Parliamentary Committee Notes: Ransomware and Russian State-sponsored Advanced Persistent Threat Actors
Date:
Apr 20, 2022
Branch/Agency:
NCSB/NCSD
Issue:
You have been invited to appear before the Standing Committee on Public Safety and National Security to discuss Canada’s security posture in relation to Russia where ransomware and Russian advanced persistent threat actors may be discussed.
Proposed Response:
- The Government of Canada has seen a significant increase in ransomware incidents across the country, especially since the beginning of the COVID-19 pandemic, affecting individuals, critical infrastructure, businesses, and all levels of government.
- The Government takes the threat ransomware poses to Canada and Canadians seriously. The Government does not condone paying ransom to cyber criminals and encourages all Canadians to report instances of ransomware to law enforcement and to the Canadian Centre for Cyber Security.
- The Canadian Centre for Cyber Security has assessed in its 2020 National Cyber Threat Assessment that state-sponsored programs, including those of Russia, pose the greatest strategic threats to Canada. State-sponsored actors are very likely attempting to develop cyber capabilities to disrupt Canadian critical infrastructure to further their goals.
- In addition to the mitigation measures in place to prevent ransomware, the Cyber Centre also publishes threat bulletins and other informational resources to assist Canadians in navigating the threat posed by cybercriminals and state-sponsored threat actors. Two bulletins were released in January and February 2022 addressing the Russian cyber threat.
- Canada and many likeminded partners and allies have publicly attributed malicious activities to specific state actors, including Russia, which has significant cyber capabilities and a demonstrated history of using them irresponsibly.
Responsive Lines:
- Cybercrime events involving foreign state actors fall within the RCMP’s Federal Policing mandate and should always be investigated from a criminal point of view. These actions can result in arrest, seizure of equipment, or disruption to the criminal operations.
- There are currently a number of active Federal Policing investigations into advanced persistent threats targeting Canadians, the Government of Canada and critical infrastructure systems.
Background:
Ransomware Threat
Ransomware is a type of malware that, once installed on a device, denies the victim access to their data (typically by encrypting it) and extorts a payment to restore access, or to prevent the threat actor from leaking stolen information to third parties. Ransomware is an accessible tool for cyber criminals, but it is also used by state and state-sponsored advanced persistent threat actors (APTs) to achieve strategic and geopolitical goals.
Many Canadian victims give in to ransomware demands due to the severe costs of losing business and rebuilding networks, as well as the potentially destructive consequences of refusing payment – these could include the publishing of sensitive records online, or auctioning off of sensitive records on dark web marketplaces.
Ransomware has become more frequent, sophisticated, and severe in recent years, sometimes threatening the health and safety of Canadians, and Canada’s national security. Many prominent Canadian ransomware incidents have garnered media attention in recent years, and have caused significant disruption to services or businesses Canadians depend upon.
In the Canadian Centre for Cyber Security’s (Cyber Centre) recent threat bulletin, The ransomware threat in 2021, ransomware is noted as being very profitable for cybercriminals. High-profile criminal groups specializing in ransomware have emerged, such as “DarkSide,” which the United States (US) identified as being responsible for the Colonial Pipeline ransomware incident in 2021.
Russian Threat
While these criminal groups often claim not to have political affiliations, many are thought to be located in Russia and other ‘safe havens.’ The Cyber Centre’s bulletin assesses that Russian intelligence services and law enforcement almost certainly maintain relationships with cybercriminals, either through association or recruitment, and allow them to operate with near impunity – as long as they focus their activities against targets located outside Russia and the former Soviet Union.
The Cyber Centre’s National Cyber Threat Assessment 2020 judged that while cybercrime is the most likely threat faced by Canadians, the state-sponsored programs of China, Russia, Iran, and North Korea pose the greatest strategic threats to Canada, and that state-sponsored actors are very likely attempting to develop cyber capabilities to disrupt Canadian critical infrastructure to further their goals.
Canada, in coordination with likeminded partners, has publicly attributed malicious activities to specific actors. Incidents Canada has attributed to Russia include the SolarWinds software supply chain compromise (disclosed in December 2020 and attributed in April 2021), the 2020 targeting of COVID-19 research, response, and recovery efforts, the 2019 disruption of Georgian media and democratic institutions, and the 2017 NotPetya attack, destructive malware disguised as ransomware, which caused significant disruption to critical financial, energy, government, and infrastructure sectors around the world.
In January and February 2022, the Canadian Centre for Cyber Security issued threat bulletins encouraging critical infrastructure network defenders to bolster their awareness of, and protection against, Russian state-sponsored cyber threats. The Government of Canada has increased its engagement with critical infrastructure owners and operators in light of the current threat environment.
As part of Canada’s response to Russia’s invasion of Ukraine, Canada has made multiple supporting statements over social media condemning malicious activities that Allies have attributed to Russia, including incidents affecting Ukraine’s government systems and banking sector.
Royal Canadian Mounted Police
The Royal Canadian Mounted Police’s (RCMP) Federal Policing Criminal Operations-Cybercrime program has the investigative mandate to target the most significant threats to Canada’s political, economic, social, and reputational integrity. Specifically, it focuses on criminal activity that targets the federal government, threatens Canada’s critical infrastructure and key business assets with high economic impact, and involves the use of computer systems to attack or compromise Canadian institutions by groups or organizations acting on behalf of foreign states. Under this mandate, the greatest impact is realized by conducting investigations to identify and target Cybercrime-as-a-Service, criminal networks conducting illicit activity in the cyber realm, and hostile foreign actors (state and non-state). There are currently a number of active Federal Policing investigations into APTs targeting Canadians, the Government of Canada and critical infrastructure systems.
As a National Police Service, the RCMP National Cybercrime Coordination Unit (NC3) coordinates and assists cybercrime investigations in collaboration with Canadian and international law enforcement partners. NC3 and the Canadian Anti-Fraud Centre (CAFC) are also building a new National Cybercrime and Fraud Reporting System for victims to report cybercrime and fraud incidents to law enforcement, which is planned for full implementation in 2023.
Contacts:
Responsible Manager: [REDACTED] National Cyber Security Directorate, [REDACTED]
Approved by: Dominic Rochon, Senior Assistant Deputy Minister, National and Cyber Security Branch, 613-990-4976