Parliamentary Committee Notes: Ransomware and Russian State-sponsored Advanced Persistent Threat Actors

Date:

Apr 20, 2022

Branch/Agency:

NCSB/NCSD

Issue:

You have been invited to appear before the Standing Committee on Public Safety and National Security to discuss Canada’s security posture in relation to Russia where ransomware and Russian advanced persistent threat actors may be discussed.

Proposed Response:

Responsive Lines:

Background:

Ransomware Threat

Ransomware is a type of malware that, once installed on a device, denies the victim access to their data (typically by encrypting it) and uses extortion to coerce the victim into paying a sum of money to regain access, or to prevent the threat actor from leaking stolen information to third parties. Ransomware is an accessible tool for cyber criminals, but is also used by state and state-sponsored advanced persistent threat actors (APTs) to achieve strategic and geopolitical goals.

Many Canadian victims give in to ransomware demands due to the severe costs of losing business and rebuilding networks, as well as the potentially destructive consequences of refusing payment – these could include the publishing of sensitive records online, or the auctioning of sensitive records on dark web marketplaces.

Ransomware has become more frequent, sophisticated, and severe in recent years, sometimes threatening the health and safety of Canadians, and Canada’s national security. Many prominent Canadian ransomware incidents have garnered media attention in recent years, and have caused significant disruption to services or businesses Canadians depend upon.

In the Canadian Centre for Cyber Security’s (Cyber Centre) recent threat bulletin The ransomware threat in 2021, ransomware is noted as being very profitable for cybercriminals. High profile criminal groups specializing in ransomware have emerged, such as “DarkSide”, which the United States (US) identified as responsible for the Colonial Pipeline ransomware incident in 2021.

Russian Threat

While these criminal groups often claim not to have political affiliations, many are thought to be located in Russia and other ‘safe havens.’ The Cyber Centre’s bulletin assesses that Russian intelligence services and law enforcement almost certainly maintain relationships with cybercriminals, either through association or recruitment, and allow them to operate with near impunity – as long as they focus their activities against targets located outside Russia and the former Soviet Union.

The Cyber Centre’s National Cyber Threat Assessment 2020 judged that while cybercrime is the most likely threat faced by Canadians, the state-sponsored programs of China, Russia, Iran, and North Korea pose the greatest strategic threats to Canada, and that state-sponsored actors are very likely attempting to develop cyber capabilities to disrupt Canadian critical infrastructure to further their goals.

Canada, in coordination with likeminded partners, has publicly attributed malicious activities to specific actors. Incidents Canada has attributed to Russia include the SolarWinds software supply-chain compromise (disclosed in 2020 and attributed in 2021), the 2020 targeting of COVID-19 research, response, and recovery efforts, the 2019 disruption of Georgian media and democratic institutions, and the 2017 NotPetya attack (destructive malware disguised as ransomware) which caused significant disruption to critical financial, energy, government, and infrastructure sectors around the world.

In January and February 2022, the Canadian Centre for Cyber Security issued threat bulletin guidance encouraging critical infrastructure network defenders to bolster their awareness of, and protection against, Russian state-sponsored cyber threats. The Government of Canada has increased its engagement with critical infrastructure owners and operators in light of the current threat environment.

As part of Canada’s response to Russia’s invasion of Ukraine, Canada has made multiple supporting statements on social media condemning malicious activities that Allies have attributed to Russia, including incidents affecting Ukraine’s government systems and banking sector.

Royal Canadian Mounted Police

The Royal Canadian Mounted Police’s (RCMP) Federal Policing Criminal Operations-Cybercrime program has the investigative mandate to target the most significant threats to Canada’s political, economic, social, and reputational integrity. Specifically, it focuses on criminal activity that targets the federal government, threatens Canada’s critical infrastructure and key business assets with high economic impact, and involves the use of computer systems to attack or compromise Canadian institutions by groups or organizations acting on behalf of foreign states. Under this mandate, the greatest impact is realized by conducting investigations to identify and target Cybercrime-as-a-Service, criminal networks conducting illicit activity in the cyber realm, and hostile foreign actors (state and non-state). There are currently a number of active Federal Policing investigations into APTs targeting Canadians, the Government of Canada and critical infrastructure systems.

As a National Police Service, the RCMP National Cybercrime Coordination Unit (NC3) coordinates and assists cybercrime investigations in collaboration with Canadian and international law enforcement partners. NC3 and the Canadian Anti-Fraud Centre (CAFC) are also building a new National Cybercrime and Fraud Reporting System for victims to report cybercrime and fraud incidents to law enforcement, which is planned for full implementation in 2023.

Contacts:

Responsible Manager: [REDACTED] National Cyber Security Directorate, [REDACTED]

Approved by: Dominic Rochon, Senior Assistant Deputy Minister, National and Cyber Security Branch, 613-990-4976
