The Chinese military hackers accused of corporate espionage by U.S. officials on Monday are also suspected of being behind a hack of Canada’s Immigration and Refugee Board (IRB), say U.S. cybersecurity experts.
Records obtained by The Globe and Mail show that in 2011, federal officials were concerned a spying campaign had been launched as Canada was on the cusp of deporting one of China’s most wanted men, Lai Changxing. The Vancouver adjudicator involved in the case was told by her security officials to change her password “as soon as possible” in the days before his deportation.
Federal officials say suspected acts of cyberespionage against Canadian government targets are shockingly routine, but they almost never highlight specific attacks or suspects.
What makes the IRB attack significant is that U.S. cybersecurity experts familiar with it allege it was the work of Shanghai-based hackers known as “Unit 61398” of the People’s Liberation Army. Unit 61398 may be a new name to the general public, but it has long been notorious in security circles for hacking into the computer systems of corporate and government targets in two particular countries: Canada and the United States.
Richard Barger, chief intelligence officer of a Virginia-based firm called Cyber Squared Inc., said no one else could have developed the “customized malware” that was used. In an interview, he added that suspicious traffic to Canada “matched up with dates that led to the extradition hearing.”
On Monday, prosecutors in Washington announced they were laying criminal charges against five suspected military hackers associated with Unit 61398. The group’s alleged exploits are well known to North American cybersecurity experts, who also refer to it as “the Comment Crew” or “APT1.”
A 2012 report authored by Virginia-based Mandiant Corp. first publicly outed the group, alleging it was Beijing’s weapon of choice for hacking Canadian and U.S. computer systems. Its modus operandi is often described as “spear phishing”: a targeted e-mail carrying a malware attachment is sent to someone inside an organization, and the intrusion begins once the attachment is opened.
Cyberespionage is notoriously hard to attribute to specific adversaries. But fears about Chinese hacking have surfaced in Canada before: Two years ago, a former Nortel Networks security adviser publicly alleged that Chinese cyberspies had been a fixture in the company’s systems.
The nation’s top cybersecurity official, John Forster, told Parliament earlier this year that “there are now more than 100 nations that possess the capability to conduct cyberoperations on a persistent basis,” and that “our government systems are probed millions of times a day and there are thousands of attempts to compromise these systems every year.”
Records obtained by The Globe under Access to Information laws show how the Canadian government suffered a spate of significant breaches between 2010 and 2011. These records are highly redacted and do not accuse any specific groups.
One set of records shows that, in 2010, military scientists at Defence Research and Development Canada feared their network, known as “DRENet,” had succumbed to a “serious threat.”
“How can we turn the vast number of unknowns into knowns?” a brigadier general griped during a cleanup effort. “We’re damned if we disclose to the public, and damned if we don’t,” reads a postmortem.
Though the breach was first noticed in the spring of 2010, the tinkering with the network lasted until 2013, when DRENet was “recertified and accredited.”
Records from February, 2011, show that the Privy Council Office in Ottawa – the bureaucratic body that is a repository of sensitive files for Prime Minister Stephen Harper and his cabinet – was in someone else’s crosshairs.
“One of the workstations targeted by the attack was definitely compromised,” reads a PCO report from that time.
In the IRB case, days before Mr. Lai’s enforced flight home, security officials noticed a systems breach as he was ordered temporarily released from custody. “Could you please ask [adjudicator] Leann King to change her password as soon as possible?” reads a July, 2011, internal IRB e-mail.