
Your Guide to the Biggest Cyberattacks in Canada in 2023

Updated: November 14th, 2023

Last year, the CIRA Cybersecurity Survey 2022 reported that Canadian organizations had more difficulty warding off cybercriminals than in pre-pandemic times, with nearly 30% of companies experiencing a data breach and 15% losing reputation and customers after an attack.

This year, we're providing your guide to the biggest cyberattacks in Canada in 2023 (so far) as an accompaniment to our "8 Biggest Cybersecurity Breaches in Canada 2022" edition.

Firstly, Why is it Beneficial to Study Recent Cyber Breaches?

Analyzing recent cyber breaches helps professionals determine rising trends in certain types of threats, commonalities between IT weaknesses, and industries being targeted.

For example, when compared to cybersecurity statistics from 2019, the frequency of security breaches in 2023 has risen by 20%.

Despite Canada ranking 13th among countries for the effectiveness of its national cybersecurity strategy, the number of security breaches in Canada still rises from year to year, with 85% of Canadian organizations reporting that they were impacted by cybercriminals in the past year alone. With the average cost of a data breach for Canadian organizations across all sectors now at $5.4 million, both businesses and the Canadian government are renewing measures to strengthen cybersecurity.

With the average Canadian organization spending 11.1% of its IT budget on cybersecurity, it is no wonder that the government continues to issue legislation and amend existing security-related regulations to govern how organizations protect sensitive data.

That brings us to the main event: your guide to the biggest cyberattacks in Canada in 2023 (so far). Let's get started:

#1: The Distributed Denial of Service Campaign Targeting Multiple Canadian Sectors

In September, the Canadian Centre for Cyber Security (the Cyber Centre) was made aware of reports of numerous distributed denial of service (DDoS) campaigns targeting multiple levels of the Government of Canada, as well as organizations in the financial and transportation sectors.

These attacks are thought to have been politically motivated. Open-source reporting links some of this activity to Russian state-sponsored cyber threat actors whose tactics, techniques and procedures have been extensively documented, and indicates that these actors use denial of service tools to harass organizations.

How is this achieved? Through a collection of compromised systems operating as a botnet, which floods a targeted web server with traffic until it can no longer serve legitimate requests. On-premises controls can absorb low-volume activity; however, assistance from a third-party DDoS mitigation provider should be considered to withstand significant, focused campaigns. Websites generally return to normal operation once the actors stop the activity, and a DDoS attack does not by itself expose the data held on the target.

#2: MOVEit File Transfer Utility and its Impact on Firms EY and Beneva

In 2023, accounting giant Ernst & Young (EY) and Quebec-based insurer Beneva each had to notify clients that their data had been copied when the organization's MOVEit Transfer server was compromised. The Clop ransomware group exploited a then-unpatched SQL injection vulnerability in Progress Software's MOVEit Transfer (CVE-2023-34362) to steal data from hundreds of organizations worldwide.

In Beneva's case, fewer than 1% of its 3.5 million Canadian customers were reportedly affected, amounting to approximately 30,000 people.

A Beneva spokesperson stated that all affected customers received a free 24-month subscription to credit monitoring and identity theft protection services to help mitigate the fallout.

For EY, however, the fallout was not contained as quickly: 62 of the "big four" accounting firm's clients appeared on the Clop ransomware group's data leak site. The group's attack on the widely used MOVEit file transfer software, a supply chain compromise from the perspective of EY's clients, leaked an estimated three terabytes of sensitive information about those clients, including financial reports and accounting documents in client folders, passport scans, risk and asset management documents, contracts and agreements, credit agreements, audit reports, account balances, and more.

Impacted clients and client engagements listed included Air Canada, Altus, Amdocs, Constellation Software, EY-Continental Transition, Laurentian Bank of Canada, LendLease, Sierra Wireless, SSC Fraud Risk Assessment, St. Mary's General Hospital Surgical Services Review, Staples Canada, Sun Life Assurance of Canada, and United Parcel Service Canada Ltd, making this one of the biggest cyberattacks in Canada in 2023.

#3: Midnight Blizzard Executed Mass Social Engineering Via Microsoft Teams

Microsoft Threat Intelligence published an advisory in August detailing targeted social engineering activity, conducted over Microsoft Teams, by Midnight Blizzard (also known as NOBELIUM and APT29), a Russian state-sponsored actor.

The actor used previously compromised Microsoft 365 tenants, renamed and given security- or support-themed onmicrosoft.com subdomains so that they looked like technical support entities, to send Teams chat requests to targets. Once a target accepted the chat, the actor tried to persuade them to enter a code into the Microsoft Authenticator app, which completed the multi-factor authentication (MFA) challenge for a sign-in the actor had already initiated with credentials in its possession. The MFA control was not broken; the user was talked into satisfying it on the attacker's behalf.

While this campaign affected fewer than 40 organizations globally, they included targets in Canada. Affected organizations were advised to do the following to defend against related attacks:

  • Review the Microsoft advisory and hunt for its indicators of compromise to determine whether related activity has occurred

  • Establish employee awareness training on phishing, and implement a procedure for employees and key stakeholders to report a suspected phishing attempt

  • Implement phishing-resistant MFA, such as FIDO2 security keys, Windows Hello for Business, and certificate-based authentication

  • Enforce least privilege for administrative accounts

  • Strengthen business continuity planning
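Building on the first recommendation above, the Python script below is an added example (not from the Microsoft advisory or Packetlabs) of a triage heuristic over Teams chat records. The record layout, lure-word list, tenant names, message text and scoring weights are constructed assumptions for the example; the three signals it scores come from the campaign described above.

```python
"""Triage of Teams chat requests for MFA social engineering (added example).

Scores messages from external Microsoft 365 tenants on three signals taken
from the campaign above: a sender tenant whose onmicrosoft.com label imitates
a support or security team, a tenant this organization has never chatted
with, and a message that asks the recipient to enter or approve a code in
an authenticator app. The record layout, word lists, weights and sample
messages are constructed for this example, not a Microsoft log schema.
"""
import re
from dataclasses import dataclass


@dataclass
class TeamsMessage:
    msg_id: int
    sender: str       # sender's user principal name
    text: str
    external: bool    # True when the sender belongs to another tenant


# Assumed lure vocabulary for renamed attacker tenants; tune to your environment.
LURE_WORDS = ("microsoft", "msft", "security", "support", "helpdesk", "identity", "protection")

ACTION = re.compile(r"\b(enter|type|input|approve|send|read|share)\b", re.I)
OBJECT = re.compile(r"\b(code|number|digits|prompt)\b", re.I)
CONTEXT = re.compile(r"\b(authenticator|mfa|2fa|multi-?factor|sign-?in|verification)\b", re.I)

ONMICROSOFT = ".onmicrosoft.com"


def sender_domain(upn):
    return upn.rsplit("@", 1)[-1].lower()


def tenant_label(upn):
    """Return the tenant label of an onmicrosoft.com address, or None for vanity domains."""
    domain = sender_domain(upn)
    return domain[:-len(ONMICROSOFT)] if domain.endswith(ONMICROSOFT) else None


def asks_for_mfa_code(text):
    """True when a message asks the reader to act on a code or prompt in an MFA context."""
    return bool(ACTION.search(text) and OBJECT.search(text) and CONTEXT.search(text))


def score(msg, known_tenants):
    """Return (score, reasons). Internal messages are not scored by this check."""
    if not msg.external:
        return 0, []
    total, reasons = 0, []
    label = tenant_label(msg.sender)
    if label and any(word in label for word in LURE_WORDS):
        total += 2
        reasons.append(f"lure-like tenant label '{label}'")
    if sender_domain(msg.sender) not in known_tenants:
        total += 1
        reasons.append("first contact from this tenant")
    if asks_for_mfa_code(msg.text):
        total += 3
        reasons.append("asks for an MFA code or approval")
    return total, reasons


def triage(messages, known_tenants, threshold=3):
    """Return [(msg_id, score, reasons)] for messages at or above the threshold."""
    hits = []
    for msg in messages:
        total, reasons = score(msg, known_tenants)
        if total >= threshold:
            hits.append((msg.msg_id, total, reasons))
    return hits


# Constructed sample: tenants, senders and message text are fictional.
KNOWN_TENANTS = {"contoso-partner.onmicrosoft.com"}
SAMPLE = [
    TeamsMessage(1, "helpdesk@msftsecurityteam.onmicrosoft.com",
                 "This is Microsoft Support. To finish the security check, please "
                 "enter the code 42 in your Microsoft Authenticator app.", True),
    TeamsMessage(2, "anna@contoso-partner.onmicrosoft.com",
                 "Can we move the sync to 3 pm?", True),
    TeamsMessage(3, "bob@fabrikam.onmicrosoft.com",
                 "Quick one: approve the MFA prompt on your phone and send me the number it shows.", True),
    TeamsMessage(4, "carol@ourcompany.example",
                 "Reminder: enter the code from Authenticator when the VPN asks for it.", False),
]

if __name__ == "__main__":
    for msg_id, total, reasons in triage(SAMPLE, KNOWN_TENANTS):
        print(f"message {msg_id}: score {total}: {'; '.join(reasons)}")
```

The heuristic only looks at external traffic, so it misses a lure sent from an already-compromised internal account, and it belongs behind the control the Microsoft advisory also recommends: restricting Teams external access to an allowlist of trusted tenants, which shrinks the input to this check to a handful of known domains.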

#4: Vulnerabilities Impacting HTTP/2 - Rapid Reset Played a Role in the Biggest Cyberattacks in Canada in 2023

Industry research into a vulnerability in HTTP/2, the widely deployed successor to HTTP/1.1 used by most major web servers, load balancers and content delivery networks, was released in October 2023.

CVE-2023-44487, known as HTTP/2 Rapid Reset, abuses the protocol's stream multiplexing rather than any malformed input: a client opens a request stream with a HEADERS frame and immediately cancels it with RST_STREAM, then repeats this thousands of times per second. Because a cancelled stream no longer counts against the server's concurrent-stream limit, the server is forced to do the work of receiving, and often partly processing, far more requests than that limit was meant to allow.

The result? A denial of service. Open-source reporting confirms that this vulnerability has been exploited in the wild, including in record-setting DDoS attacks measured in hundreds of millions of requests per second. The Cyber Centre's alert was published to raise awareness of CVE-2023-44487, highlight the potential impact on organizations, and provide recommendations for Canadian organizations that may be targeted by related malicious activity.

Organizations were advised to apply vendor patches for their HTTP/2-capable web servers, load balancers and proxies, and to review and implement the Cyber Centre's Top 10 IT Security Actions, with an emphasis on consolidating and monitoring Internet gateways and isolating web-facing applications.
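As an added example (not code from the Cyber Centre alert or from any server vendor), the Python model below implements the mitigation that patched servers and proxies adopted for Rapid Reset: rate-limit stream cancellations per connection and tear down connections that exceed the limit. The connection names, frame events and thresholds are constructed for the example.

```python
"""Per-connection stream-reset rate limiting for HTTP/2 Rapid Reset (added example).

The guard tracks how many streams each peer cancels with RST_STREAM inside a
sliding window and marks the connection for teardown when the count exceeds
a limit, which is the mitigation patched servers and proxies adopted. It also
records the peak number of simultaneously open streams per connection to show
why SETTINGS_MAX_CONCURRENT_STREAMS alone does not help: the attacker cancels
each stream before opening the next, so its open-stream count never exceeds
one. Connection names, frame events and thresholds are constructed for this
example; a real server would call on_frame() from its HTTP/2 frame handler.
"""
from collections import defaultdict, deque

HEADERS = "HEADERS"
RST_STREAM = "RST_STREAM"


class RapidResetGuard:
    def __init__(self, max_resets=100, window_s=1.0):
        self.max_resets = max_resets
        self.window_s = window_s
        self.resets = defaultdict(deque)       # conn_id -> timestamps of recent RST_STREAM frames
        self.open_streams = defaultdict(set)   # conn_id -> stream ids currently open
        self.peak_open = defaultdict(int)      # conn_id -> most streams open at once
        self.closed = set()                    # connections marked for teardown

    def on_frame(self, conn_id, ts, frame_type, stream_id):
        """Account for one frame; return True if the connection should be closed."""
        if conn_id in self.closed:
            return True
        if frame_type == HEADERS:
            opened = self.open_streams[conn_id]
            opened.add(stream_id)
            self.peak_open[conn_id] = max(self.peak_open[conn_id], len(opened))
        elif frame_type == RST_STREAM:
            self.open_streams[conn_id].discard(stream_id)
            recent = self.resets[conn_id]
            recent.append(ts)
            while ts - recent[0] > self.window_s:
                recent.popleft()
            if len(recent) > self.max_resets:
                self.closed.add(conn_id)
                return True
        return False


def client_frames(conn_id, n_streams, duration_s, reset_every):
    """Constructed client behaviour: open n_streams evenly over duration_s,
    cancelling every reset_every-th stream right after opening it."""
    frames = []
    for i in range(n_streams):
        stream_id = 2 * i + 1                      # client-initiated streams use odd ids
        ts = i * duration_s / n_streams
        frames.append((conn_id, ts, HEADERS, stream_id))
        if i % reset_every == 0:
            frames.append((conn_id, ts, RST_STREAM, stream_id))
    return frames


def simulate():
    """Feed a well-behaved client and a Rapid Reset client through one guard."""
    guard = RapidResetGuard(max_resets=100, window_s=1.0)
    legit = client_frames("conn-legit", n_streams=50, duration_s=10.0, reset_every=10)    # 5 cancels in 10 s
    attack = client_frames("conn-attack", n_streams=1000, duration_s=0.5, reset_every=1)  # 1000 cancels in 0.5 s
    for frame in legit + attack:
        guard.on_frame(*frame)
    return {"closed": sorted(guard.closed), "peak_open": dict(guard.peak_open)}


if __name__ == "__main__":
    result = simulate()
    print("connections to close:", result["closed"])
    print("peak open streams per connection:", result["peak_open"])
```

The well-behaved client ends up with far more streams open at once than the attacker ever does, yet only the attacker is dropped: a limit on open streams would penalize the wrong client, while a limit on the rate of cancellations isolates the abusive behaviour.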

#5: Indigo Lost $50M, in Large Part Because of Their Recovery Time Post-Cyberattack

Indigo Books & Music lost a staggering $50 million in its last fiscal year, largely because of its highly publicized cyberattack.

The TSX-listed company posted results in mid-2023 for its most recent quarter and for the full financial year ending April 1st, revealing that the book retailer's revenue was $1.058 billion: a decline of $4.6 million, or 0.4%, from the year before.

Merchandise sales, by contrast, grew by $4.6 million (0.5%) to $1.015 billion, compared with $1.010 billion in the prior year.

The loss is largely attributable to the infamous February ransomware attack, which left Indigo's stores unable to process debit or credit card transactions for several days and took its website offline for nearly a month, wiping out online sales for that period.

Cyberattacks like the one on Indigo reiterate the importance of investing in cybersecurity preemptively rather than after a breach has occurred; this is particularly true for cyber insurance, which 48% of SMBs purchase only after a breach.

#6: Air Canada Employee Data Was Leaked in Security Breach

Air Canada, the country's largest airline, confirmed this year that it had experienced a security breach in which an unauthorized group briefly gained limited access to the "personal information of some employees and certain records."

The company's statement gave little detail on the extent of the breach or when it occurred, but stressed that no customer information had been compromised. Air Canada also said it quickly took measures to mitigate the breach's impact, and that it had contacted the affected parties and the relevant authorities.

Around the same time, the Canada Border Services Agency (CBSA) confirmed that a distributed denial of service (DDoS) attack caused connectivity issues affecting check-in kiosks and electronic gates at numerous airports nationwide.

A pro-Russia hacktivist group claimed responsibility for several attacks on Canadian government organizations at the time, including the CBSA and the Canadian Air Transport Security Authority. Unlike the Air Canada incident, the airport disruption was a DDoS against public-facing services and did not involve a data breach.

#7: Southwestern Ontario Hospitals Had to Rebuild Networks in the Wake of Cyberattacks

Five hospitals in southwestern Ontario were hit by a sophisticated cyberattack in October and had to rebuild their networks from scratch.

"Through our investigation, we know that all our clinical and non-clinical systems were impacted as they are reliant on a safe, secure network," read a statement released by the hospitals' shared IT provider, TransForm, and distributed by Windsor Regional Hospital, Hotel-Dieu Grace Healthcare, Erie Shores HealthCare, Bluewater Health, and Chatham-Kent Health Alliance. The statement went on to say that experts had advised TransForm that rebuilding all networks was the safest course of action.

The update also specified which systems were affected and which records doctors might not be able to access. These included, but were not limited to, patient records and history, patient medication lists, pre-admission work-ups, and reports from other professionals involved in patients' care.

This fits a broader pattern: healthcare has been one of the most-targeted industries for cyberattacks for five years in a row, with unauthorized access incidents in hospitals up 162% since 2019.

#8: Cyberattacks Targeted Both Military and Parliament Websites in One of the Biggest Cyberattacks in Canada in 2023

A hacker group based in India claimed responsibility for a series of cyberattacks on military and parliamentary websites. Canada's signals intelligence agency, the Communications Security Establishment, characterized them as "nuisance" attacks that likely did not put private information at risk: they targeted the public-facing websites of government institutions, not the core infrastructure on which federal departments and agencies operate.

In September, the month the attacks occurred, the Canadian Armed Forces said its website became unavailable to mobile users but was restored within a few hours. The site is separate from other government sites, such as that of the Department of National Defence, and from internal military networks, so the outage had no lasting consequences.

Meanwhile, various pages on the House of Commons website continued to load slowly or incompletely due to an ongoing DDoS attack. "House of Commons systems responded as planned to protect our network and IT infrastructure. However, some websites may be unresponsive for a short period," spokesperson Amelie Crosson said in a written statement that week.

#9: Suncor Energy Hit By Cyberattack, Impacting Petro-Canada Gas Stations Country-Wide

Calgary-based Suncor Energy was the latest oil company to report a cybersecurity incident in 2023.

The attack first came to light when social media users reported being unable to pay with credit or debit cards at the company's Petro-Canada gas stations, as well as difficulties using the company's car wash services.

Until this incident, Canada had not seen a large-scale, successful cyberattack on a domestic oil and gas company. Cybersecurity experts have nonetheless warned for years that the country's energy industry is an attractive target, both for financially motivated cybercriminals, such as ransomware operators, and for state-sponsored actors seeking to create geopolitical disruption.

Takeaways From the Biggest Cyberattacks in Canada in 2023

In 2023 and beyond, no industry is safe from cyber breaches. Proactive cybersecurity has never been more vital.

Here at Packetlabs, we support that goal through a variety of services:

  • DevSecOps: DevSecOps is integrated early in your development cycle and acts as an extension of your development team, flagging vulnerabilities and feeding them into your existing defect management systems

  • Red Teaming: Red Teaming is a full-scope simulated attack designed to get a holistic review of the level of risk and vulnerabilities across people, processes, and tech in an organization

  • Purple Teaming: Purple Teaming is our collaborative testing exercise where the Packetlabs red team works with your internal security operations team (or blue team) to bridge the gap between offensive techniques and response efforts

  • Cyber Maturity Assessments: A Cyber Maturity Assessment supports the tactical direction of your cybersecurity strategy. As the first step in strengthening your security posture, this assessment generates the roadmap to strengthen your overall security program

  • Compromise Assessments: A Compromise Assessment uncovers past or present threats like zero-day malware, trojans, ransomware, and other anomalies that may go unnoticed in standard automated vulnerability scans

  • OT Assessments: OT Cybersecurity Assessments simulate the likelihood of an attacker reaching the control centre from an external and internal perspective with production-safe testing

  • Ransomware Penetration Testing: A ransomware penetration test evaluates the preparedness and risk of a ransomware attack and identifies gaps in people, processes, and technology, to determine the likelihood and readiness for a ransomware attack

  • Cloud Penetration Testing: Multiple perspectives help with strengthening your security posture. These include Cloud Penetration Testing, which simulates an attacker in the environment, and a Cloud Penetration Review, which provides insights into cloud-specific vulnerabilities originating from an insecure configuration. Each of these services can be conducted separately or, for maximum effectiveness, combined as an enhanced cloud security bundle

  • Objective-based Penetration Testing: Following a preliminary penetration test, objective-based testing conducts a more advanced simulated cybersecurity attack. The test is conducted by persistent ethical hackers who deploy multiphase attacks to gain access to your organization's data, so that you can discover gaps and vulnerabilities unique to your organization and test your ability to detect and respond to threat actors

  • Application Security Testing: More targeted in scope than a regular pentest, application security testing uncovers vulnerabilities residing in your web and mobile apps. Application Security Testing actively explores your application from an attacker’s perspective

  • Infrastructure Penetration Testing: An infrastructure penetration testing assessment uncovers vulnerabilities in your IT and network systems and provides a tailored approach to each environment

These are in addition to the Packetlabs Portal, which lets you quickly view findings, prioritize efforts, request retests after remediation, and monitor progress.

Each type of penetration test or assessment can be tailored to your organization's specific cybersecurity wants, needs, goals, and pre-existing vulnerabilities. 

Conclusion

Over the past five years, there has been a significant increase in attacks on public infrastructure, healthcare systems, and educational institutions.

Cybercriminals have not only become more sophisticated; they have also become more coordinated in their attacks on the system.

Now more than ever, organizations around the world must take proactive steps to secure their digital infrastructure to prevent, mitigate, and remediate both successful and attempted breaches.

Looking to take the next step to strengthen your security posture? Reach out to our team today for your free, zero-obligation quote.
