Ransomware expert suggests suspect in RMC cyber attack

Royal Military College in Kingston, Ont. Kingstonist file photo.

Network services are still down at the Royal Military College of Canada (RMC) in Kingston, following a cyber attack on Friday, July 3. While classes will proceed as scheduled using a contingency setup, the academic network that normally handles administration, email, student communications and research remains offline.

“To prevent damage and spread, it is industry best practice to disconnect and shut down networks experiencing a cyber incident,” said Jessica Lamirande, Media Relations Officer for the Department of National Defence (DND).

“This practice was quickly applied for this incident and, while the investigation is ongoing, network services such as e-mail will remain offline,” she said.

Cyber threat analyst weighs in, names hacker

Lamirande said DND cannot share details of the ongoing investigation. However, cyber security expert Brett Callow told the Kingstonist he believes a group called DoppelPaymer is behind the attack. A threat analyst for the firm Emsisoft, Callow said it was an obvious ransomware scheme.

“Like numerous other groups, DoppelPaymer steals their victims’ data before encrypting it,” Callow said. “Unless the ransom is paid, the data gets posted online, typically in a series of installments to gradually ramp up pressure on the organization,” he said.

Callow became aware of RMC’s predicament when he found their data on offer on the dark web. “We came across the data on this specific group’s leak site,” he said. “They have posted various financial documents, as well as a folder labeled Student DB.”

“We’re a cyber security company and have particular expertise in ransomware,” he added, “so we monitor the activities of these groups very closely.”

A partner of Europol’s No More Ransomware project, Callow said Emsisoft creates tools that can sometimes recover, or decrypt, stolen data without the victim paying a ransom. In the case of DoppelPaymer, he said, that is not possible.

“Organizations hit by DoppelPaymer basically have few options. They can either restore their data from backups, unless those have been encrypted or deleted as well; or, they can pay for it,” he said.

Callow said DoppelPaymer’s other apparent victims include municipalities, the Old Spaghetti Factory restaurant, the US Department of Agriculture and the Chilean Ministry of Agriculture.

“They also have been hitting a lot of Canadian transport and logistics companies lately,” he said, “too many for that to be a coincidence.”

Classified systems not affected

DND would not confirm that DoppelPaymer was responsible for the hack, whether a ransom had been requested, or what, if any, of the institution’s information had been leaked.

Lamirande said the incident has not affected any classified systems or classified research at RMC. DND’s operations are also not affected, she said.

“We are also working closely with the RCMP, and have started collaborating with the Canadian Centre for Cyber Security to implement measures to minimize potential impact to our people and operations,” she added.

Callow said that when it comes to law enforcement for these types of attacks, there’s “pretty much nothing” to be done.

“It’s extremely hard to find these groups,” he said. “They move everything through various proxies and Tor-based encrypted connections. Which is why the conviction rates of cyber crimes are something like 0.05 percent.”

Samantha Butler-Hassan, Local Journalism Initiative

Samantha Butler-Hassan is a staff writer and life-long Kingston resident. She is a news junkie and mom who loves reading and exploring the community. This article has been made possible with the support of the Local Journalism Initiative.
