“We’ll start by taking OttawaPolice.ca offline, just to annoy them,” the hacker group Aerith posted on Twitter just after 6 pm on Nov. 22.
Not long after, several sources reported that not only was the law enforcement authority’s site down, but also that of the Supreme Court of Canada and even the capital city’s government. Less than a year later, Daniel Steeves is ready to reflect on what happened and how his IT department is working to minimize the fallout of a similar attack.
Steeves, CIO of the Ottawa Police Service, was recently featured in a video clip produced by the Canadian Advanced Technology Alliance (CATA), which is preparing to host a cybercrime event later this year. It marks one of the rare cases where an IT leader offers a public post-mortem on a high-profile security incident and shows just how simple it can be for hackers to disrupt everyday digital processes.
“On a Friday around 4:00 pm, we were attacked by a number of hackers from various sites around the world,” Steeves said. “The aggregation against the web site, the volume was so high, that they hit our web site with millions of hits, to the point where our Internet service provider decided to shut off the pipe.”
As a result of the attack, the ISP also asked the Ottawa Police Service to remove the site from the ISP's environment entirely, because the traffic was affecting other areas of its business in the local community.
“While the pipe was turned off, we migrated it out of that environment into a different cloud environment and put a cyber-security shield as a result of that activity,” Steeves explained. “We turned it back on seven days later.”
Many private sector organizations would consider a week without a web site crippling to at least a portion of their business, but Steeves said the impact could have been even worse. Beyond the DDoS attack, the hackers also spoofed the e-mail address of his team’s IT manager and sent a message to the Ottawa Police Service’s web registrar with instructions to repoint the site to a web site owned by the cybercriminals.
“The registrar was in the midst of doing that, because they thought that was a real instruction,” Steeves said. Fortunately, the police’s IT department had set up a security protocol so that it receives a bounce-back notification whenever changes to the DNS are made. “We called them and let them know that wasn’t an e-mail from us.”
When the registrar looked more carefully at the header of the e-mail message, they recognized the social engineering tactics that were being used. Hackers have continued to try the same trick as recently as last month, Steeves added, but this time went a step further by scanning a fake copy of a driver’s license to “prove” who they were.
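The kind of header check the registrar eventually performed, written here as an added example (not code from the article or from the Ottawa Police Service): the visible From address claims the customer's domain, but the envelope sender and the receiving server's authentication results tell a different story. The message headers and all domains are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed: the customer's own mail domain (placeholder, not a real domain).
TRUSTED_DOMAIN = "police.example"

# Constructed sample: a spoofed "repoint the site" request. The From header
# claims police.example, but the envelope sender and SPF result do not.
SPOOFED_MESSAGE = """\
Return-Path: <bulk@mail.example.net>
Authentication-Results: mx.registrar.example; spf=fail smtp.mailfrom=mail.example.net; dkim=none
From: "IT Manager" <it.manager@police.example>
To: support@registrar.example
Subject: Urgent: repoint our web site

Please point www to the new hosting provider today.
"""

# Constructed sample of what a genuine message from the customer looks like.
GENUINE_MESSAGE = """\
Return-Path: <it.manager@police.example>
Authentication-Results: mx.registrar.example; spf=pass smtp.mailfrom=police.example; dkim=pass header.d=police.example
From: "IT Manager" <it.manager@police.example>
To: support@registrar.example
Subject: Renewal question

Could you confirm our renewal date?
"""

def header_domain(value):
    """Domain part of the first address in a header, lower-cased."""
    _, addr = parseaddr(str(value) if value else "")
    return addr.rpartition("@")[2].lower()

def parse_auth_results(value):
    """Map method -> result from an Authentication-Results header (e.g. spf -> fail)."""
    results = {}
    for clause in str(value or "").split(";")[1:]:   # [0] is the authserv-id
        clause = clause.strip()
        if "=" in clause:
            method, result = clause.split(None, 1)[0].split("=", 1)
            results[method.lower()] = result.lower()
    return results

def spoofing_indicators(raw_message):
    """Return a list of reasons to distrust the message; empty means nothing found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = header_domain(msg["From"])
    envelope_domain = header_domain(msg["Return-Path"])
    auth = parse_auth_results(msg["Authentication-Results"])
    findings = []
    if from_domain == TRUSTED_DOMAIN and envelope_domain != TRUSTED_DOMAIN:
        findings.append(f"From claims {from_domain} but envelope sender is {envelope_domain}")
    if auth.get("spf") != "pass":
        findings.append(f"SPF result: {auth.get('spf', 'missing')}")
    if auth.get("dkim") != "pass":
        findings.append(f"DKIM result: {auth.get('dkim', 'missing')}")
    return findings
```

Any non-empty result is a reason to confirm an instruction out of band, by phone to a known number, before changing a DNS record.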
“This time we were called (by the registrar) right away,” said Steeves.
Though last year’s DDoS attack was attributed to Aerith and also to Anonymous, Steeves said it is difficult to know for certain where such hits originate. That’s because the cybercriminals often operate in countries with which Canada has no law enforcement agreements.
Steeves said he hopes these kinds of incidents prompt a conversation across various levels of government to create a national strategy to combat IT security threats collectively.
“When you’re under an attack, your solution has to be mobile enough to be able to move with the attack, to be able to absorb the attack,” he said. “We have to recognize that cyber-security is strategic as opposed to tactical. Everybody knows (attacks are) going to happen.”