LFP LONGFORM: Digital pirates search for prey in Southwestern Ontario

It may have just been a coincidence.

But the revelation by Stratford officials on Sept. 19 that the city paid $75,000 to a hacker to regain access to its computer network following a cyber attack five months earlier was followed by a wave of cyber attacks across Southwestern Ontario.

In little more than a week, Woodstock city hall, Woodstock police, hospitals in Wingham and Listowel and an auto parts manufacturer in Strathroy also came under attack.

Employees lost access to their email, phones and data, and the public was cut off from using websites to obtain and provide information. IT departments, police and private investigators worked overtime to restore systems and hunt down those responsible for the attacks, which indicate nothing is off limits for hackers out to make a few bucks.

Worldwide, cyber crime has become a multibillion-dollar industry. Large corporations, especially those handling money and personal information, have long been targets – think the Yahoo and Equifax hacks in recent years.

But less noticeable are the municipalities and public agencies – hospitals, school boards, police departments – targeted and crippled, often for weeks and months, by cyber attacks that can take out everything from email systems to 911 dispatch centres.

***

On Sunday, April 14, Stratford city hall posted a short message on its Facebook page saying officials are “managing what appears to be a cyber attack.

“Resources have been deployed to address this, and appropriate risk management plans are being followed. . . . Our email systems and online forms are currently not available, but feel free to call or visit our offices in person during business hours tomorrow,” the message read.

Stratford’s response to the “ransomware” attack was detailed in a report by the city released Sept. 19.

Malware from a hacker infiltrated eight of the city’s servers on April 14, locking up data. The servers were taken offline to contain the attack.

The city started negotiations three days later with the hacker over ransom payment. After the city paid $75,000 in Bitcoin – a digital currency that is difficult to trace – the hacker provided “decryption keys” allowing officials to unlock the data.

The city returned to normal operations April 29. City staff said they didn’t find any evidence of data theft or transfer. Stratford police and the OPP continue to investigate the cyber attack.

Stratford Mayor Dan Mathieson said the city decided to pay the ransom “in consultation with our insurer and in the best interests of protecting data.”

Every municipality is a potential target for hackers, and some may not be taking the threat as seriously as they should.

“It’s safe to assume every municipality feels they’re in good shape,” said Mathieson, a spokesperson on cyber security for the Association of Municipalities of Ontario.

***

Municipal computer systems are low-hanging fruit for cyber attackers, an expert says.

“It is a combination of lack of budget, very complex systems – some of which are aging – and a lack of in-house expertise,” said Brett Callow, a spokesperson for Emsisoft, an anti-malware company based in New Zealand that operates around the world.

Ransomware is often launched through email: an employee clicks on an attachment, allowing a virus into the computer. The virus then makes its way into other connected computers.

“There is really no way to prevent this from happening,” Callow said.

In Canada, no one tracks how many organizations have been hit by ransomware attacks, or how much it’s costing. Though some might have an idea, that information isn’t public.

“It has emerged as the most significant threat in the cyber security sector. We are not overstating it when we call it an epidemic,” said London-based tech analyst Carmi Levy.

The deepening concerns this week prompted a public warning from London police, urging people to be “wary of ransomware attacks” after a small business in the city was hacked last weekend.

“The criminals behind these attacks don’t care how big or small your company may be,” Det. Jason Eddy, head of the London police digital forensic unit, said in a statement. “They only care about getting as much money as they can from you.”

***

Experts are divided about how municipalities and other agencies hit by a cyber attack should respond.

Paying a ransom sets a precedent and may encourage more attacks.

“If you show a willingness to pay, the hacking community will target you in the future,” Levy said. “And if you pay once, you’re probably not investing in the type of protections to keep from being victimized again.”

And there’s no guarantee hackers won’t take the money and disappear.

But choosing not to pay is taking the moral high ground, a position that may be hard to defend in a crisis, said Gord McKay, a former mayor of Midland.

The central Ontario municipality paid a ransom after it was targeted in a cyber attack in September 2018.

“It didn’t take us any time to decide at all,” McKay said. “You could play with these cyber attackers for months. This is just where you have to grin and bear it.”

Paying the ransom is often cheaper than rebuilding entire computer networks from scratch, which can take weeks and is costly.

