The National Security Intelligence Review Agency (NSIRA) is responsible for conducting national security reviews of Canadian federal agencies. On April 16, 2021, the Agency announced that it had suffered a ‘cyber incident’. An unauthorized party had accessed the Agency’s unclassified external network as part of that incident. The affected network did not contain Secret, Top Secret, or Top Secret SI information. In August 2021, NSIRA posted an update with additional details about the cyber incident that it had experienced.
I raised a number of questions about the nature of the Agency’s incident, and its implications, in a post I published earlier in 2021. In this post, I provide an update as well as some further analysis of the incident based on the information that NSIRA revealed in August 2021.
I begin by outlining the additional details that NSIRA has provided about the incident and juxtapose that information with what has been provided by the Canadian Centre for Cyber Security (CCCS) about the Microsoft Exchange vulnerability that led to NSIRA’s incident. I note that NSIRA (or the team(s) responsible for securing its networks) seems to have failed to either patch NSIRA’s on-premises Exchange server when the vulnerability was first announced, or they were unable to successfully implement mitigation measures intended to prevent the exploitation of the server. The result was employee information was obtained by an unauthorized party.
Next, I note the extent to which NSIRA’s update responds to the initial questions I raised when writing about this incident in April 2021. On the whole, most of the questions I raised have been answered to at least some extent.
I conclude by discussing the significance of the information that was exfiltrated from NSIRA, the likelihood that a nation-state actor either conducted the operation or now has access to the exfiltrated data, what this incident may suggest for NSIRA’s IT security, and finally raise questions about NSIRA’s decommissioning of its Protected networks.
NSIRA’s August 2021 announcement clarified that their on-premises Microsoft Exchange server was compromised, with the effect that unauthorized parties obtained copies of two files. The first included, “system and software configuration settings for one of NSIRA’s servers” and the second contained, “NSIRA’s active directory database.” This database included:
“…basic information on NSIRA’s network users to facilitate their connection to the IT network. This information generally consisted of an individual’s first and last name, their office and/or personal phone numbers, and their NSIRA email addresses, as well as a hash of current and previously used passwords. Individuals affected by the theft of the active directory database have been directly notified by NSIRA, with a few exceptions … The active directory database did not contain information about employees of other Government of Canada agencies nor about members of the public.”
The vulnerability that was leveraged was patched by Microsoft on March 2, 2021. The initial exploitation of that vulnerability has been attributed to operators linked with the Chinese government by Western governments and their foreign affairs departments and intelligence services. Since the patch was released the Canadian Centre for Cyber Security (CCCS)1 has provided numerous updates to the public about this threat activity.
- March 2, 2021: Malicious operators immediately began scanning vulnerable systems once Microsoft had issued its out-of-band patch. At the time, CCCS recommended disconnecting vulnerable systems from the Internet, adopting Microsoft guidance to determine compromise, and to patch where no compromise was found.
- March 5, 2021: While Microsoft provided interim mitigation techniques, CCCS recommended that organizations follow the advice provided on March 2. CCCS noted that patching or adopting interim mitigation solutions would not fully protect systems that had been previously compromised and, as such, again reiterated the need for organizations to assess whether they had been successfully targeted prior to Microsoft releasing their software updates.
- March 11, 2021: CCCS alerted the public that a new family of ransomware was exploiting this vulnerability, and that numerous proofs of concept leveraging the now-patched vulnerability were publicly circulating. Malware using the vulnerability was being used for ransomware as well as data exfiltration operations. The Centre also warned that they had reporting which indicated that Canadian organizations continued to be vulnerable to the Exchange exploit and, also, that some of these organizations’ systems had been further compromised.
- April 14, 2021: CCCS provided additional details of the effects of the vulnerability and warned that there was, “now a renewed risk of similar exploitation to that observed earlier in March 2021, for any systems that have not received the April 2021 updates.” 2
NSIRA’s August 2021 update to their cyber incident clarified that a third-party gained access to its non-classified networks, on a sporadic basis, between March 9 and March 19, 2021. In the “Useful Resources” section of their public announcement the Agency recommended that readers read Global Affairs Canada’s statement on Chinese cyber campaigns and information about the vulnerability that had been publicly provided by the CCCS. An analysis of NSIRA’s Protected networks by the CCCS led NSIRA to assert that while there was no evidence of improper access to, or exfiltration from, those networks the Agency could not, “fully exclude the possibility, however, that the threat actor may have improperly accessed other information stored on the Protected B network.”
In response to this exploitation, and in consultation with the CCCS, NSIRA has, “permanently decommissioned its Protected B network and related IT infrastructure” and stated it was collaborating with the Privy Council Office, Communications Security Establishment, and Shared Services Canada to ensure, “that its IT infrastructure reflects best-in-class IT security measures.”
Comparing NSIRA’s and CCCS’s Timelines
First, let us presume that security staff responsible for auditing NSIRA’s networks did accurately assess the duration of time when the Agency was affected. Assuming this is true, then the comparison of NSIRA’s and CCCS’s timelines suggest that the network security staff responsible for defending NSIRA’s Protected networks were unable to apply Microsoft’s emergency patches on March 2, and either did not apply the interim mitigation policies suggested by Microsoft when announced March 5 or that those policies were ineffective. Further, it is possible that the March 11 update from CCCS, in part, reflected knowledge or suspicion that NSIRA was amongst the Canadian organizations that had been successfully targeted by operators exploiting the vulnerability in Exchange.
