Canada's spy agency warned the government that federal departments were under assault from rogue hackers just weeks before an attack crippled key computers.
A newly released intelligence assessment, prepared last November, sounded a security alarm about malicious, targeted emails disguised as legitimate messages — the very kind that shut down networks two months later.
"The systems and networks used by various Canadian government departments have been attacked directly or indirectly," says the Canadian Security Intelligence Service report.
A declassified copy of the top secret intelligence assessment, Cyberattacks on Canadian Government Departments: An Overview, was obtained by The Canadian Press under the Access to Information Act.
Extensive portions of the Nov. 4, 2010, report — including what are likely direct references to foreign suspects — have been excised due to ongoing sensitivity of the material.
"Canada has been engaged in detecting, monitoring and mitigating a series of ongoing and evolving ... cyberattacks directed against the computer systems and networks used by Canadian government departments," says the CSIS document.
"The perpetrators of such attacks use ... correspondence directed against individuals within Canadian government departments," adds the report, noting they rely on "crafted emails with malware in their attachments or links to externally hosted malicious files.
"The emails appear to have been sent by trusted individuals in Canada or officials associated with foreign governments and international organizations, meetings and expositions."
Employee Internet access at the Treasury Board and Finance departments — whose systems are shared — was cut off in January after what officials called "an unauthorized attempt" to break into the networks.
A routine evaluation of both departments last year revealed they had not been following all of the government's information technology security requirements.
Records previously released under the access law show government employees in a number of departments were advised last January of attempts to break into their systems, only days before one of the attempts succeeded.
The CSIS assessment notes the "tools and techniques used in these attacks are in a constant state of development and incorporate new computer-related technologies and Internet-related capabilities."
It says "attribution is difficult when dealing with computer-based attacks which can be routed through a number of computers, or 'hop points."'
In a speech last year, CSIS director Dick Fadden said Canada is attractive to foreign spies because it's a leader in areas such as agriculture, biotechnology, communications, mining and the aerospace industry.
"Certainly, China has often been cited in media reports as an example of a country that engages in such activity but it would not be exclusive to that country. Just as the Internet is global, so is the cyber threat," Mr. Fadden said.
In its annual public report last June, the spy service said cyberattacks launched through the Internet were the fastest growing form of espionage.
Attackers target computer systems in search of technology, intellectual property, military strategy and commercial or weapons-related information, the annual report said.
The civilian watchdog that monitors CSIS says the spy service takes a two-pronged approach to cyber investigations: first, it tries to determine whether the attacks are aimed at Canada and, second, examines the motivation behind them.
The Security Intelligence Review Committee also found that CSIS works very closely with the Communications Security Establishment, a sophisticated wing of the Defence Department with the twin role of snooping on foreign communications and protecting Canadian networks from intrusions.
While CSE's intelligence provides CSIS with investigative leads, information collected in the course of CSIS probes can enhance CSE's ability to respond to cyber-threats, says the review committee's annual report released last Wednesday.
Arthur Porter, the Montreal doctor who chairs the civilian committee, said in an interview that while the area of investigation was rather new, CSIS was playing an appropriate role.
"We could find no evidence that it had overstepped its bounds."