The government of Nunavut continues to restore its systems today after being struck by a ransomware attack over the weekend.
“We weren’t expecting this,” Dean Wells, the territory’s corporate chief information officer, said in an interview Tuesday afternoon.
“We spent the last eight months really focusing with our partners to upgrade the network. We just went through a major upgrade on our satellite network from a very small amount of bandwidth — less than 200 Megs (Mbps) — to a 5 Gig network. We really concentrated on making our network prepared for this, to have our infrastructure in place to help departments deploy programs and services. So we did a lot of work making sure all our firewalls were all protected and firmware updated. Same thing for content forwarding systems and all our security devices beyond that … but this really caught us off guard.”
However, when asked what failed Wells said that is still under investigation. Wells did say systems were hit by the DoppelPaymer ransomware, although he couldn’t say which variant. CBC News quoted Martin Joy, Nunavut’s director of information, communications and technology, as saying the territory’s security system hadn’t yet been trained to recognize this version.
According to security vendor CrowdStrike, DoppelPaymer shares most of its code with the BitPaymer ransomware operated by a group dubbed Indrik Spider. However, DoppelPaymer added threaded file encryption, which can increase the rate at which files are encrypted. Its network enumeration code was also updated to parse the victim system’s Address Resolution Protocol (ARP) table, giving it a list of neighbouring hosts to reach.
“Perhaps the most interesting change that the DoppelPaymer author made is to terminate processes and services that may interfere with file encryption,” adds CrowdStrike. DoppelPaymer contains several lists of CRC32 checksums of blacklisted process and service names. The malware author embedded CRC32 checksums rather than plain strings to hinder reverse engineering: a 32-bit value says nothing about which process it refers to. However, because the set of plausible process and service names is small, it is possible to brute-force all of the checksums against a wordlist and recover the respective strings.
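The checksum trick and its recovery, as an added Python example that is not part of the original article and not CrowdStrike's or DoppelPaymer's code. Both the blacklist names and the analyst wordlist below are constructed for illustration; the normalization (lowercase, CRC32 over UTF-8 bytes) is an assumption, since the article does not say how the malware hashes names, and a real analysis would have to try several normalizations (upper case, UTF-16LE, with and without the `.exe` suffix) until the embedded values match.

```python
import zlib

# Constructed sample (not DoppelPaymer's real list): processes a ransomware
# author might kill because they hold files open or take backups.
SAMPLE_BLACKLIST_NAMES = [
    "sqlservr.exe", "oracle.exe", "mysqld.exe", "outlook.exe",
    "veeam.backup.service.exe", "vssvc.exe", "sophosav.exe",
]


def name_checksum(name: str) -> int:
    """CRC32 of the lowercased UTF-8 name (assumed normalization)."""
    return zlib.crc32(name.lower().encode("utf-8")) & 0xFFFFFFFF


def build_blacklist(names):
    """What the malware embeds: only 32-bit checksums, no readable strings."""
    return {name_checksum(n) for n in names}


def should_terminate(process_name: str, blacklist) -> bool:
    """The malware's decision: hash the running process name, look it up."""
    return name_checksum(process_name) in blacklist


def recover_names(blacklist, candidates):
    """Analyst side: hash every candidate name and match it against the
    embedded checksums. Returns (checksum -> name, unresolved checksums)."""
    recovered = {}
    for cand in candidates:
        h = name_checksum(cand)
        if h in blacklist:
            recovered[h] = cand.lower()
    unresolved = sorted(blacklist - recovered.keys())
    return recovered, unresolved


def expand_wordlist(base_names):
    """Brute-force helper: try each base name with common service/process
    suffixes, since the embedded list may contain either form."""
    suffixes = ["", ".exe", ".dll"]
    return sorted({b + s for b in base_names for s in suffixes})


if __name__ == "__main__":
    blacklist = build_blacklist(SAMPLE_BLACKLIST_NAMES)
    print("embedded checksums:", [f"{h:08x}" for h in sorted(blacklist)])

    # Constructed analyst wordlist: names harvested from a Windows host plus
    # common database/backup/security products. "veeam.backup.service" is
    # deliberately absent so one checksum stays unresolved.
    wordlist = expand_wordlist([
        "notepad", "explorer", "sqlservr", "oracle", "mysqld",
        "outlook", "vssvc", "sophosav", "msmpeng",
    ])
    recovered, unresolved = recover_names(blacklist, wordlist)
    for h, name in sorted(recovered.items()):
        print(f"{h:08x} -> {name}")
    print("unresolved:", [f"{h:08x}" for h in unresolved])
    print("kill SQLSERVR.EXE?", should_terminate("SQLSERVR.EXE", blacklist))
```

Unresolved checksums are the normal case with a first wordlist; the analyst grows the list (product process names, service display names, Sysinternals-style inventories) and reruns until every value is accounted for. The same lookup also works as a defender check: hashing the process names on a host against checksums pulled from a sample tells you which of your services the sample would try to stop.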
The Nunavut incident started around 4 a.m. Saturday when network alarms started sounding. Wells wouldn’t say how many desktops and servers were affected, but within a short while the entire network was taken offline as a precaution. Now there are two teams working on the problem: one is determining which systems were infected, while the other is rebuilding the network and restoring data from backups.
IT suppliers including Microsoft and FireEye are helping with restoration and investigation.
All data that was backed up to the government’s servers is “fine,” Wells said. However, any data held only on workstations is assumed to have been compromised. On the other hand, territory policy forbids staff from storing data on workstations, so in theory no important data will be lost there.
With email not available, government staff can only be reached by phone, fax, or in person.
The crippling of IT systems for a government at any time can be serious, but especially for a territory with 25 communities spread across 1.8 million square kilometers serving some 36,000 people.
The government says that services including police and hospital visits are still available, but staff don’t have online access to documents. As a result, some services may be slow or delayed. The telehealth service, increasingly important in such a widespread region, is currently unavailable.
For the time being, health workers are using a paper-based system until network services are restored. Patients have been asked to bring their health care cards and medications for all health care visits. Health payments and reimbursements will be prioritized as soon as the system is up and running.
The government emphasizes that personal information it holds hasn’t been copied or exfiltrated by the attack. The government-owned Qulliq Energy Corporation wasn’t affected.
IT staff are working with the court system to set up computers off the infected network so hearings can continue as scheduled. Court Services has implemented contingency plans to ensure uninterrupted services. But while the court registry is open and new criminal and civil proceedings can be filed, the civil registry, corporate registries, land titles, and securities email registrations are offline.
In a statement on Sunday, Premier Joe Savikataaq said that “essential services will not be impacted and the GN (government of Nunavut) will continue to operate while we work through this issue. There will likely be some delays as we get back online and I thank everyone for their patience and understanding.”
Once the issue was identified, the network was isolated and cybersecurity experts were notified, he said in the statement. Restoring electronic data for services related to health, family services, education, justice, and finance is a priority. “It is difficult to estimate recovery timelines at this early stage,” he added.
“We get about 35,000 [network penetration] attempts a week,” said Wells.
This, he agreed, is the worst cyber incident he’s faced in his career. Since it began he’s had about six hours of sleep.
(This story has been updated from the original with comments from Dean Wells)