Skip to main content

A notorious ransomware gang known as Conti has claimed responsibility for a cyberattack on Rio Tinto PLC’s Aluminerie Alouette Inc. smelter in Sept-Îles, Que., in what one security expert says is a warning shot to other Canadian companies in the context of war in Ukraine.

On the Conti news website Wednesday, cybercriminals from the group published what they said were files containing 20 per cent of the data they stole from Alouette in an attack the primary metal producer confirmed last month. The five files, available for anyone to download on the site, appear to include human resources information as well as documents linked to the company’s management finance committee.

Alouette is the biggest aluminum smelter in the Americas, with more than 850 employees and an annual production capacity exceeding 620,000 tonnes of primary aluminum, according to its website. It is owned by a consortium of five shareholders: British-based Rio Tinto is the largest with a 40-per-cent stake, followed by AMAG Austria Metall AG, Norway’s Hydro Aluminium, Japan’s Marubeni Metals & Minerals and Investissement Québec.

“It really doesn’t look good” for Alouette, said Alexis Dorais-Joncas, a Montreal-based cybersecurity specialist who leads a team of malware researchers with IT security software firm ESET. “We can assume that the attackers went really deep into the network to get those files. And they probably have a lot more where that came from.”

Alouette does not appear to have paid a ransom because the files are on the Conti website, Mr. Dorais-Joncas said. The group will typically make that move in order to press the company to pay. Showing the proprietary information might also attract another buyer interested in obtaining the data.

Alouette said Feb. 28 that it was the victim of an attack from a third party into some of its computer systems, causing what it called a “software breakdown” four days earlier that also knocked out its e-mail and landline phone network. “This type of security incident is affecting more and more organizations and, unfortunately, despite the quality of its modern infrastructure, Alouette is no exception,” the company said.

Ottawa warns Canadian businesses of increased threat of Russian cyberattacks

This week, Alouette said internal and police investigations into what happened are continuing but that early findings are that some personal data might have been compromised. It is offering all of its employees, retirees and former employees a credit monitoring and protection service, according to company spokesman Maxime Lelièvre. The company was quick to counter the unauthorized access and secure its servers, allowing operations to continue normally and safely, he said.

Conti attacked 400 organizations worldwide in the year ending May, 2021, and demanded ransoms as high as US$25-million, the U.S. Federal Bureau of Investigation said in an alert on the group released that month. The group, believed by analysts to be based in Russia, supplies affiliates around the world with malware that they use in extortion attempts in exchange for a cut of the ransom paid.

In a blog post last month, Conti, which is also the name of the ransomware itself, announced its “full support” for the Russian government in its invasion of Ukraine. But that caused some discomfort among its wider network of hackers in other nearby countries, one or more of whom was so angry they leaked information about the group’s tactics in an act of internal sabotage that has stunned cyber investigators.

Conti said in a more recent declaration that it does not ally itself with any specific government. Still, it vowed to retaliate in the event “Western warmongers” attempt to target critical infrastructure in Russia or any Russian-speaking region in the world.

There is no evidence to suggest the attack on Alouette was motivated by anything other than money, Mr. Dorais-Joncas said. But that doesn’t necessarily mean ideology plays no role.

The attack sends a signal to the Canadian government and the country’s corporations that Russia can hit you, said Michel Juneau-Katsuya, a former agent with the Canadian Security and Intelligence Service who now works for investigations firm Titan Sécurité. He called it a type of psychological warfare endorsed by the Kremlin, even if Russia’s government didn’t directly order it.

“[This is] an attempt to basically challenge the Western world, but demonstrate at the same time what they’re capable of doing, what they intend to do, to any allies of Ukraine,” Mr. Juneau-Katsuya said. “And if they can do it to Alouette, they could do it to Hydro-Québec, they could do it to Bell Canada, they could do it to other critical infrastructure that we need to operate. So that’s absolutely a warning.”

Canada’s Communications Security Establishment, the government agency responsible for signals intelligence and cybersecurity, last month urged Canadian organizations to take immediate action and bolster their computer network defences in the context of the Ukrainian conflict. A spokesman for the agency declined to comment on any specific incidents.

Conti ransomware attacks reported against U.S. and international organizations have risen to more than 1,000, the U.S. Cybersecurity and Infrastructure Security Agency said in an alert update Feb. 28. The gang has claimed responsibility for hits on several other Canadian companies in recent days on its website, including Kitchener, Ont.-based IMT Group, a maker of metal components for transportation and other industries.

Your time is valuable. Have the Top Business Headlines newsletter conveniently delivered to your inbox in the morning or evening. Sign up today.