In short, despite CCCS publicizing the dangers linked with the vulnerability and Microsoft having released patches and mitigation measures, NSIRA’s systems were not successfully patched nor did they have interim measures successfully deployed. The result was that sensitive employee information was lost to an unauthorized party.
Questions Partially Answered
In my earlier post in April 2021, I raised six questions that emerged from NSIRA’s brief initial statement that it had suffered a cyber incident. In what follows, I discuss the extent to which the Agency’s August update responds to those questions.
Who Notified NSIRA of the Unauthorized Access?
NSIRA’s update statement did not clarify how it came to realize that its Protected systems had become compromised. The statement did make clear that, “[u]pon discovery of the compromise in March, NSIRA worked closely with Shared Services Canada (SSC) and the Cyber Centre to contain the breach and restore the integrity of its systems”. This text did not, however, clarify whether NSIRA discovered the problem, and then brought in the CCCS and SSC, or whether one of those agencies (or another party entirely) identified the exploitation and then NSIRA worked with the CCCS and SSC to remediate the issue.
Which Agencies Were Assisting NSIRA Remediate the Issue?
NSIRA’s updated statement did make clear that the principle parties responsible for assisting in the remediation effort included the CCCS and SSC, and that the Royal Canadian Mounted Police, Privy Council Office, Office of the Privacy Commission of Canada, and Treasury Board Secretariat were all involved as well.
Why Were the Privacy Commissioner and Treasury Board Secretariat Involved?
NSIRA’s update did make clear that the Privacy Commissioner was brought in to specifically address privacy issues linked to the exploitation and loss of personal information, and that the Treasury Board was principally involved by way of being notified of the incident.
What Was the Timeline of Incident, Operator Linger Time, or Operators’ Intents?
The update from NSIRA did make clear the incident’s timeline (noted previously) as well as how long operators were believed to have lingered in, or utilized their access to, NSIRA’s Protected networks. There is no indication in NSIRA’s update of the expected, or imagined, intents of the operators’ activities.
What Provoked the Incident?
The update did make clear that the incident was the result of operators exploiting a known vulnerability in Microsoft systems. It did not make clear why this was an avenue of exploitation multiple days following the announcement by Microsoft and CCCS about the need to apply defensive measures.
How Did the Incident Affect NSIRA’s Operations?
The update was unclear on how NSIRA’s operations were affected, though presumably decommissioning their Protected B network had some effect on the Agency’s operational tempo. The effects, or lack thereof, of this incident on NSIRA’s ability to build trust with organizations it reviews were (unsurprisingly) not addressed.
Implications of the Exfiltration of NSIRA Employees’ Personal Information
As it stands, today, an unauthorized third-party has previously gained access to a range of sensitive personal information about all NSIRA employees. As noted by NSIRA, this party exfiltrated:
“…information generally consisted of an individual’s first and last name, their office and/or personal phone numbers, and their NSIRA email addresses, as well as a hash of current and previously used passwords.”
It is noteworthy, to start, that many employees of NSIRA have incredibly privileged access to Canada’s most sensitive national security information. They require this access in order to conduct reviews and ensure that members of the intelligence and national security communities are operating within their mandated scope and are compliant with Canadian law. However, the extent of this access means that some NSIRA employees would potentially make exceptionally valuable agents for foreign intelligence and national security agencies.
The information that has been exfiltrated could potentially be useful to a motivated and well-resourced threat actor. With an individual’s first and last name, along with their personal or professional work contact information, intelligence collectors could subsequently use open and closed source methods to link NSIRA staff with broader catalogues of personal information that threat actors have assembled. 3 The risk is that a motivated and well-resourced actor might be able to develop, or enrich, dossiers about NSIRA staff using the exfiltrated employee information.
Further, any NSIRA employee who’s private mobile phone number was exfiltrated will now be at heightened risk of having their personal accounts compromised should they have enabled SMS-based Two Factor Authentication (2FA) to protect these accounts.4 It is notable that many of Canada’s banks rely on SMS- or email-based implementations of 2FA , and most major online platforms (e.g., Google, Facebook, etc) permit individuals to use SMS as their second factor. Using a number of illicit but easy-to-use techniques, motivated operators could obtain those SMS-based codes and gain entry to individuals’ personal accounts. Having done so they could collect compromising material (in the interests of developing agents), deepen existing portfolios of NSIRA staff, or collect information from personal accounts in the hopes of facilitating targeted spearphishing attacks against either NSIRA employees or other individuals in their professional or personal orbits.
