Q: What vulnerabilities are embedded in the Cold Chain Equipment Optimization Platform (CCEOP)? What would the consequences of a successful hack have been?
A: The CCEOP is one of the most complicated supply chains in the world. The Pfizer vaccine requires storage at -75 degrees Celsius. It can be kept in a freezer farm for up to 6 months but requires dry ice to keep it extremely cold during transport. Any stage of that chain is open to potential hacking. The IBM report included detection of hacks of various organizations within the CCEOP supply chain, including organizations in the energy sector.
They suspect a solar panel manufacturer in South Korea could have been hacked, because several trucks delivering the vaccine use South Korean-manufactured solar panels. Other organizations included a German web development company that creates websites for pharmaceutical clients—this could have opened a backdoor through the developer. We saw a similar attack over the summer when IP was stolen from Canadian research facilities. There may be business-related information about purchasing and pricing that could have been stolen. Ransomware may have been part of this attack as well.
Q: What actors do you think are the likely perpetrators of these hacking attempts, who were the main targets, and what was the rationale for this attack?
A: Canadian, U.S., and UK cyber intelligence agencies put out a joint warning that they had detected Russian government hacking attempts on Western research facilities in July. However, there has been no attribution to this latest attack. IBM has indicated that the level of sophistication suggests it was a nation-state actor, and that the campaign started in September 2020. This attack is like the one we saw in 2016, when DNC servers were hacked by the GRU, which uses NotPetya malware.
The goal of these attacks is to gain access to those networks within those supply chains to potentially gather intelligence, extort money, disrupt those supply chains, and there is possibly malign intent as well. Some of these are goals of Russian and Chinese governments. The EEAS warned us in March that this could happen. We have seen warning signs of attacks such as this throughout the past year as well. We’ve seen what happens when these attacks have happened in the past.
The media and the experts talk about how to defend against these attacks and it really does come down to an individual’s cyber hygiene. We are not talking about deploying systems that cost 10s of millions of dollars. This is basic cyber literacy. That means ensuring your password is not “password” or your birth date — ideally a multifactor authentication. Training is clearly needed, certainly in private businesses, and individual Canadians should be learning more about these sorts of practices. The recent CCCS report indicated that Canadians lost some 50 million dollars to cybercrime in 2019 alone. A lot of this can be avoided just by practicing some very basic cyber hygiene.
Q: The CCCS released a report claiming that state-sponsored actors are likely attempting to develop cyber capabilities to disrupt Canadian critical infrastructure. What capabilities are likely in development, and what disruptions are experts most concerned about?
A: A perfect example is the NotPetya ransomware attack. In 2017 GRU attacked a group of hospitals in Pennsylvania. ICUs were targeted and critical machines within the intensive care unit were shut down for about a week. The GRU then demanded a ransom. That attack demonstrates how deeply some of these state-based actors can penetrate as well as how much damage they can do. The costs of NotPetya attacks have amounted to approximately one billion dollars. In Ukraine, a NotPetya attack shut down critical infrastructure, electrical systems, and the radiation monitoring system at Chernobyl. The recent CCCS report warned that Canadian infrastructure is also at risk—specifically our electrical infrastructure.
IoT presents issues as well. We are relying more and more on devices and programs attached to our phones. These attacks are even worse when combined with various types of information warfare. In the four years since the DNC server hack, disinformation narratives have been amplified and polarized in the U.S. It is exactly the kind of Western world Putin wants. When combined, disinformation and the hacking of critical infrastructure is an extremely powerful tool. In many ways, the Russian government has been able to destabilize American democracy at a cost of less than a single battle tank and no loss of life. If that is the cost of this kind of warfare and it is so effective, then why not engage in it?
Nonetheless, some states are starting to impose costs on state-based actors. The U.S. recently announced sanctions on several GRU agents who were involved with hacking. Canada has not done that yet. The government needs to start imposing consequences on governments that do engage in this sort of hacking, because right now they are operating with relative impunity. We can push back with active cyber capabilities and active counter-disinformation capabilities. However, Canada is not there yet. I think we are far away from acknowledging the problem. There is a very alarming reluctance in the Canadian government to attribute these attacks to nation-states when they are coming from them.
Q: What kind of impact has pandemic-related disinformation had on the government’s ability to inform the public and address various Covid-19 related issues? What have some of these disinformation campaigns looked like?
A: There is a myriad of narratives that have been put out there. There were suggestions in Russian media, which got picked up on conspiracy theory websites, that the virus was developed inside a U.S. bioweapons lab. It was then published on Global Research—a Canadian conspiracy theory website, which was recently identified by the State Department as being one of the pillars in the Russian disinformation network. This site employed eight GRU agents as writers for their platform. The Covid-19 origin conspiracy theory appeared on several platforms and was further amplified by Chinese diplomats.
The [most harmful] are the ones suggesting that there is no pandemic, that this is some manufactured crisis—Bill Gates and George Soros are behind it, big pharma is behind it. One of the worst narratives we are seeing is the anti-mask movement. I’ve seen a number of state and Kremlin-aligned actors promoting these narratives on social media platforms which often advocate anti-mask rallies. The terminology contained in these narratives—the tyranny of our governments, that they’re trying to impose totalitarianism on our societies, is completely absurd.
One of the most alarming aspects of this growing threat is incidents of public officials legitimizing very bizarre conspiracies. Ontario MPP Randy Hillier suggested that quarantine centres are being used as incarceration camps for Canadians. Derek Sloan, a federal MP from a nearby riding, has put out a petition containing several known false narratives and conspiracy theories.
These latest hacking attempts reinforce a greater need for cyber hygiene and cyber literacy in critical organizations. We can’t always rely on big tech to detect these attacks for us. It will take a coordinated effort from the government to help ensure critical infrastructure is protected and important organizations have the right cyber security defensive protocols in place. This is a growing problem. We need to coordinate a broader effort to combat these threats. If we don’t, then we are at serious risk.
Marcus Kolga is a digital communications, global human rights, sanctions, disinformation and cybersecurity expert. He is a writer, documentary filmmaker and political activist. He comments regularly on foreign policy, international human rights and disinformation issues in Canadian and international media, and his opinions are frequently published in Canada’s national newspapers including The Globe and Mail, Toronto Star, Ottawa Citizen, and other international publications.