Canada among targets in Russian hack on U.S., private companies, Microsoft says

Open this photo in gallery:

Tech giant Microsoft Corp. says Canada was among the targets of a major hack that is believed to have been carried out by Russian intelligence against U.S. government computer systems, private companies and others around the world.

Ottawa has said little about the sophisticated cybersecurity breach. However, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Texas-based SolarWinds Inc.’s’ widely used network-management software was targeted in order to breach government and corporate networks.

Microsoft president Brad Smith said in a blog late Thursday that his company was hacked in connection with the attack on SolarWinds and that Canada was also hit.

“While roughly 80 per cent of these customers are located in the United States, this work so far has also identified victims in seven additional countries,” Mr. Smith said. “This includes Canada and Mexico in North America; Belgium, Spain and the United Kingdom in Europe; and Israel and the UAE in the Middle East. It’s certain that the number and location of victims will keep growing.”

Mr. Smith said more than 40 organizations were hacked including U.S. government agencies, companies with contracts with the U.S. government, tech companies and think tanks. He suggested Russia was behind the hack, pointing to the cybertechniques the country used in the 2016 U.S. election and French presidential election of 2017.

But he said this sophisticated cyberintrusion is far more worrying.

“This is not ‘espionage as usual,’ even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world,” he wrote. “The recent attackers used a technique that has put at risk the technology supply chain for the broader economy.”

Canada’s Communications Security Establishment, which is responsible for electronic surveillance and cybersecurity, said Friday that it is assessing the situation and working to ensure federal information technology (IT) systems and networks remain secure.

“While this situation remains ongoing, the Canadian Centre for Cyber Security is actively engaged with our government and non-government partners sharing cybersecurity advice and guidance, mitigation, and operational updates,” CSE spokesperson Evan Koronewski said in an e-mail.

Mr. Koronewski said the Canadian Centre for Cyber Security, a unit of CSE, has issued a Cyber Alert with recommended actions and mitigation advice including isolating SolarWinds servers and blocking internet egress from servers or other endpoints with SolarWinds software.

“The Cyber Centre does not comment on reporting by Canadian organizations regarding cyber incidents. As a result, we do not have any further information to add on potential targets and/or victims,” he added.

The Department of National Defence (DND) said it had used SolarWinds products in the past.

“The contracts for SolarWinds software identified, used at CFB Shilo, expired about ten years ago and did not involve the specific vulnerable version reported by U.S. agencies,” said Daniel Le Bouthillier, head of media relations at National Defence.

However, he said DND is assessing and monitoring “our systems to ensure our personnel, operations and capabilities are protected.” He provided no further comment.

Shared Services Canada, which manages the majority of Ottawa’s IT infrastructure, said that at this point, none of the SolarWinds platforms and products used by the government have been affected by the incident.

“As this is an ongoing issue, Shared Services Canada continues to assess the situation and is working with its government partners to ensure networks remain secure,” the department said Friday.

The U.S. government’s CISA said the hacking operation, which is believed to have started in March, breached U.S. federal agencies and “critical infrastructure” in an attack that was hard to detect and will be difficult to undo.

“This threat actor has demonstrated sophistication and complex tradecraft in these intrusions,” CISA said. “Removing the threat actor from compromised environments will be highly complex and challenging.”

CISA has not said who it thinks is the “advanced persistent threat actor” behind the “significant and ongoing” campaign, but many experts are pointing to Russia.

“The magnitude of this ongoing attack is hard to overstate,” former U.S. Homeland Security adviser Thomas Bossert said in an article in The New York Times. “The Russians have had access to a considerable number of important and sensitive networks for six to nine months.”

Russian presidential spokesman Dmitry Peskov said Moscow had nothing to do with this hack.

“Even if it is true [that] there have been some attacks over many months and the Americans managed to do nothing about them, possibly it is wrong to groundlessly blame Russians right away,” Mr. Peskov told the Russian news agency Tass.

President-elect Joe Biden vowed to make the breach a top priority when he takes office in early January.

“We need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place,” he said in a statement. “We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in co-ordination with our allies and partners.”

Our Morning Update and Evening Update newsletters are written by Globe editors, giving you a concise summary of the day’s most important headlines. Sign up today.