Canada Post is the latest victim of a supply chain attack that allowed hackers to capture the names and addresses of almost one million senders and receivers of packages over a three-year period.
The post office acknowledged this week that the breach was the result of a cyberattack on its electronic data interchange (EDI) solution supplier, Commport Communications, which manages the shipping manifest data of large parcel business customers.
Shipping manifests are used to fulfill customer orders. They typically include sender and receiver contact information on shipping labels, such as the names and addresses of the business sending the item and the customer receiving it.
In this hack, shipping manifests for 44 of the post office’s commercial users were copied. They contained information relating to just over 950 thousand receiving customers. Canada Post said that after a thorough review of the shipping manifest files it concluded the vast majority (97 per cent) contained only the name and address of the receiving customer. The remainder (3 per cent) contained an email address and/or phone number.
However, cyber experts note that crooks will use email addresses for spam, spear-phishing and impersonation attacks.
The attack appears to be the work of a relatively new ransomware group called Lorenz. According to British Columbia-based cybersecurity researcher Brett Callow of Emsisoft, Commport Communications is listed on the Lorenz breach site, with copies of allegedly stolen files claimed to have been posted on December 20, 2020.
However, Bleeping Computer quoted a researcher saying Lorenz only emerged in April. Callow said the ransomware’s code is based on the ThunderCrypt ransomware. There’s speculation that Lorenz is a rebrand of ThunderCrypt rather than a separate operation.
Canada Post says it was first notified of a possible problem last November. At that time Commport told Innovapost, Canada Post’s IT subsidiary, “of a potential ransomware issue.” Commport said then that “there was no evidence to suggest any customer data had been compromised,” according to the post office. Canada Post added it was only told last week by Commport that the manifest data it held between July 2016 and March 2019 had been compromised.
Commport was not immediately available for comment. A person who identified herself as an executive assistant said Thursday afternoon that officials are taking names and phone numbers of media for follow-up.
In an email, David Masson, Ottawa-based director of enterprise security for Darktrace, said the volume of data copied indicates that malicious activity had been going on for some time.
This attack is more evidence that complex digital supply chains “are a hacker’s paradise,” he wrote. “Canada Post is just the latest victim in what is a new era of cyber-threat, one where attackers exploit supply chain vulnerabilities to launch mass attacks with maximum return on their investment.
“These silent and stealthy attacks are virtually impossible to detect with traditional security tools and companies today must adopt a zero-trust policy when it comes to third-party suppliers. Perimeter defences won’t work – these attacks come from the inside. That’s why thousands of organizations today rely on cutting-edge technology like AI to identify the subtle indicators of this malicious activity wherever it emerges, and thwart it before damage is done.”
The increase in supply chain hacks speaks to the vulnerability of Canada’s critical infrastructure, said Rick Van Galen, a security engineer at Toronto-based 1Password.
“Until there are robust cybersecurity improvements – protecting credentials, regularly applying patches, adapting more system and design resiliency, ensuring suppliers are meeting the most basic security requirements, and regularly preparing and practicing incident response scenarios – these attacks will continue to have costly ramifications.
“This is a signal for governments everywhere that data protection requirements have changed and appropriate funding is required to support the ever-growing complexities of handling customer data.”
Commport, which began business in 1985, provides a wide range of supply chain management solutions for electronic commerce including electronic data interchange (EDI), value-added networks (VAN), and global data synchronization networks (GDSN).
There is no shortage of examples of third-party or supply-chain hacks, the most recent of which include SolarWinds and Accellion.