024.[1] The report focused on ‘cybercrime’ with few details and very little on states and state-based actors. Media coverage ranged from indifference from the CBC[2] to a fairly good look by Global News.[3] I received a phone call from QR 107 Calgary to talk about the report. Not surprisingly, the first question from Ted Henley, host of ‘The Drive’,[4] was: ‘Is the cyber threat really that bad?’ My answer: “It’s much worse.”
4. According to an R.C.M.P. officer interviewed by Global News as part of their coverage, the R.C.M.P. estimated that only 5 to 10 percent of cyber crimes are reported in Canada. The reported crimes amounted to $530 million CAD in 2022.[5] If that is only 10 percent of the total, criminals harvested at least $5.3 billion CAD from Canadian organizations before the increases in cybercrime we have seen in 2023.
5. The ‘National Cyber Threat Assessment’ said that the threat was ‘cyber criminals’ principally based out of four countries: China, Russia, North Korea and Iraq. This is, at best, an incomplete assessment. The ‘National Cyber Threat Assessment’ says nothing about the military hacker teams, the state-based threats, or the depth of the cyber campaigns being run.
Russia
6. Russia’s war against Ukraine has forced Russia to use its cyber resources overtly. This has allowed us to learn about their cyber organization and practices in detail.[6] We know who the government military teams are because members occasionally break operational security, which allows Western cyber security personnel to identify them. They are officers, often with computer science degrees.
8. Russia also provides ‘safe haven’ for criminal hackers – as long as they don’t hack targets inside Russia. Several dozen groups of hackers are resident in Russia (and satellite countries). Some of those groups have announced their ‘patriotic support’ for President Putin and Russia. Most of the most notorious hacker groups reside in Russia and are supporting the war against Ukraine. A recent article suggested that 4 of the 7 most dangerous hacker groups in 2023 are ‘Russia based’.[7]
9. Each of the different Russian hacker groups has different objectives. For example, there is speculation that the teams assigned to attack Canadian Energy companies are instructed to penetrate the companies undetected until President Putin needs them to destroy an oil pipeline or an electrical grid. Other teams harvest information, disrupt supply chains, embarrass organizations by disrupting their online operations, and discredit firms using ransomware. As the Canadian government provides an increasing amount of support to Ukraine, Russian hackers are more often being directed to hack Canadian targets.
China
10. Like Russia, China has both formal and informal structures for its hackers.[8] Again like Russia, China’s government hackers are military officers.[9] There are hacking organizations at various levels responding to strategic requirements (supporting Politburo demands), national requirements (supporting the CCP), and even regional requirements (responding to regional governance). There are also government/university/business cooperative hacking teams. China has its own criminal hackers as well as its own ‘patriotic hackers’.
11. China’s hackers operate differently, usually covertly where possible. First, China concentrates on acquiring intellectual property (IP). Second, many Chinese hacker groups concentrate on the Apple/Mac environment: China identifies more vulnerabilities in the Apple/Mac environment than any other country and produces most of the world’s Apple malware. Lastly, China simply has more hackers than any other country.
12. China also invests in accessing the critical infrastructure of other countries. For example, in May Microsoft identified that Chinese hackers had penetrated telecommunications and networks on U.S. bases on Guam.[10] When the indicators of compromise were published, it was discovered that China had penetrated many U.S. bases globally. Further, it was discovered that critical infrastructure such as water systems supporting U.S. bases in the continental U.S. had also been compromised.[11]
13. China has a long history of stealing IP from Canada, reaching back to NORTEL. The Alberta Council of Technologies warns technology-based start-up businesses to be careful to protect their IP. Their private warning is that talking to the wrong person will see the technology patented and in production on mainland China within six months.[12]
North Korea
14. North Korea specializes in robbing banks – all kinds of banks and all kinds of currencies, notably crypto-currencies. Currently the FBI is attempting to intercept $40 million USD in stolen Bitcoin before North Korea can ‘cash out’.[13] North Korea is capable of more, as demonstrated when they hacked a Russian missile engineering firm,[14] but that would appear to be the exception. Most of North Korea’s hackers are military officers with computer training (usually Chinese trained).
Why?
15. Why do hackers hack? It’s profitable, very profitable for the skilled actors. The Cl0p ransomware group is still processing the results of their MOVEit hack. At the time of writing the best estimate was 1011 organizations hacked (so far) and 49.0 – 53.9 million individuals compromised.[15] It is generally agreed in the cyber security community that the Cl0p ransomware group will gross more than $100 million USD from the MOVEit hack.
16. Why do hackers hack us (Canadians)? The short answer is that we are easy (undefended) targets and we pay ransoms. The Federal government rarely says anything about cyber security. There is a Canadian Centre for Cyber Security,[16] but it doesn’t advertise. If you go to their website you can find ‘guidance’ (if you do this it will reduce your risk), as well as advisories. The advisories warn of vulnerabilities that would allow hackers to access all manner of systems. That’s it. There is no government ‘effort’ to warn you of the threat.
17. The Canadian news media has not picked up on the ‘cyber threat’. When there was a major event such as the ransomware attack on the ‘Empire Group’ (or Sobey’s), there was minimal follow-up reporting. There were few reports of shortages, impacts on consumers, how staff were adapting, how supply chains were being rebuilt, etc. The effect on Canadians is a dangerous lack of awareness of hacking, its severity and the potential consequences.
Conclusion
18. Obviously there is a great deal more happening than is covered in the 40 page ‘National Cyber Threat Assessment’. I have not touched on election interference, influence operations, or a variety of other topics. The government is right about one thing: cyberattacks are going to get a lot worse, soon, and will remain that way. The government has done nothing to prepare us and this will probably hurt – a lot.
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact cidc@cscis.org