Infosec experts are wondering why someone in North Korea planted malware on a computer system run by Metrolinx, the provincially run Toronto suburban transit authority.
Anne Marie Aikins, senior media manager of the rail and bus network that links the suburbs to Ontario’s biggest city, confirmed in an interview Tuesday that its infosec hacking team, working with provincial penetration experts, discovered the intrusion about a week ago.
The agency’s firewall was breached and malware was left on a system, she said, but “at no time was customer private information compromised, nor were any of our safety systems.”
While attribution of cyber attacks can be difficult, she said the agency is “extremely confident” this attack came from North Korea after being routed through Russia.
Aikins wouldn’t detail how the security staff found evidence of the intrusion. But she did say the agency has a team of ‘ethical hackers’ — some call this a red team — that works with Ontario government infosec experts to test Metrolinx’s systems. They found the unspecified malware. Other cyber agencies, which she refused to identify, helped in the response, she added.
A network intrusion at Metrolinx is almost unprecedented. “I’m not sure if I’ve ever been aware of a breach,” Aikins said, in the six years she’s been with the agency.
According to its last annual report, for the 2015-2016 fiscal year Metrolinx’s network handled about 73 million rides. It has an annual budget of about $814 million.
A foreign hacker could have a number of motives for such an attack: trying to indirectly penetrate a government network, financial theft or just mischief. Experts have been writing for years about North Korea’s cyber capabilities, citing attacks on South Korea’s infrastructure. Many — but not all — attribute the 2014 cyber attack on Sony to North Korea as a protest over the movie “The Interview.” North Korea has denied responsibility.
Ray Boisvert, Ontario’s security advisor and a former assistant director of intelligence at the Canadian Security Intelligence Service (CSIS), has long warned about the cyber capabilities of nation states. At an ITAC seminar in December, he said there are 100 countries that can “deliver APTs (advanced persistent threats) and live on your network and do anything they wish.”
David Swan, Alberta-based director of cyber intelligence at the Centre for Strategic Cyberspace and Security Science, an international consultancy, said in an interview that attacks on his firm’s Canadian client base attributed to North Korea are rare. That doesn’t mean it is an uncommon source. “Canadian companies are very conservative on what they let out (about cyber attacks), and that’s a problem because if you don’t share information on who’s attacking then the bad guys get to run around the neighborhood and keep doing it.”
Canada is not a large player in the verbal and diplomatic offensive against North Korea, which is led by the United States. However, Swan noted that last week it co-hosted — with the U.S. — a meeting of 20 countries in Vancouver to “demonstrate global solidarity in opposition to North Korea’s illegal and dangerous actions,” specifically building nuclear missile capability. “As North Korea feels the impact of sanctions, it will become more reliant on state-sponsored criminal activity, including through cyber operations, to help fund its WMD (weapons of mass destruction) programs,” their joint statement said. “North Korean cyber-attacks and other malicious cyber activities pose a risk to critical infrastructure in countries around the world and to the global economy.”
That conference “makes Canada a target if (North Korea) is looking for revenge,” Swan said.
At last year’s SecTor conference in Toronto, an independent researcher told an audience about a number of North Korean groups believed to be behind some attacks. In October, FireEye said it had detected and stopped spear phishing emails sent weeks earlier to U.S. electric companies “by known cyber threat actors likely affiliated with the North Korean government.”
In an opinion piece for Reuters written last month, Donghui Park, a Ph.D. candidate at the University of Washington’s Henry M. Jackson School of International Studies, and Jessica Beyer, the cybersecurity postdoctoral fellow at the school, argued that “North Korea has consistently used cyber attacks as a distraction from its nuclear program,” particularly targeting South Korea.
One goal of international penetration attempts, they said, is to let other countries know of North Korea’s capabilities, possibly to gain leverage in any negotiations about its nuclear program.
Park and Beyer believe cash-strapped North Korea, under international sanctions, is likely funding its nuclear program through ransomware and cyber attacks, including theft of cryptocurrency.
North Korea has some hacking teams that are “very talented,” said Swan. Judging by evidence in their code that was first seen from other sources, he added, some are being groomed by persons in Russia, China and Iran.
(NOTE: This story has been updated from the original with quotes from David Swan)