Russian hacktivist threat on Canada’s pipelines is ‘call to action,’ top cyber official says

A cybersecurity incident affecting a Canadian gas pipeline — which pro-Russian hacktivists and an intelligence officer claimed could have caused an explosion — is “a call to action for the critical infrastructure sector,” according to Canada’s top cyber official.

The incident was revealed in a trove of leaked U.S. intelligence materials that included an apparently intercepted conversation between a hacking group known as Zarya and an officer at Russia’s Federal Security Service (FSB).

According to the document, marked Top Secret, during this conversation the hackers claimed they could "increase valve pressure, disable alarms, and initiate an emergency shutdown of an unspecified gas distribution station” located in Canada.

The authenticity of the document, which was first reported by The New York Times, has not been confirmed.

Following media coverage, Canada’s prime minister Justin Trudeau gave what appeared to be a thematic statement to journalists regarding cyberattacks targeting critical infrastructure in general.

“In regards to the reports of cyberattacks against Canadian energy infrastructure, I can confirm that there was no physical damage to any Canadian energy infrastructure following cyberattacks,” he said.

A spokesperson for the Prime Minister’s Office said they had nothing further to add when asked if this statement was intended to describe all cyberattacks Canada’s energy infrastructure had faced or just the consequences of the incident covered in the leaked intelligence.

When asked about the document, Sami Khoury, the head of the Canadian Centre for Cyber Security (CCCS), told The Record that he considered this statement to be the prime minister confirming “an incident” had taken place.

“I can’t comment on the leaks themselves, but we know that there are cyber powers such as Russia that have the capability to affect the physical world,” said Khoury, speaking at the CyberUK conference in Belfast last week.

“We’ve seen it all the way back to 2014-2015 when Russia turned off the electricity in Ukraine. So this is a big concern of ours, [if] these capabilities become more normalized,” he added.

“So, we have confirmed there was an incident. The prime minister acknowledged there was an incident that did not cause any physical damage,” said Khoury.

He explained that the agency’s policy was not to comment on particular incidents and so he would not go into the details of it or what the genesis of the incident was.

“The important thing is that we learned from it, the important thing is that there was no physical damage done, and it’s a call to action for the critical infrastructure sector to heed our advice and talk to us about how we work with them to make their systems more resilient,” said Khoury.

The threat of pro-Russian hacktivist groups moving from disruptive attacks to destructive ones was emphasized during CyberUK, with Britain's cabinet secretary Oliver Dowden warning that groups aligned to the Russian state, but not under the Kremlin's direct control, were "attempting to cause maximum damage to the UK's critical national infrastructure.”

Britain’s National Cyber Security Centre (NCSC) issued an alert during the conference warning that some pro-Russia hacking groups had “stated a desire to achieve a more disruptive and destructive impact against western critical national infrastructure.”

Paul Chichester, the NCSC’s director of operations, told journalists at the conference that the threat alert was issued because of “events over the past few months,” although he said he couldn’t talk about what those specific events were.

The threat report states that NCSC considers it unlikely that the hacktivist groups could “deliberately cause a destructure, rather than disruptive, impact in the short term” – at least “without external assistance.”

However it cautions: “But they may become more effective over time, and so the NCSC is recommending that organizations act now to manage the risk against successful future attacks.”

Where this external assistance may come from is unclear. There are many alleged connections between the FSB and Russia’s cybercrime underworld, however it is the FSB’s rival agency, the GRU, which has been behind Russia’s most impactful offensive cyber operations targeting Ukraine’s power supply.

During the conference, Dr. Jamie Collier of Mandiant said that the threat intelligence company assessed with “moderate confidence” that Russian hacktivist groups were now coordinating their activities with APT28 (also known as Fancy Bear), the GRU-sponsored group responsible for the attacks on Ukraine’s critical infrastructure.

Whether a similar level of technical knowledge about such sabotage is present within the FSB is unclear. According to the Top Secret document, the officer speaking to the Zarya hackers “anticipated a successful operation would cause an explosion” and the FSB was said to be “monitoring Canadian news reports for indications of an explosion.”

It is not clear whether the hacktivist group truly had the ability to cause physical damage or an explosion, nor whether this statement about monitoring was a tacit instruction. The hackers claimed to be interested in causing a "loss of income" and "not to cause loss of life.”

Asked whether the loss of life scenario was plausible, Khoury told The Record: “I believe and I trust the people building those critical infrastructure sector [systems] to have the fail-safes built into their infrastructure.

“I’m an electrical engineer, I’m in cybersecurity, so I can’t comment on how our pipelines or how our electricity lines [are] designed, but they need to think about the scenarios that there are fail-safes and certainly strong security, to avoid somebody messing around with it and causing it to misbehave, or [causing] physical damage.”

Khoury said that while information sharing with Canada's partners in the U.S. and U.K. was strong, the country needed “to do better on information sharing with the private sector.”