‘They may already be happening.’ Canada at higher risk of cyberattacks from Russian hackers after siding with Ukraine

Article content

For Farshad Abasi, Russian cyberattacks against Canada are inevitable given Prime Minister Justin Trudeau’s decision to be an active participant in sanctioning Russia over its invasion of Ukraine.

Article content

“They may already be happening and we don’t even know it,” said Abasi, chief security officer at Forward Security, a Vancouver-based cybersecurity company. “If they haven’t already, they will, and we need to be prepared.”

Russia is home to the world’s most notorious cyber hacking groups, including Sandworm, a unit of Russia’s military intelligence organization that has a “history of inflicting digital chaos,” WIRED magazine reported in February.

Sandworm is believed to be behind the 2015 attack on Ukraine’s power grid, which resulted in power outages for 225,000 customers; the 2017 NotPetya malware attack that was targeted at Ukraine, but spread worldwide, paralyzing organizations including Danish shipping and logistics giant A.P. Moller-Maersk A/S, or Maersk. Sandworm is also suspected to have interfered in the 2017 French presidential election and the 2018 Winter olympics, in PyeongChang, South Korea.

Article content

The group’s latest malware, Cyclops Blink, which appeared in late February, already has cybersecurity professionals on edge.

“Russia’s capabilities are indeed frightening,” said David Shipley, CEO and founder of Fredericton-based Beauceron Security Inc.

Russia’s capabilities are indeed frightening

David Shipley

There are reports that Russia’s Conti ransomware gang has threatened to hack the critical infrastructure of any nation that stands in the way of Russia’s takeover of Ukraine. Canada so far has sent military equipment and funds in excess of $25 million to Ukraine.

“We are literally and figuratively poking the bear,” Shipley said. “So Canadians should not feel that we are not connected to this conflict. We are.”

Shipley expects future cyberattacks to be driven in part by Russia’s need for money, as the ruble continues to buckle under the weight of Western economic sanctions.

Article content

Large Canadian companies might be ready. For example, Canada’s six largest banks spent about $100 billion on technology between 2009 and 2019, and significant portion of that spending was on tech “dedicated to security measures,” according to the Canadian Bankers Association.

For smaller companies, it’s a different story. Nearly half of Canadian small businesses suffered a cyber attack, costing upwards of $100,000 in 2021, the Insurance Bureau of Canada said in a report last year. Yet, 47 per cent of smaller companies reporting having no budget allocation for cybersecurity.

We are literally and figuratively poking the bear

David Shipley

Small- and medium-sized businesses are among the “most targeted and least defended,” said Elana Graham, chief operating officer and co-founder of Cyber Defence Corp., or CYDEF, an Ottawa-based firm that helps organizations bolster their cybersecurity infrastructure. “You can live in denial if you like if you’re a small company, but the reality is you could be compromised already and you have no idea.”

Article content

Graham, who has a background in information technology, said she has seen even the smallest of companies, with just two computers on their network, targeted by hackers. She founded the company in 2018, frustrated by the high cost of cybersecurity, which she felt was deterring firms from protecting themselves from hackers.

“For companies that don’t have that sort of layered plan in place, [a cyber attack] can be an extinction-level event,” said Graham, who recalls an instance when 20 per cent of a company’s fleet of computers had been hacked and was being used to ‘mine,’ or create, new bitcoin.

Cybersecurity is something that upper management don’t really want to think about, especially if they lack a background in information technology, or IT. But their participation and willingness is crucial. “It’s not just an IT problem anymore,” said Graham. “It’s a company-wide problem.”

Article content

When the pandemic shifted businesses online, cybercrime began to tick upward. “Just being digital makes [small businesses] vulnerable,” said Shipley.

Many cybersecurity breaches happen due to human error, when an employee clicks on a phishing email, for example. Hackers can also exploit vulnerabilities in software between updates, before the vulnerabilities have been “patched.”

Ransomware, a particularly insidious form of cyber crime, is on the rise. This is where cyber criminals will hack into a company’s software and hold the company’s data hostage for a fee. Much of the time companies end up paying the ransom, funding a vicious loop. “We have been paying the people victimizing us,” said Shipley.

Article content

Cybercrime is big business, expected to total US$10.5 trillion by 2025, Cybercrime Magazine reported in 2020, citing an estimate by Cybersecurity Ventures.

Canada has experienced its fair share of attacks. In 2020 alone, cybercrime cost Canadians $6.4 billion in ransoms and and lost productivity, according to law firm McCarthy Tétrault LLP. That year, cyber-attackers held the city of Saint John, N.B. hostage, seizing its networks and demanding a ransom of about $20 million in bitcoin, CBC reported. The city chose to rebuild its network from scratch at a cost of roughly $3 million.

There are a few steps that businesses in Canada can take to arm themselves against potential cyber attacks. Graham recommends that businesses consult the “Baseline Cyber Security Controls for Small and Medium Organizations” by the Canadian Centre for Cyber Security.

Article content

Shipley recommends businesses adopt a “basic cyber hygiene” routine, which includes using multi-factor authentication, teaching employees about cybersecurity, and patching systems to ensure they are up to date. Leigh Tynan, director of Telus Corp.’s online security business, recommends completing Telus’s free dark web scan to see whether your information has been compromised.

To be sure, some people find cyber-security measures, such as multi-factor authentication, tedious. To this, Shipley said: “The price of digital security is mild inconvenience. And I think that that’s a pretty good price to pay.”

• Email: [email protected] | Twitter: marisacoulton