Reporter Colin Freeze in 2010.Peter Power/The Globe and Mail
What does cyber espionage look like if you're an IT specialist inside the federal government?
In Canada's most central bureaucracy, it means you would confiscate corrupted computers, rip out their hard drives, and send the data across town for forensic analysis. All amid fears that someone had been trying to install a "key logging capability" to see what Privy Council Office staff had been typing.
Or maybe, if you worked at an immigration adjudication panel, you'd be tipped to sinister activity just as one of your colleagues was finishing up a deportation case upon which China-Canada relations pivoted. You would find yourself sending a panicked message at the 11th hour – urging the adjudicator seized with that matter to change her passwords "as soon as possible."
Or consider what would happen if you worked at a secretive agency where Canada's military scientists pioneer new weaponry. You would find yourself writing a PowerPoint on "cyber cauchemars" (nightmares), bemoaning the fact that a "persistent" threat had been lodged in your network, for months. And no one could say anything about it. "We're damned if we disclose to the public, and damned if we don't," one slide would read.
These examples are not hypothetical.
The Globe and Mail has been collecting records under Access to Information laws that relate to seeming acts of cyber espionage directed against federal departments. Each caused significant disruption and disarray.
The events in question are not known to be related, but they occurred within the span of a year.
And they are but a small sample of a vast problem that the federal bureaucracy is struggling with – a problem that is understated because Ottawa officials are loath to draw attention to their vulnerabilities or to pin blame for any attack on any specific groups of hackers.
To be sure, proof and provenance are difficult to discern in the realm of cyber espionage. Yet this month, there have been reports of a powerful Chinese People's Liberation Army hacking group – Unit No. 61398 – targeting dozens of North American businesses and government agencies. Five alleged members were indicted in the United States last week for hacks against American corporations.
Over time, this amounts to a complex threat to Canadian security, prosperity – and, possibly, civil liberties, should the attacks and countermeasures grow over time.
Yet information technology specialists inside the federal government face a much more pragmatic quandary.
Once the hackers have set up shop inside a government network, how do you kick them out?
I. A 'persistent and endemic' threat
Defence Research and Development Canada is the federal department that tries to figure out how Canada will win its next war. Staff there work to engineer better projectiles or vehicles, or even tactics – such as how to breach secure buildings without leaving a trace.
Yet there is one question the agency has been lately pondering more urgently than it used to: How to keep outsiders from getting into DRDC's own computer systems?
This is because, four years ago, IT staff at the department had discovered that a hostile set of eyeballs had virtually lodged themselves inside the network.
"Since Thursday, April 8 2010 the DRDC computer network has been unavailable due to technical difficulty," reads the message that was circulated to outsiders.
But that was just the tip of the iceberg.
The network known as "the DREnet" was feared to have been severely compromised, records show, after succumbing to a hacking technique as common as it is effective.
"You should only download or introduce data into the DREnet from a trusted source," urged a DRDC memo sent after the breach. Staff were warned about "spear phishing" – what happens when seemingly a innocuous e-mail attachment is opened by a corporate employee, thereby releasing hidden malware into the network.
"The most common method to infiltrate a system is to adopt the identity of your target's colleague and get them to download a seemingly harmless document."
Before long, the hostile hackers – whoever they were – became Public Enemy No. 1. at DRDC. Released DRDC e-mails outline a remediation strategy drawing upon some over-the-top military jargon.
The Canadian Forces Network Operations Centre would set up a "command post" in Ottawa. Rapid-response "blue teams" of IT specialists would sweep out to affected military bases across the country (and their superiors later apologized for their being "overzealous" with DRDC staff as they worked to contain the threat). Situation reports – "sitreps" – logged the followup measures. Convoluted flow charts speaking to strategy were drawn up. Some 300 staff were given clearance to work on laptops linked to a virtual private network, to which access was strictly restricted.
The cavalry was called in – in the form of other agencies in Ottawa and beyond.
"The assistance from Government of Canada and allied partners continues and is proving to be invaluable," reads an April 26, 2010, memo.
Yet as weeks turned to months, DRDC staffers were warned to stay off the DREnet – and make sure not to circulate any thumb drives or any PDF attachments that had been exposed to it.
"I understand the impact that the latter request will have on the pursuit of the scientific program and our ability to manage DRDC," reads one lieutenant colonel's memo. "However failure to do so can only serve to lengthen the period of quarantine and have an impact on our credibility as an agency and the reputation of the DRDC brand."
Military scientists lamented that only a "full rebuild" could redeem their network. As this work wore on, one brigadier general channelled Donald Rumsfeld, and griped "how can we turn the vast number of unknowns into knowns?"
