Monthly Rewire - May 2024
Wiring you into the Canadian cyber defence stories I'm following this month
May was marred by a series of major attacks on organizations, including a provincial government, a Canadian pharmacy chain, and high schools. The common theme is that you are vulnerable no matter who you are. While this may seem obvious, the Government of Canada has not prioritized country-wide cybersecurity.
State actor blamed for cyberattack on B.C. government systems
British Columbia announced that it had been the target of three attempts to breach its systems, and a state actor is suspected of being responsible for all three. Since the first incident was discovered on April 11, the BC government has worked closely with the Canadian Centre for Cyber Security and Microsoft.
The BC government has said the motivation is not known, but the premier has stated that the CIO has directed all public service employees to change their passwords “to ensure the security of government email systems.” At the very least, this suggests one of two things: the threat actor was attempting to gain access to email, or was trying to use email access to pivot into other systems.
Noteworthy here is that the government has explicitly said that this attack is not related to the attacks on London Drugs and the BC Libraries Co-operative. Although it is easy to say this now, both London Drugs and the Co-operative were targeted by ransomware groups. In the BC government case, the government has stated the attacker used sophisticated intrusion techniques and attempted to hide and cover its trail, which is an indicator of an advanced persistent threat (APT). APTs are most often state-backed groups.
Hackers release corporate data stolen from London Drugs
After weeks of London Drugs spinning the cause of and reasons for its cybersecurity incident, Lockbit forced their hand.
London Drugs says it was “unwilling and unable” to pay a ransom. This is a lie.
London Drugs was in negotiations with Lockbit, the group responsible for this attack. According to Lockbit, they demanded a $25 million ransom, but London Drugs offered approximately $7-8 million instead. This prompted Lockbit to post on its website that London Drugs was a Lockbit victim. Not long after, Lockbit removed London Drugs from its leak site. While I and many others initially thought they had paid, that appears not to be the case, as Lockbit has since released the corporate data.
It is important to note that this does not mean that London Drugs did not pay; they could have paid, and Lockbit could still have released the data. They’re criminals, so you can only trust them as much as any criminal. London Drugs’ president previously stated that there was no evidence that any information was stolen, which was likely said while negotiating with Lockbit over the ransom. While we can certainly expect this to be part of a strategy against Lockbit, it is also a matter of misinforming and intentionally deceiving the public about the attack. Just as London Drugs had no evidence information was stolen, we have no evidence that London Drugs did not pay.
The President of London Drugs should answer for intentionally misleading its customers, the general public, and its own employees, who are the primary victims of this attack.
RFI on the Canadian Program for Cyber Security Certification
Public Services and Procurement Canada has opened a request for information (RFI) on its development of the Canadian Program for Cyber Security Certification (CPCSC). I strongly recommend that you respond to this RFI if you are in the business of selling cyber security services, especially to the government.
The CPCSC is Canada’s equivalent of the US Cybersecurity Maturity Model Certification. In addition, Canada and the US are in close talks to ensure that CPCSC
I plan to write a dedicated article about the questions in this RFI soon.
UK 'increasingly concerned' about Russian intelligence links to hacktivists
UK officials are increasingly concerned about the growing connections between Russian intelligence services and proxy groups that conduct cyberattacks, according to Anne Keast-Butler, director of GCHQ (the UK’s equivalent of CSE). She stated that they are concerned about the changing relationship between the Kremlin and these proxies, noting that they are now being inspired and nurtured by Russia for non-state cyber operations. She emphasized the need for constant vigilance and collaboration to combat the global threat posed by Russia.
Russian intelligence services have long given Russia-based ransomware groups significant leeway in their activities, as long as they do not target Russians. I have heard that this even includes ransomware groups paying bribes to intelligence officers for protection. From the GCHQ director’s remarks, it appears that this is moving from de facto policy to full state policy.
This is a great concern, as it means that Russia is supporting these groups in targeting Western organizations and people. It is most often not the government that suffers, but the people who bear the brunt of these attacks. Although the Canadian government has been a victim itself, arguably it is businesses that suffer the most, spending millions every year to recover or pay ransoms.
U.S. Fears Undersea Cables Are Vulnerable to Espionage From Chinese Repair Ships
U.S. officials have issued warnings to telecommunications companies regarding potential vulnerabilities in undersea internet cables across the Pacific Ocean, which could be exploited by Chinese repair ships. The concern partly stems from Chinese company S.B. Submarine Systems (SBSS) allegedly obscuring the locations of its vessels from satellite and radio tracking services.
Over the last few years, and likely the last decade, we have increasingly seen unusual events involving the cutting of or interference with undersea cables, which carry internet and other communication traffic across the oceans. It now appears that the United States and others are increasingly concerned about China’s and Russia’s targeting of these cables for sabotage and espionage.
U.S. Marines and Canadian Soldiers plan to defend against cyber attacks
In late April, US Marines joined the Royal Montreal Regiment in Montreal, Quebec to conduct a joint training exercise, Cyber Harmony 2024. We only know this because the US Marines are telling us.
Government of Canada releases its “first” Enterprise Cyber Security Strategy
Most news agencies are getting this strategy completely wrong. No, this is not the first cyber security strategy for government departments. It is the first ENTERPRISE cyber security strategy.
This strategy covers nearly all Government of Canada networks, including Protected B and Secret networks. This may affect DND/CAF’s ability to procure Secret Cloud. Treasury Board policies already greatly limit DND/CAF’s ability to procure it in the first place, so there is a risk this strategy may reinforce these outdated policies.
So what’s the difference? Enterprise security is a holistic approach to securing data at all levels of a large organization, including data at rest and in transit. Cyber security is a much more narrowly focused activity centred on the protection of digital assets.
In some ways, this is similar to the difference between cyber security and information security.
CSE is warning Sporting Events about Potential Cyber Attacks
CSE is warning sporting events and attendees to be on guard, as they may be specifically targeted by threat actors. Specifically, the report states that, “The high profile and costly nature of major international sporting events make them a prime target for cybercriminals looking to exploit targets of opportunity for profit. They also provide a global stage for hacktivists and state-sponsored actors to gather information and publicly embarrass a target.”
This is quite specific about who may target them and why, which suggests that CSE has very reliable intelligence. Usually, when CSE or other intelligence organizations release threat bulletins like this, they have intelligence indicating that threat actors are actively attempting such attacks.
On a side note, Catherine Tunney is one of the better reporters covering cyber security in Canada, so keep an eye out for any reports she may be involved with.