Global Affairs Canada is still dealing with the effects of a cyberattack last week that led to suspicions it was related to the international tension with Russia.
In a statement this morning, the Treasury Board of Canada Secretariat said some access to the internet and internet-based services is not currently available as part of the mitigation measures that began January 19th, when the cyber incident was detected. Work is underway to restore those services.
“Critical services for Canadians through Global Affairs Canada are currently functioning,” added Geneviève Sicard, Treasury Board’s chief of public affairs. “At this time, there is no indication that any other government departments have been impacted by this incident.”
“This investigation is ongoing. We are unable to comment further on any specific details for operational reasons.”
The federal government’s chief information officer (CIO) is a member of Treasury Board. Some of Global Affairs Canada’s IT services are delivered by Shared Services Canada. The government statement said both the CIO and Shared Services are working with the Communications Security Establishment (CSE) and its Canadian Centre for Cyber Security on the incident. The CSE is responsible for the security of federal IT networks.
Christian Leuprecht, a Queen’s University professor and senior fellow in security and defence at the Macdonald-Laurier Institute, said it isn’t clear from public reporting whether Global Affairs’ secure internal network or its external-facing network was affected.
Nor, he added, is it clear whether the threat actor penetrated one of the networks or the government temporarily shut access just to be safe once the suspicious activity was detected. “If the secure network got hit we’d be in real trouble,” he added.
But, he said, it’s no coincidence this happened when NATO countries, including Canada, are taking action and making tough statements to Russia about troops massed on its border with Ukraine. “Things don’t randomly go down,” he said.
He noted that last week the Cyber Centre urged Canadian critical infrastructure providers to watch for Russian-based cyber attacks.
Foreign affairs ministries, he added, “are a Russian favourite” target. “It doesn’t mean necessarily that they were trying to take down our systems. It might have been that we noticed that the Russians were trying to infiltrate, exfiltrate, trying to divert traffic on the network so we shut down the network.”
“The problem is it’s hard to interpret intent. Is the intent of the Russians to show that they’re in our networks and they can get us any time, anywhere as a shot across the bow: ‘Be careful of what you do. We can escalate this as you escalate your help to Ukraine’? Or is this the best the Russians can do, to take down the open Global Affairs network?”
“What’s interesting is one of CSE’s tasks is to protect the network infrastructure of the government of Canada. The Russians, however, appear to have defeated CSE’s task. That’s not insignificant.”
On the other hand, he added, federal networks haven’t gone completely down in recent years, as they did during the 2011 attack on Treasury Board and in the 2014 attack on the National Research Council. Both were blamed on China. The most recent failure was the 2020 attack on the Royal Military College and the Canadian Defence Academy.
“The broader interpretation has been CSE now has a handle on this,” Leuprecht said.
Networks can go down because of server issues, he acknowledged, but they can also be taken down deliberately by IT as a precaution when an attack is detected. For example, he said, in 2020 the government took down the Canada Revenue Agency website after a successful credential stuffing attack compromised 11,000 tax and service accounts of Canadians.
Most of Global Affairs’ external network has come back online fairly quickly, he added, which suggests there wasn’t a malicious actor inside its servers or deep inside the network. By contrast, the RMC network was offline for months.
“It could be just a network malfunction, it could be a network compromise of some sort and the government decided to take down the network [as a precaution] or the Russians ended up intentionally taking down the network. I think what exactly transpired we’ll never know.”