Why Canada suffers so many cyber attacks and why we are all at risk – Macleans.ca

(Photographic illustration of Maclean’s; photo courtesy of iStock)

In recent months, there have been a series of high-profile cyberattacks against large Canadian retailers, critical infrastructure systems and, most recently, the City of Hamilton. Not even the Toronto Zoo is safe from the wide reach of online vulnerability. And as the world goes digital and more crimes unfold in cyberspace, the threat will only increase over the next two years, says Sami Khoury, director of the Canadian Centre for Cyber Security and author of a new report detailing the increase in attacks for both financial and geopolitical reasons. And yes, as with everything else, AI makes it even scarier.

It seems like not a week goes by without news of a new high-profile cyberattack: the Toronto Zoo, the LCBO, SickKids, Sobeys, Indigo, the RCMP… the list goes on. What is driving this wave?

The bottom line is that cybercriminals have found a way to make money through ransomware attacks. When the world first went digital, cybertechnology was a tool of states, another way for countries to spy on each other. But then these tools began to leak and fall into the hands of criminals, which is when we saw the beginning of for-profit ransomware attacks. Initially, a criminal would break into a computer system, lock it, and demand a payment to unlock it. This has become less effective over the years as more companies have backed up their data. Instead, most criminals today steal information from a company and then demand payment to return that information. We also increasingly live in the digital world, increasing our threat surface and providing more opportunities for bad actors to exploit. During the pandemic, many companies rushed to go digital. Safety may not have been their primary concern in that predicament.

Let’s say I’m a large department store. What type of information do I have that can be stolen?

Most of the time, stolen information is simply discarded data: name, address, date of birth, social security number. If the affected company or institution is not willing to pay the ransom, the information is published on the dark web as something that other criminals could exploit. Everything has a price: 50 cents per credit card number, two dollars per passport number. This type of personal information is used to fuel scams, typically phishing schemes that have become commonplace.

Of course, institutions are also greatly affected. The average cost of ransom payments reported in Canada is around $300,000, but there is also the cost associated with having to take the entire system offline to prevent any spread. Getting it back up and running can be very expensive, both in terms of hiring technical experts and having your business offline for days or weeks. And if you’re a business with customers, there will be a cost in terms of relationships and rebuilding trust.

I guess the hacker stereotype of the internet nerd who lives in a basement is no longer accurate.

There are still hackers who live that life. They are the ones who develop the hacking tools, only now they are selling them to more sophisticated criminal enterprises like Lock Gate and Black Cat, cyber gangs that operate with a real business model called RaaS or Ransomware as a service. These groups rent their ransomware tools to other criminals and keep a portion of the ransoms paid by victims. Nowadays, you don’t need to know coding to launch a cyberattack, you just need to know how to navigate the dark web and other people will do it for you.

If it’s all about money, why target public organizations and not a big bank?

We do not speak publicly about specific incidents but, in general, these are targets of opportunity. It’s not someone on the dark web saying, “I’m going to go after this or that organization,” but they may have found a weak point in the organization’s computer system that they can breach. Or someone within the organization clicked on a phishing email, a fraudulent email that tricks employees into sharing information, allowing a criminal to catapult themselves into the network without breaching external defenses.

I’m thinking about those scenes in Mission Impossible where Tom Cruise tries not to activate any of the laser cables. Now it’s just clicks?

Good. By clicking, you can allow a malicious actor to bypass all of your organization’s defenses and, once inside, communicate with outsiders.

Speaking of movies, paying a ransom is often presented as an ethical dilemma, but you say it’s more of a business decision.

In Canada there is no law prohibiting the payment of ransoms. The government does not recommend it, but yes, it is a calculation. Any company considering it should keep two things in mind: First, this is a criminal and there is no guarantee that they will hold up their end of the bargain. In some quarters there is honor among thieves, but at the end of the day you just don’t know it. We have heard cases of double jeopardy where they ask for a ransom to unlock the system, only to delete your information again. Second, if word gets out that you paid a ransom, perhaps another group unrelated to the first will target you.

For companies that decide to pay, I assume they won’t put unmarked bills in a suitcase.

That’s how it is. Ransoms are usually paid through a cryptocurrency exchange, so it is paid in Bitcoin laundered with other Bitcoin sources, making it difficult for authorities to trace the payment back to the cybercriminal.

Are there professionals specialized in handling these types of situations?

They are called breach coaches – professionals who will hold your hand during a ransom negotiation – but ideally, organizations should invest in cybersecurity to avoid these situations in the first place. If an incident occurs, our organization has published a ransomware playbook that contains plenty of guidance on how to protect yourself. We encourage anyone who has been a victim of an attack to report it so we can help. Our services are totally confidential. We know that cybercrime is often underreported, perhaps out of embarrassment or because victims are too busy handling the immediate situation. In 2023, we received 305 ransomware reports from both individuals and businesses. The real figure would be five or ten times higher.

What is the biggest cybersecurity mistake you see companies making?

We hear people say, “I’m a small to medium-sized business, why would anyone come after us?” But that is not the point. It doesn’t matter if you’re a zoo, a bank, or a small business: if cybercriminals find a weak point, they will exploit it. These weaknesses are almost always based on a lack of updating. Whether it’s an iPhone or a corporate server, the update notifications you receive not only serve to increase functionality but also close vulnerabilities.

So running an old operating system is like leaving your keys in the glove compartment?

Exactly. That’s why I always say patch, patch, patch.

We are also seeing cyber attacks against critical infrastructure and governments. Last year in the energy sector, this month, the RCMP. Is the motivation different for attacks against public institutions?

That really depends. Ransomware attacks can hit critical infrastructure and governments, but in cases of nation-state-driven attacks, the motivation is usually strategic, either to steal some kind of valuable information (perhaps Russia or China want information about Canada’s oil reserves, for example) or to destabilize. Russia cut off power to Ukraine two Christmases in a row in 2014 and 2015. You can imagine that if that happened in Canada, the impact would be devastating.

How serious is that threat?

In December, we published a national cyber threat assessment calling out Russia, China and Iran, countries that have demonstrated the ability to hack our infrastructure and remain idle in the hope of one day doing something. Last year, as part of a joint operation with US intelligence, we caught China hiding in critical infrastructure networks, and we can assume they were not hiding to get money.

You mentioned phishing emails as a growing problem. What’s your best advice on how to avoid them?

Everyone has to be very critical of the emails they receive. Phishing is now more sophisticated. Previously, you only needed to look for strange phrases and grammatical errors to know that something was fake, but now cybercriminals are using ChatGPT to create emails that are indistinguishable from real ones. And it is moving from the written word to also voice and video. You can go to YouTube and listen to my voice in an interview I did and now you can make my voice say whatever you want.

You are talking about deepfakes. Was Taylor Swift a hot topic in the office in January?

Deepfakes were definitely a topic of conversation, and still are, particularly from an election security standpoint. Increasingly we are seeing cyber threat actors using AI to generate misinformation, whether it be fake phone calls or videos. More than half the world will vote next year, so this could have huge consequences.