"This threat is persistent and endemic," reads the "cyber cauchemars" PowerPoint postmortem that was circulated that fall.
Records obtained by The Globe indicate the network was first felt to be fully functional again around that Christmas – some eight months after the attack was discovered.
(Yet the fuller fixes may have actually taken years. "Security for the Defence Research and Experimental Network, or DRENet, has since been recertified and accredited in December 2013," said DRDC spokeswoman Kathleen Guillot, in an e-mailed response to Globe questions.)
II. A 'key-logging capability' in the PCO?
By Groundhog Day, 2011, technology specialists in the Langevin Block were seeing shadows of something sinister in their own networks.
Secure faxes – still the communications medium of choice within Ottawa when computer network security is felt to be at risk – started flying Feb. 2 between the affected agency, the Privy Council Office and CSEC and other agencies.
This unknown group of hackers didn't penetrate as deeply as in the case of the military scientists.
But the suspected act of cyber espionage is still alarming. The PCO is like a central nerve system for the Canadian bureaucracy – a repository of sensitive files for Prime Minister Stephen Harper and his cabinet. Outsiders are simply not welcome inside.
Records released in relation to the 2011 PCO hack describe the target as in the "BNet" (an acronym that forms part of some PCO staffers' e-mail addresses).
"The malware is also suspected to contain a key-logging capability" reads a log of the government's responses to the threat.
It describes the event as "the latest spear phishing attempt on PCO."
The released logs document a two-month-long cleanup effort showing that the PCO's IT security teams worked with CSEC to confiscate some workstations, and watch whether the computers that remained in place were pinging out to a particular "external IP [Internet Protocol] address."
As a growing list of websites, e-mails and IP addresses were blocked from PCO networks, the crews searched for "malicious entities" and a "suspected malware file."
One workstation was deemed "definitely compromised" but later "CSEC reaffirmed that nothing suggests exfiltration of documents."
Just after Valentine's Day, Rennie Marcoux – then the assistant secretary to the cabinet on "S&I" issues (security and intelligence) – was briefed in a postmortem about the event.
PCO staffers were told to change their logins to a "new strong password composition requirement."
Records show the network's "hash" (encrypted) file of staff passwords was feared compromised.
But by the end of that March the fears had blown over.
III. A fugitive freed and a password change
Several months after the threat at the PCO, a Fujianese fugitive boarded a plane to China.
Lai Changxing's enforced July 2011 return to his homeland ended a decade of debate over the man's fate.
Now serving a life sentence in China, Mr. Lai had been a wanted Chinese smuggler turned failed Canadian asylum seeker. And for years, he had been a source of constant consternation for top Chinese Communist Party officials, who had been pressing Canada for his handover almost since he arrived in the late 1990s.
China is "extremely concerned about Canada's behaviour" a Chinese Foreign Ministry spokesman said in 2009, according to a U.S. State Department cable later circulated by WikiLeaks. He upheld China's "unwavering" position that the "fugitive Lai Changxing return to face trial under Chinese law."
In 2011, as Mr. Lai's time for due process was exhausted – after facets of his case had made their way to the Supreme Court and back – a federal adjudicator ordered him freed from detention just days before his scheduled July 22 Air Canada flight to Beijing.
And that was when fears about a highly targeted attack arose within the Immigration and Refugee Board.
Records show that on a Sunday morning e-mails began to fly between the IRB's IT security, CSEC, and other agencies.
"Possible compromise at Immigration and Refugee Board" read a subject line of one e-mail.
A few hours later this telling message was sent.
"Can you please ask Leeann King to change her password as soon as possible."
Ms. King is the adjudicator who had been seized with the Lai case, and decided to give him some liberty before he got on the plane. Administrators proactively reset her accounts as they sent secure faxes to CSEC.
The released records regarding the IRB response to the hack are relatively vague – possibly due to extensive redactions of the released documents, or possibly due to the fact that the response was not as in-depth as at the PCO or DRDC, which are seen as more central Canadian government agencies.
Nothing happened that affected the outcome of that case. Mr. Lai got on his plane.
One year after the Lai deportation, Bloomberg News published an exposé that cited the previously undisclosed IRB hack as one of several acts of suspected cyber espionage likely sponsored by the Chinese People's Liberation Army. The 2012 article referred to the hackers by their monikers "Byzantine Candor" or, more colloquially, "the Comment Crew" – yet today this same group is more typically referred as "Unit 61398."
The unit is the home of the five suspected Chinese state-sponsored hackers who were indicted in the United States this month.
Colin Freeze is a national security reporter based in Toronto.
Colin Freeze