An alleged cyberattack on transit provider Metrolinx from North Korea is sparking concern about state-sponsored attacks on infrastructure, but also criticism that the Ontario government agency is making the accusation without showing any proof.
Metrolinx confirmed that malware was recently found on one of the agency's computer networks, but said that transit safety was not compromised and neither customer nor staff information was leaked.
Anne Marie Aikins said that investigators believe the attack originated in North Korea and was routed through Russia, a scenario that would make it part of what one expert called "a frightening new chapter" in cybersecurity.
Independent technology analyst Carmi Levy said that the alleged source of the attack points to a worsening vulnerability around key infrastructure.
"It actually fits in with the growing online risk that public utilities – namely power generation/distribution, transportation, water, sewage and other infrastructure, etc. – now face," he wrote in an e-mail. "It's the kind of thing that should keep us all up at night, and the signs now point to state-sponsored hackers getting in on the action."
Last month, the United States government accused North Korean hackers of being behind the WannaCry virus, a massive ransomware attack in May that locked thousands of computers in more than 150 countries. A series of attacks, including financial crimes and the 2014 hack of Sony Pictures, have been blamed on the Lazarus Group, which some experts believe has links to North Korea.
In the case of Metrolinx, the agency's justification for blaming North Korea remains shrouded in secrecy. Ms. Aikins said the agency could not reveal its proof for security reasons, sparking criticism from the head of Citizen Lab, a digital rights group at the University of Toronto.
Ron Deibert said it would be "highly unethical and irresponsible" for Metrolinx not to make public its proof.
"Given the high stakes for public safety and foreign policy, there is no reason whatsoever for Metrolinx to not disclose whatever evidence they have," he argued. "If North Korea was indeed responsible for the attack, that would be a major development necessitating a Government of Canada response, since Metrolinx is a Crown corporation."
Queries seeking federal reaction at Public Safety Canada, which oversees the Canadian Cyber Incident Response Centre, were referred to Global Affairs Canada. A spokesman there referred them back to Public Safety.
Ms. Aikins said only that the agency is "working very closely with our cybersecurity officials in Toronto and Ottawa."
The malware was believed to be the type that, once latched onto a system, tries to use its position to access networks connected to the one it targeted. In the case of Metrolinx, it was found by cyberexperts hired by the agency to probe its own system.
Ms. Aikins called the case an example of the need for strong and evolving security precautions.
"It's important that you invest in the most robust information systems, that they be tested regularly and updated," she said.
A spokesman for the Toronto Transit Commission said that it has not experienced an attack of the type described by Metrolinx, but that it has increased cybersecurity monitoring as a result.