Canada’s National Research Council hit by ‘cyber incident’

Open this photo in gallery:

The National Research Council, the Canadian government’s biggest science research and development agency, says its computer network has been attacked, just two months after the country’s foreign ministry suffered a separate cyberattack.

The NRC revealed the incursion the same day the White House warned companies to strengthen protections around their computer systems, citing “evolving intelligence” that the Russian government is exploring options for cyberattacks. Earlier this year, Canada’s cybersecurity agency, the Communications Security Establishment, warned of the risk of attacks from Moscow-affiliated hackers.

Christine Aquino, director general of communications at the NRC, said in a statement Monday that the “cyber incident” was first detected on March 18 and “mitigation actions were immediately taken.” The term “cyber incident” is regularly used by Canadian cybersecurity officials to describe hacking of government computers.

Ms. Aquino declined to provide more detail on the attack, and would not say whether it is believed to have come from Russia, or from individuals or organizations associated with the Russian government.

“The investigation into this incident is ongoing, so we do not have any further information to share at this time,” Ms. Aquino said. She added that the agency is working with the Communication Security Establishment’s Canadian Centre for Cyber Security as it probes what happened.

“As a scientific organization, the NRC remains constantly vigilant to the risk of cyberattacks,” she said. “Procedures and controls are in place at the NRC to mitigate these risks; these procedures and controls made it possible for the organization to respond quickly to the March 18 incident.”

The NRC conducts scientific research in areas such as aerospace, advanced electronics and medicine. And it partners with private industry to bring new discoveries to market.

The Communications Security Establishment issued its warning about Moscow-backed cyberattacks in January. That risk rose after the West hit Moscow with crippling sanctions following Russia’s invasion of Ukraine in late February, experts have said.

In January, Canada’s foreign ministry, the Department of Global Affairs, was hit by a cyberattack that left its access to the internet hobbled for more than four weeks.

The NRC has previously been targeted by foreign hackers. In 2014, the Canadian government publicly blamed “a highly sophisticated Chinese state-sponsored actor” for a cyberattack on the research agency.

Ray Boisvert, a former senior Canadian Security Intelligence Service (CSIS) official, said he thinks the public has been slow to see cyberattacks as another form of warfare, despite the fact that a successful hacking operation can be as damaging as a bomb. But he predicts that will change. “Cyber will be soon indistinguishable from what we would see as traditional warfare,” he said.

Senior White House cybersecurity official Anne Neuberger told reporters Monday that companies that provide critical infrastructure should improve their cyberdefensive postures, because of ongoing digital threats from Russia. Ms. Neuberger said the United States government has seen “preparatory” Russian hacking activity aimed at many U.S. companies, but that it has “no certainty” any attacks will occur.

Stephanie Carvin, a former national security analyst and an associate professor of international relations at Carleton University’s Norman Paterson School of International Affairs, said the federal government fends off millions of computer attacks each day, most of them low-level and automated.

She said two techniques that can sometimes help hackers breach an organization are phishing (using fraudulent messages to try to trick a person into revealing confidential information) or social engineering (pretending to be someone in authority, such as an IT department employee).

Prof. Carvin said the NRC’s most secure computer systems hold significant intellectual property. Even the agency’s internal communications could provide hackers with valuable information, including the names of private-sector companies partnering with the institution, she added. These companies might be more vulnerable to cyberattacks than the government itself.

In February, a federal intelligence watchdog group warned of significant gaps in the Canadian government’s cyberdefences.

The National Security and Intelligence Committee of Parliamentarians said in a report that it had identified “significant discrepancies” in how cyberdefence policies are applied.

“A large number of organizations, notably Crown corporations ... neither adhere to Treasury Board policies nor use the cyber defence framework,” the NSICOP said. “The threat posed by these gaps is clear. The data of organizations not protected by the government cyber defence framework is at significant risk.”

The group said unprotected organizations “potentially act as a weak link in the government’s defences.”

Canada is far from the only target. In February, it emerged that Britain’s foreign ministry had suffered a serious cybersecurity incident earlier in 2022, according to tender documents posted on the U.K. government’s website.

The British Foreign and Commonwealth Office was forced to call in BAE Systems Applied Intelligence to deal with the incident, according to the documents.

In January, Canada’s Centre for Cyber Security joined its counterparts in the U.S. and Britain in urging Canadian companies, such as electrical utilities and energy firms, to watch out for cyberattacks from Russia.

With a report from Reuters

Our Morning Update and Evening Update newsletters are written by Globe editors, giving you a concise summary of the day’s most important headlines. Sign up today.