A multi-million dollar Ontario construction firm that has worked on major federal and provincial projects including facilities for national defence and police stations has been hit by a ransomware attack.
According to CBC News, Bird Construction of Mississauga, Ont., acknowledged that it was recently victimized, but didn’t give any details.
“Bird Construction responded to a cyber incident that resulted in the encryption of company files,” the CBC quoted an unnamed company spokesperson as saying. “Bird continued to function with no business impact, and we worked with leading cybersecurity experts to restore access to the affected files.”
IT World Canada has been trying unsuccessfully to get hold of the company.
Brett Callow, a British Columbia-based security analyst with the anti-virus software firm Emsisoft, told IT World Canada that in December the group behind the Maze ransomware posted a note on its site that it had infected the construction company’s systems. The Maze group includes data theft among its strategies, using the threat of releasing some data to pressure victims into paying up. That December note was one of a list of companies Maze said hadn’t co-operated, so their data might be released.
It isn’t clear from the company’s statement if it paid a ransom. But Callow said that for a brief period of time the employee records of a few Bird Construction employees — including their social insurance numbers — were posted on the Maze site. In addition, a document from Calgary-based Suncor Energy that didn’t have personally identifiable information was briefly published by Maze.
“It’s not at all unlikely that the actors are still in possession of the data,” Callow said in an email. “Even if Bird paid the ransom, it seems likely that the criminals would retain the data as they are able to use or monetize at a later date.”
Callow added he has major concerns around the exfiltration and blackmail tactics that are being deployed.
“Based on what we see, it seems many companies are quietly paying ransoms and then making no form of disclosure (the U.K. press is currently looking into another case). And, of course, that means employees and customers do not find out that their data has been exposed and so do not know that they should take action,” he explained.
UPDATE: Asked if the federal government has security worries as a result of the attack because Bird Construction has been a big contractor, a spokesperson for the Canadian Centre for Cyber Security said it “is aware of the many constantly evolving ransomware threats that can affect Canadians and Canadian businesses, including Maze. While the Cyber Centre does not name specific companies or organizations affected by a cyber incident, we have recently updated our published guidance on ransomware which focuses on prevention and recovery.”
For its fiscal year ending December 2018 Bird Construction had operating revenue of $1.3 billion and a net loss of $1 million. The fiscal 2019 results haven’t been announced yet. In November the company recorded a third-quarter net income of $6.8 million on construction revenue of $378 million. In December the company said it had signed a subcontract with the consortium building the second stage of an extension of Ottawa’s light rail transit line. Its job will be to build seven of the 16 stations and a light maintenance and storage facility. No value for that contract was announced.
Over the years Bird Construction has built or been part of consortiums for a number of facilities across Canada, some of them which could be considered sensitive. These include the $263 million RCMP’s southern B.C. headquarters in Surrey; 18 facilities for the Ontario Provincial Police, an aircraft maintenance hangar for Canadian Force base at Trenton, Ont.; and the $104 million expansion of helicopter facilities at the air force base in Dartmouth, Nova Scotia.