Around the world, states, criminals and their proxies are seeking and exploiting opportunities to capitalize on digital vulnerabilities. Canada experienced an increase in such attacks in 2023, with key sectors such as energy and health care becoming prime targets.
Ransomware remains prevalent. Bad actors penetrate digital systems and extort payment, taking advantage of organizations’ limited capacity for downtime. The expanding cybercriminal tool kit includes, but is not limited to, the following:
- Distributed denial of service (DDoS): this type of attack overwhelms online services to render them unusable.
- Phishing, social engineering and scams: these are deceptive tactics used to extract sensitive information or install malware.
- Cross-site scripting: this involves the injection of malicious scripts into trusted applications or websites.
- SQL injections: these target data-driven applications with harmful code to compromise functionality.
- Zero-day exploits: these manipulate security vulnerabilities, challenging timely mitigation.
- Password attacks: these exploit user authorization system vulnerabilities to gain unauthorized access.
On January 15, Qulliq Energy Corporation, a power plant in Nunavut, suffered a network breach that crippled its administrative offices. Hydro-Québec’s website also experienced a DDoS attack on April 13. This came a day after the websites of the port authorities in Montreal and Halifax crashed. In late June, Suncor Energy confirmed that an unauthorized party had breached its IT network. The disruption impacted the company’s Petro-Canada subsidiary, which includes more than 1,500 retail gas stations. Meanwhile, the International Joint Commission, a body that manages water rights along the US-Canada border, confirmed on September 7 that its IT security infrastructure was targeted by a ransomware gang. The perpetrators claimed they’d stolen and encrypted a flood of confidential data and posted it to the dark web — a corner of the internet often used for illicit purposes.
Assaults targeting hospitals are becoming increasingly frequent. In early November, patient data was not only pilfered but also allegedly made public when five Southwestern Ontario hospitals, using TransForm Shared Service Organization, reportedly suffered a blackmail attempt and ransomware attack. In addition to the data thefts from Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare and Windsor Regional Hospital, the attack also blocked the hospitals’ access to Wi-Fi, email and patient information systems, resulting in postponed procedures and cancelled appointments. In a joint news release on December 14, the hospitals confirmed their systems are starting to make their way back online. A $480-million class action lawsuit has been filed against them and the IT company that services the hospitals.
This incident occurred almost a year after a notorious Russian malware group, LockBit, issued an unprecedented apology, offering to hand over a free decryptor to unlock data it had targeted in a December 2022 attack on Toronto’s Hospital for Sick Children. The assault delayed lab and imaging results, knocked out phone lines and shut down the staff payroll system for weeks. The group faced additional allegations on April 23, relating to its involvement in a July 2022 ransomware attack against the town of St. Marys in Ontario. The incident reportedly cost the town $1.3 million.
Attacks directed at the city of Richmond in British Columbia on June 7, and the Halifax Regional Municipality on June 9, further emphasized that municipalities are also targets, exacerbated by resource constraints that hinder their capacity to stay current with necessary security protocols, hardware and training.
Canadian federal departments responsible for overseeing national security also experienced attacks in 2023. Hackers temporarily disrupted the Canadian Armed Forces website for several hours on September 28. At the same time, a DDoS attack claimed by the hacking group Indian Cyber Force affected the House of Commons and Elections Canada websites.
Simultaneously, Brookfield Global Relocation Services, a private firm tasked with assisting Canadian military and foreign service personnel during relocations across the country and globally, confirmed unauthorized access to information on September 29. The investigation is ongoing. In a separate incident, Black & McDonald, an engineering powerhouse that works on military bases and electricity generation plants, sustained a ransomware attack on March 8. Specifics surrounding the attack have not been revealed.
The Canada Border Services Agency acknowledged being targeted in a wave of DDoS attacks on September 17. The attack impacted check-in kiosks, slowing border checkpoints across the country. A group identifying itself as NoName057(16) claimed responsibility. This is a group of pro-Kremlin “hacktivists” who orchestrate relatively simple and short-lived DDoS attacks with the help of hundreds of volunteers.
Organizations peripheral to government are also vulnerable. For example, an unauthorized party embedded malicious code on the Liquor Control Board of Ontario website on January 12, in an effort to gather customer information. Indigo, Canada’s largest bookseller, faced an attack on February 8 that disabled its stores’ ability to process debit or credit card transactions for several days. The incident halted online sales for almost a month, resulting in a loss of nearly $50 million for the company. Gateway Casinos and Entertainment also had to close all of its Ontario locations for two weeks after a “system-wide malfunction” that hit the gaming operator on April 16.
On September 11, Pelmorex Corporation confirmed a ransomware attack, attributing it to a third-party software provider. The incident disrupted the Weather Network, MétéoMédia and Canada’s national emergency alert system, Alert Ready. This system, mandatory on cellphones since 2018, broadcasts alerts for various emergencies, including child abductions, climate catastrophes and active gun violence. LockBit orchestrated that attack, threatening to expose company data unless a payment was made by September 24. Pelmorex chose not to pay the ransom after an internal investigation revealed inconsistencies in the hackers’ claims. The decision underscored the risks of giving in to ransom demands, as it can encourage further extortion attempts.
We should also note the assault on the Toronto Public Library on October 28, which led to a data breach exposing personal details of current and former employees, including social insurance numbers and government ID copies dating back to 1998. The library did not pay a ransom and is reportedly aware that stolen data connected to the cyberattack may end up on the dark web. The information system has been suspended since the October attack and is expected to resume in January 2024.
In short, as we enter 2024, all indications are that cybercriminals are growing more sophisticated and ambitious. Canadians must respond by stepping up their cybersecurity game.
Collaboration with experts from both the private and public sectors is crucial. There’s an urgent need for standards, including incentives for organizations to invest in updated equipment and training. At the same time, public-facing organizations should prioritize transparency and public education. Open communication about the risks and costs of these attacks will encourage a more proactive approach to cybersecurity.
Modern societies’ growing reliance on networks is clearly making us more vulnerable. If we’re to attain cybersecurity resilience, we must go beyond mere adherence to standard procedure. Canadian businesses and institutions need to move quickly to better safeguard our people, networks, businesses and institutions.