Federal authorities, including the RCMP, are investigating a data breach at the Royal Military College after hackers posted documents that reveal soldiers’ personal information online.
Experts say the leak is a glaring example of the growing threat that “ransomware” poses to organizations.
In a statement released Wednesday, the Department of National Defence said it is working with several federal agencies to probe the breach affecting RMC in Kingston and three affiliated military schools that use a shared computer network.
In addition to RCMP detectives, intelligence agency experts are also involved. “We continue to work with RCMP National Cyber Crime and [Ontario] Division who are actively investigating,” DND said in an e-mail to The Globe and Mail, adding that intelligence analysts at the Canadian Centre for Cyber Security are also working “to minimize any potential impact to our people and operations.”
The Globe first reported the ransomware attack in early July. At that time, the school’s dean of engineering said in a blog post that fixing problems would mostly be a matter of restoring data that had been scrambled from afar by a hacking group.
But it is now clear that the hackers did not merely encrypt RMC’s data – they also took, or “exfiltrated,” corporate records, including ones detailing students’ lives and academic ambitions.
Such double-barrelled attacks are an example of the evolving way in which ransomware hackers shake down the organizations they infiltrate for money, experts say.
“Up until the end of last year, ransomware groups simply encrypted their victims’ data. Starting in November they began stealing it, too, to use the stolen data as additional leverage to extort payments,” said Brett Callow, a threat analyst at Emsisoft.
The New Zealand-based company is among several cybersecurity firms monitoring fallout from the data breach at RMC.
“Even if an organization has backups that weren’t encrypted [by the hackers], they have still got the problem of what to do about the stolen data,” Mr. Callow said. “If the ransom is paid, the organization will receive a decryption key to unlock its own data. And the criminals will make a pinky promise that the stolen data will be destroyed.”
RMC teaches Canadian Forces soldiers about modern warcraft and offers several cybersecurity courses.
Over the past week, some stolen RMC documents started turning up on the dark web, or relatively obscure internet sites that involve untraceable data exchanges among anonymized users. Several cybersecurity firms are now posting samples of the stolen RMC material onto public social-media sites as a way of sounding a broader alarm.
Such firms have scrubbed the leaked RMC materials of information that would identify soldiers.
One leaked document involves a list of more than 3,300 computers and devices on the college’s internal network.
The more specific kinds of documents stolen from RMC that have leaked include a graduate student’s acceptance letter bearing a name, address and e-mail address. There is also a progress report signed by an instructor saying a PhD student is “intelligent, hardworking, and organized.” There is also a “donation approval form” outlining a $54,500 unsolicited donation of seven paintings to the college’s museum.
In general, the leaking of stolen documents by hackers is intended to ratchet up the pressure on organizations to pay ransoms, Emsisoft’s Mr. Callow says. “Should the victim still not pay,” he said, “the remaining data is released usually in a series of installments.”
Officials and instructors with the military college did not respond to interview requests. The college’s main website remains offline and it is unclear when computer systems will be fully restored.
News about the leaks of personal data is surfacing even as Canadian Forces students are on the cusp of starting a new academic year at the college, where the students’ ability to congregate in classrooms is being curbed by the precautions around the global COVID-19 pandemic.
“The cadets are back already – they are already locked down on the peninsula,” said David Skillicorn, a computer science professor at neighbouring Queen’s University, referring to RMC’s Point Frederick location.
He said an online course delivery system is up and running but many administrative systems remain offline. “The problem is that if you get attacked like this you can’t be sure they haven’t left malware inside one of the printers or something like that,” Dr. Skillicorn said. “So it’s a huge job to try and go through and really clean things out.”