Wednesday, January 04, 2017

Russian hackers target Canada

The news cycle has a funny way of rewriting my schedule. This one's a doozy.

I got an email yesterday from the news team at CTV Toronto. They were working on an exclusive story and wanted my take. The FBI and Department of Homeland Security in the U.S. had released a big list of Internet Protocol (IP) addresses that they suspected of having been used by Russian hackers in their attempts to break into systems owned by the Democratic National Committee. The story has been swirling for months that state-sponsored Russian hackers had been trying to influence the outcome of the U.S. presidential election by engaging in cybercrime against electoral targets. (And, no, despite what Donald Trump says, we can't simply "go on with our lives." This stuff is important, and we're all at risk if we simply do nothing.)

The list released by the FBI/DHS contained some 900 so-called malicious IP addresses that were allegedly targeted by the hackers. Six of those IP addresses were traced to Canada. One of them was traced to HydroOne, the huge electric utility that serves the province of Ontario. Ruh roh!

What's the deal with IP addresses, anyway? Each IP address typically corresponds to a unique Internet-connected device, like a laptop, a server, or possibly even an Internet-connected smart device. Every Internet-connected device has a unique IP address, and everything we do online has that IP address attached to it. Send an e-mail, and that IP address is included in the package. Tweet someone? Post a Facebook status update? All of these activities have an IP address embedded in them, and assuming you know where to look, you can easily track the activity right back to its source.

Except hackers don't much like having their activities traced back to them. So instead of using their OWN computers to launch attacks, they hunt around online looking for devices and computers with weak security. And when they find them, they install malware on them that lets them remotely take over the machine - often without the owner's knowledge. Are you a victim? Well, if you don't use updated security software, are always clicking on unknown links from friends and strangers alike in Facebook, use the same easy-to-guess password on multiple systems and haven't changed your passwords in ages, there's a reasonable chance that your computer has at least some malware on it.

The good news: it doesn't look like the Russian hackers were directly targeting the electric utility, and they weren't trying to break into any nuclear generating stations, either (Good...I'll cancel that earlier ruh roh.) Rather, they were targeting weak systems with malware that would then give them a jumping-off point for further attacks - and would make it difficult for those attacks to be traced back to their original source. It's classic hacker methodology: Probe into vulnerable systems, implant malicious code on them, then springboard from there. Sometimes these victimized networks are called "zombie nets", and we often see them used in those big Distributed Denial of Service attacks.

The bad news: Hydro One's security protocols are woefully inadequate if they allow one of their systems - it could be a laptop, a server or some other computing device - to be compromised in this way. Just as you and I have to keep our security software updated and can't click on every link we see on Facebook lest our machines get infected with malware, Hydro One had to ensure its own systems were similarly protected, and it failed to do so. Someone's got some 'splaining to do. And the fact that Hydro One is among those victimized reinforces to us yet again that no one, and nothing, is safe.

As you can imagine, thanks to some faceless Russians and an apparently asleep-at-the-switch electric utility employee, I've been a bit busy on the media front explaining this one.

CTV National News led with the story, and my clip was included at the top of the show (link here) and in Senior Political Correspondent Glen McGregor's report (link here). CTV Toronto's Paul Bliss broke the story in Toronto, and his report is here. The main story is here:
Exclusive: IP address at Ontario power utility linked to alleged Russian hacking

I spoke live with CTV News Channel's Scott Laurie last night, and am scheduled for another hit with the network this morning at 9 ET. I spoke with Newstalk 1010's John Moore at 5:47 and am live again with CKTB Niagara's Tim Denis at 6:50. I expect more of the same as the fallout from this highly disturbing chapter in digital vulnerability continues to ripple out.

It makes for early mornings, late nights and long days in between, but it's quite the experience to be right in the middle of a media storm like this one - and to be the guy who tries to sort it all out.


21 Wits said...

Wow, now this is exciting stuff, and I totally agree with you that it is VERY extremely IMPORTANT to keep a handle on this. Good luck and good work in this!

Anonymous said...

More often than not, in the case of an IP Address related to a business, that IP Address is performing Proxy or Network Address Translation for any number of computers behind it on the internal network. Seldom does a laptop or a PC have its own dedicated IP address when it is part of an organisation. I would like to know more about the purpose of the device in question and how many devices on the internal network may have been compromised by malware and involved in this incident.
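A defender's follow-up to the post and the comment above, as an added example that is not part of the original post or the FBI/DHS release: given a published list of suspect addresses, triage NAT/firewall logs to find internal hosts that contacted listed infrastructure and, when the listed address is your own NAT egress, which internal hosts were behind it. The indicator list, log format and all addresses are constructed placeholders (documentation ranges), not real indicators.

```python
import ipaddress
from collections import defaultdict

# Constructed indicator list standing in for a published list of
# attacker-used addresses (documentation ranges, not real indicators).
INDICATORS = ["198.51.100.7", "203.0.113.0/24", "192.0.2.44"]

# Constructed NAT/firewall log lines: internal source, the public address
# it was translated to, and the external destination it contacted.
LOG_LINES = [
    "2017-01-03T14:02:11Z src=10.20.30.40 nat=192.0.2.44 dst=203.0.113.9 dport=443",
    "2017-01-03T14:05:42Z src=10.20.30.41 nat=192.0.2.44 dst=192.0.2.10 dport=80",
    "2017-01-03T14:07:03Z src=10.20.31.7 nat=192.0.2.45 dst=198.51.100.7 dport=8080",
    "garbled line that should be skipped",
]

def load_indicators(entries):
    # ip_network accepts single hosts and CIDR ranges; strict=False tolerates
    # host bits set inside a range (e.g. "203.0.113.5/24").
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def parse_line(line):
    # key=value fields after the timestamp; malformed lines yield None.
    fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
    try:
        return (ipaddress.ip_address(fields["src"]),
                ipaddress.ip_address(fields["nat"]),
                ipaddress.ip_address(fields["dst"]))
    except (KeyError, ValueError):
        return None

def listed(addr, nets):
    return any(addr in n for n in nets)

def triage(indicators, log_lines):
    nets = load_indicators(indicators)
    # Two separate questions: which internal hosts talked to listed
    # infrastructure, and which internal hosts sat behind an egress address
    # that is itself on the list (the NAT situation raised in the comment).
    contacted = defaultdict(set)            # listed destination -> internal hosts
    behind_listed_egress = defaultdict(set)  # listed egress address -> internal hosts
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, nat, dst = parsed
        if listed(dst, nets):
            contacted[str(dst)].add(str(src))
        if listed(nat, nets):
            behind_listed_egress[str(nat)].add(str(src))
    return ({k: sorted(v) for k, v in contacted.items()},
            {k: sorted(v) for k, v in behind_listed_egress.items()})
```

The second dictionary is the one that answers the commenter's question: a flagged business address alone does not tell you which machine was compromised, only which hosts shared that egress during the window under review.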