Cyber attack hits engineering giant with contracts for military bases, power plants
OTTAWA — A Canadian engineering giant whose work involves critical military, power and transportation infrastructure across the country has been hit with a ransomware attack.
Toronto-based Black & McDonald has so far refused to publicly comment on the cyberattack, while the Department of National Defence and other clients of the company have downplayed any impact or damage.
"Black & McDonald notified OPG that they had experienced a ransomware attack which was unrelated to OPG operations and information," said Ontario Power Generation spokesman Neal Kelly.
"OPG conducted an immediate investigation and found there was no impact to our operations. OPG constantly monitors to ensure the highest levels of cybersecurity.
Experts are nonetheless concerned, saying the attack on Black & McDonald represents a far greater threat to Canada's national security and critical infrastructure than the attack on Canada's largest bookstore chain, Indigo Books & Music Inc.
"This is a different ball game," said David Shipley, CEO of cybersecurity firm Beauceron Security. "If it's tied back to Russia in some way, then we've got some more questions to ask. Other nation-states are stepping up cybercrime groups as well, notably North Korea, but also Iran."
Details about the ransomware attack are scarce, with Black & McDonald refusing even to confirm it happened.
Department of National Defence spokeswoman Jessica Lamirande in a statement said it was first reported to Defence Construction Canada, which handles contracts with outside companies for the support and maintenance of military bases across the country.
"Once DCC was informed of the incident, it blocked all incoming emails from Black & McDonald out of an abundance of caution and conducted business by phone or in person," she said. "Once the contractor restored its email system and informed DCC, email communication resumed."
But while Lamirande confirmed the company reported the cyber breach early last month, she could not comment on the ransomware's origins or what measures the company had taken.
Black & McDonald and its subsidiary Canadian Base Operators have several multimillion-dollar contracts with the Defence Department for the support of Canadian military bases, including one signed in 2020 and valued at $157 million over 10 years.
The company, which has 5,500 employees across Canada and reported more than $1.5 billion in sales last year, also provides engineering and construction services for critical infrastructure projects, including nuclear power plants, airports and with the Toronto Transit Commission.
"We were advised by B & M last week, but no immediate concerns were conveyed," TTC spokesman Stuart Green said in an email, adding: "No impact on the TTC."
Without more information on the nature of the attack and its culprit, Shipley takes such assurances with a grain of salt.
"An absence of evidence that something bad happened doesn't mean something bad didn't happen," he said. "What proof do you have that says this didn't get touched, exfiltrated, et cetera. How are you this confident?"
Until more information is available, Shipley said questions will remain.
Cybersecurity officials inside and outside government have been warning for years about the need to strengthen Canada's cyber defences when it comes to critical infrastructure. The country has already seen the impact of such an attack.
Late last year, hackers accessed the private data of more than 58,000 Newfoundlanders. They also wiped out the information technology systems of the province's largest health authority, forcing officials to cancel thousands of appointments, including cancer care.
The threat of a successful attack isn't just losing information. A growing number of devices used to control nuclear power plants, air-traffic control systems and other infrastructure can be accessed remotely, said Terry Cutler, CEO of cybersecurity firm Cyology Labs.
"So it's very serious because if that data got out, they're going sell it on the dark web," he said. "Cyber criminals will sell it, and maybe state-sponsored actors will buy that stuff. And then from there, they can start building up plans to attack."
Black & McDonald's ties to the Canadian military are also a potential source of concern, said Brett Callow, a threat analyst with cybersecurity firm Emsisoft, particularly given current tensions with Russia.
"Some ransomware operations are Russia-based and some are believed to have connections to the Russian government," he said. "This means there's no way to know where the data that they steal may end up or, necessarily, even what the real motive for an attack may be."
There have been reports of other attacks on Canadian defence firms in the past year, though whether there has been an increase is unclear as companies are not normally required to report incidents to the government, let alone the public.
"There's so much secrecy around incidents that's it's hard to tell whether attacks are trending up or trending down," Callow said.
This report by The Canadian Press was first published March 8, 2023.
Lee Berthiaume, The Canadian Press