China-based hackers installed malware on NRC computers, report claims
Summertime attack on NRC network involved tempting emails, malware and password theft, a federal report says
OTTAWA—Chinese hackers used tempting emails, malware and password theft to worm their way into National Research Council (NRC) computers in pursuit of valuable scientific and trade secrets, a newly released federal analysis reveals.
The attack, which prompted a shutdown of the federal research agency’s computer network in July, relied on textbook moves commonly seen in state-sponsored digital assaults, says the case study by the Canadian Cyber Incident Response Centre (CCIRC).
Highly skilled perpetrators used complex techniques to infiltrate the NRC and “establish a foothold” within its networks, says the study, released under the Access to Information Act.
Portions of the document remain secret because they deal with computer-system vulnerabilities or methods used to protect networks.
The council carries out advanced research—often with outside partners—in fields including aerospace, health, mining and physics.
Government officials publicly confirmed the attack in late July and took the unusual step of openly blaming the intrusion on a highly sophisticated, Chinese state-sponsored player.
Beijing has denied involvement, accusing Canada of making irresponsible charges.
The CCIRC’s report details the “exploitation cycle” of the attack, saying it began with the collection of valid email addresses for research council employees.
Messages containing malicious links were then sent to the employees’ inboxes—a tactic known as “spear phishing.”
Those who unwittingly clicked on the innocent-looking links set the next phase in motion: the links led them to what cyber-sleuths call a “watering hole website,” a site of likely interest to people working in a specific organization or industry.
“In this case, malware was downloaded onto the victims’ system after users, using a vulnerable version of (Microsoft Corp.’s) Internet Explorer, visited compromised websites,” the report says.
Installation of the malware then allowed the hackers to set about stealing credentials such as usernames and passwords, the keys to the corporate network.
This allowed the hackers to connect the compromised research council system to their computers abroad.
“The apparent objective of this activity is the theft of intellectual property, trade secrets, and other sensitive or proprietary information,” the centre’s report says.
However, the report does not say what, if any, secrets were stolen, perhaps because it was written while officials were still assessing the damage.
At the time, the federal privacy commissioner’s office said the hackers had infiltrated a system containing personal information.
Despite the exposure of personal data, the commissioner’s office said last month it had not received any complaints.
“It is also unclear as to whether any personal information has been compromised,” said Tobi Cohen, a spokesperson for the privacy commissioner.
“We are satisfied that the organization took appropriate steps to notify employees and other parties about the cyber-intrusion and that efforts are underway to update (information technology) systems and security procedures to prevent this from happening again,” she added.
“At present, our review of the incident is complete. However, this does not preclude us from investigating should we receive a complaint or should new information come to light.”
Following the breach, the CCIRC distributed two technical notices to increase awareness of telltale signs associated with the malicious activity.
It has also recommended steps to detect, respond to and recover from these threats.
However, given the success of such cyber-operations, the centre “expects that these types of attacks will continue,” the report says.
“Most often, attacks of this type are detected by diligent and well-informed users,” the centre adds, calling for better education about the risks.
“Organizations and users are encouraged to be cautious when receiving emails that contain suspicious attachments or links.”