Hackers may have had a four-day head start when they broke into government systems in January in an attack that continues to leave many employees without full Internet access and revealed flaws in the security of federal computers.
Documents obtained by The Canadian Press say the Treasury Board and Finance departments were notified of "harmful activity" on Jan. 24 by the agency that oversees communications security in Canada.
The departments, whose networks are linked, began to remove infected computers and institute a series of rolling Internet outages to get to the root of the attack.
"I received the report, nothing major," Luc Parson, chief of information technology security for the Treasury Board, wrote in a Jan. 25 email. "We were already doing all the recommendations except for like 1."
However, Communications Security Establishment Canada went back to the departments on Jan. 28, a followup that provided "our first realization of the severity of the problem," according to a draft action plan written by the agency after the incident.
Exactly what damage the hackers managed to do was censored in the hundreds of pages of emails, reports and other documents released under the Access to Information Act. But a Jan. 31 note says the attack was serious.
"Indications are that data has been exfiltrated and that privileged accounts have been compromised," the incident report says.
Meetings between CSEC and the two departments on Jan. 28 triggered a more drastic Internet shutdown that partially continues to this day and threw information-technology staff in both departments into crisis mode as officials scrambled for a fix without clear guidelines as to who was in charge.
"Governance around the crisis needs to change," wrote Marie McDonald, a senior bureaucrat within Treasury Board in the aftermath of the attacks.
When the attacks became public, then-Treasury Board President Stockwell Day acknowledged the hackers were after financial records, but said nothing was compromised.
Government employees in a number of departments had been repeatedly warned only a week earlier that someone was trying to break into their computers. Attempts to infiltrate the system had begun in December, the documents suggest.
A security bulletin said the danger came from spoof email addresses purporting to be from senior government officials but contained "a malicious link, which if 'double clicked' may lead to the exfiltration of data."
"The emails have been socially engineered and tailored to target different audiences within each department and contained a link to a malicious zip file hosted on an external (non government) website," said the bulletin, first circulated Jan. 14.
Three days later, there were fears about the email accounts of senior Finance Department officials being targeted. A bulletin sent Jan. 21 noted "the risk of loss of sensitive information resulting from these targeted emails is HIGH."
As the CSEC and officials from Finance and Treasury scrambled to contain the threat, it appears the Public Safety Department remained in the dark.
Asked Jan. 30 if Public Safety had been briefed, the Treasury Board's Parson wrote: "We were asked not to."
It's not clear who did the asking.
Public Safety was formally brought into the loop the next day. By Feb. 1, the government had activated its cyber-triage unit, which includes officials from the RCMP, Canadian Security Intelligence Service and Defence.
Government employees were formally notified the next day that Internet use was being reined in because the government had been hacked.
Public Safety has refused to answer questions about why its officials were apparently not informed of the attack at an early stage, and whether notification procedures have since changed.
However, the records indicate the mysterious digital assault prompted departments to draft a new protocol soon after for handling such events.
Last year the Conservatives announced a new cyber-security strategy, which set aside $90-million over five years, and $18-million in continuing funding toward beefing up existing systems.
But the records suggest a request for better software that could have helped detect and prevent the spread of the January attack had been languishing in a bureaucratic maze.
When the attack was first reported Jan. 24, Treasury Board seized on the crisis to fast-track a request for better tools, asking that the procurement be considered a matter of protecting national security.
Once the story began to hit the media, officials began receiving the replies they were after.
The attacks took a toll on government IT workers, as time stamps on emails show they were dealing with the issue almost round-the-clock in the early part of February.
One raised concern about staff burnout, while another sought to mobilize volunteers for the weekends to help get the system up and running again.
After the initial shutdown, government employees were allowed access to internal sites, but in order to see external sites they had to submit specific requests for approval.
The documents show employees wanted access to news, travel bookings and the search engine Google. News and travel were allowed, but not Google.
But in order to keep the government moving, Internet kiosks with full access were set up — and they remain in place.
"We're still following procedures to protect the integrity (of the system)," said Jack Aubry, a Finance spokesman.
A spokeswoman for the Treasury Board said the department "has taken the necessary measures to ensure that employees have access to the information and tools needed to meet business requirements."
She declined to comment further on the incident.
The hackers have never been publicly identified. There have been unconfirmed reports they were based in China.