As cyber risk co-ordinator at Deloitte, Kent Schramm is on the front lines in helping municipalities escape the clutches of a cyber attacker. The company’s goal is to “stop the bleeding,” he said, even if that means paying the ransom, with Deloitte acting as an intermediary, and moving on.

It’s an “honour among thieves” mentality – the notion that others might not pay in future if an attacker doesn’t deliver – that allows Deloitte to usually recover its client’s information, Schramm said.

“All their corporate data is encrypted. They’re basically dead in the water,” he said. “That’s when some of those tough decisions have to be made around the table. What’s the cost of paying? What’s the cost of not paying?”

A municipality’s second call, in the wake of a cyber attack, may be to the local police force. They, in turn, often call the OPP’s cyber investigations team.

“Because cyber investigations are still brand new, a lot of services, at least the smaller services, they don’t know where to start,” Det. Insp. Heath Crichton said.

Investigators face a steep challenge finding hackers because it’s easy for them to hide their tracks, he said.

“The internet and the dark web, it all kind of comes together to make that more difficult,” Crichton said. “We’ve had limited success to date, but again, we’re still new at this.”

***

Education and prevention are the key for municipalities to avoid becoming the next victim of a cyber attack.

“The end user is the strongest link when it comes to cyber security, and they’re also the weakest link,” Schramm said.

Ali-Akbar Ghorbani, a computer science professor at the University of New Brunswick and Canada research chair in cyber security, said the human error that opens the digital gate to cyber attackers can be “innocent ignorance” in staff not spotting an infected email, or fatigue among IT employees.

After Wasaga Beach suffered an attack in April 2018 that cost the municipality nearly $300,000 in ransom, staff overtime and consultants, the town increased staff training and switched to new anti-virus software. It keeps two copies of backup data and reviews its disaster response plan, including a cyber attack scenario, every six months.

But if that fails and municipalities are still attacked, they need to have a strong backup system and response plan, Ghorbani warns.

“It’s a necessity. Now that there is a more serious threat, individuals, and companies and municipalities should all be prepared to reinvest.

“If they have good infrastructure, a good backup system, they can say to the criminals, ‘Go to hell, do whatever you want. I can recover quickly.’”

RECENT SOUTHWESTERN ONTARIO CYBER ATTACKS

  • April 14: The city of Stratford alerts residents in a Facebook post about a cyber attack on its network. Ransomware – a computer program that denies access to programs or data until a ransom is paid – jammed the city’s email and phone systems and parts of its website.
  • Sept. 9: Computer network at St. Clair Catholic District school board hacked.
  • Sept. 21: A ransomware virus enters the city of Woodstock’s computer network, preventing employees from accessing email and data networks.
  • Sept. 23: Woodstock police hit by cyber attack that disables email and online reporting.
  • Sept. 26: Hospitals in Listowel and Wingham are targeted, forcing them to take their networks offline.
  • Sept. 27: A representative of Meridian Lightweight Technologies Inc. confirms the company’s Strathroy plant, employing about 600 workers, had been hit by a cyber attack.
  • Oct. 24: Elgin OPP report an Elgin business had been locked out of its computer files following a ransomware attack.

CYBER LINGO 101

Bitcoin: a digital currency demanded in almost all ransomware attacks. Anonymous and encrypted, bitcoin can be sold or converted to cash and is nearly impossible for police to track.

Encryption: Encoding data so that only authorized parties can access it.

Malware: Software designed to cause damage.

Phishing: Ploy to obtain sensitive information such as user names, passwords and credit card details by using deceptive emails and websites.

Ransomware: Type of malware that threatens to publish data or block access to it unless a ransom is paid.

Spoofing attack: Individual or program pretends to be a trusted source to gain information.

Whaling: A specific type of phishing attack targeting high-profile employees, such as the chief executive or chief financial officer, who typically have access to sensitive data. The goal is to manipulate the executive into authorizing high-value wire transfers.

WHO ARE THE ATTACKERS?

Evidence suggests there are concentrations of cyber criminals operating in Eastern Europe, North Korea, Russia, China and the United States, but police say it’s difficult to track the source of a cyber attack because of the use of digital currency and the dark web, a part of the Internet that isn’t accessible to search engines.

Some ransomware code has been found to contain a list of exclusion languages, which would prevent that ransomware from activating if a network’s default language is on the list. The exclusion list could be a method of not attacking targets in the attacker’s country of origin, a diversionary tactic, or completely meaningless.