Furthermore, NSIRA employees may be at heightened risk when they travel domestically or internationally as a result of threat actors potentially having enriched dossiers about them. Knowing someone’s personal phone number means that it is relatively easy to assess where someone is physically located in the world, meaning that motivated operators could conduct surveillance of domestic movements as well as foreign travels. In the latter case, depending on where NSIRA employees are travelling, adversaries might have enhanced opportunities to tamper with digital devices that employees carry with them, conduct physical surveillance, or otherwise engage in threat activities towards NSIRA employees. Furthermore, with a phone number in hand it is possible for well-resourced actors to use remotely installed malware to gain presence on an employee’s device(s) in order to conduct surveillance meant to advance the adversary’s interests.
CCCS did not identify activity on NSIRA’s Protected B network and, as such, does not assess that an operator has gained access to the wider pools the Protected information with which NSIRA is entrusted. However, CCCS also could not perfectly rule out that such access did not occur. As such, while of diminished probability,5 the following information may have also been compromised:
- Personal information about other employees of the Government of Canada that NSIRA interacts with, including the names and identities of persons in the national security space;
- Information about complaints that have been made to NSIRA about potentially problematic practices alleged to have been undertaken by national security agencies in Canada;
- Recent job applicants, inclusive of their CVs, which might indicate their expertise and potentially reveal domain knowledge or administrative capacity that NSIRA is attempting to fill;
- Individuals noted in security clearance forms;
- Contact information and correspondence linked with NSIRA’s outreach with academic and NGO communities; and
- Personal information about individuals who have contacted NSIRA.
Who is Responsible for NSIRA’s Cyber Incident?
NSIRA, in its update, directed readers to a July 2021 statement from Global Affairs Canada which condemned the Chinese government for its deliberate efforts to massively exploit the Microsoft Exchange vulnerability that is at the heart of NSIRA’s cyber incident. This may, perhaps, indicate that NSIRA or the Government of Canada more broadly believes or suspects that Chinese operators are behind this intrusion and exfiltration. This said, and as pointed out by Tyler McLellan, another actor is as or more likely to have been responsible for this incident.
When NSIRA suffered its incident, the CCCS had already recognized that there were multiple non-Chinese operators that were beginning to take advantage of the vulnerability that Microsoft had revealed in the process of issuing their patch. Put another way, with the patch in the public domain operators raced to reverse engineer the vulnerability to exploit it in on-premises Exchange servers that had either not yet been patched or had not successfully deployed mitigation measures. The result is that while a Chinese operator may have exfiltrated the information from NSIRA it is also possible that a separate state or non-state actor was responsible for the cyber incident. While foreign intelligence operations undertaken by the Communications Security Establishment (CSE) or activities undertaken by the Canadian Security Intelligence Service (CSIS) may reveal the party that is definitively responsible for the exfiltration, it is equally possible that the responsible threat actor will remain unknown for the foreseeable future.
So, what does this mean in terms of the threat actor who exfiltrated the information about NSIRA’s employees? Barring additional intelligence, it is likely fair to presume that NSIRA’s employees are known by name, phone number, and other identifiers to a foreign actor and their operators. Should the Chinese government be responsible then at least the Government of Canada and NSIRA can plan intentional mitigation and protective measures. If, however, the operators or threat actor remains unknown then the government and the Agency might plan for the worst and simply assume that some motivated and well-resourced adversary has the information and, as a result, adopt a broader but less specific defensive posture for NSIRA staff.
Without knowing the threat actors behind the operation, however, it becomes more challenging to assess the risks to employees: will the actor and their operators just delete the data if they are engaged in criminal behaviours but do not believe the collected information has value for their criminal endeavours? Or might the information be of interest, with the hopes of turning an employee of NSIRA into an informant a la Cameron Ortis? Alternately, could a criminal actor try to sell the NSIRA employee information to adversarial government agencies, with the potential result that multiple adversarial parties might know who is employed at NSIRA and potentially have information that can be used to conduct remote surveillance of them, and potentially also gain access to some of their digital accounts?
All of the aforementioned possibilities presumes a degree of intentionality on the part of the threat actor and their ability to maintain control of the information that has been exfiltrated. It is possible that this was a random smash and grab operation, and that the collected information will just end up in one of the many massive archives of personal information that are trafficked on the Dark Web. If so, then NSIRA employees’ information will be widely accessible to a randomized assortment of operators and threat actors around the world. Further, if the threat actor cannot maintain the security of the exfiltrated information then other actors may access it without the knowledge of whomever first extracted the employee information.6 Should this be the case, it would be possible for the party responsible for exfiltrating the information–imagine a criminal actor–to have lost control of the information on the basis that a government agency–say the Chinese, Russian, French, or Israeli intelligence services–possesses secret access to wherever the data was exfiltrated. In such a scenario, the number of organizations that might have NSIRA employees’ information may be largely unknowable.
In effect, while the information that NSIRA knows that it has lost was ‘only’ Protected information, this information can have significant value in the hands of a moderately well-resourced actor. It remains to be seen what, if any, effect(s) will follow from NSIRA’s loss of its employees’ information.
This cyber incident has likely heightened the risks facing NSIRA employees and particularly those who are involved in review processes or who otherwise have access to significant volumes of Secret, Top Secret, and Top Secret SI information, or operational information about NSIRA itself. The extent of that risk, however, remains murky given that neither NSIRA or other branches of government have positively confirmed the party responsible for the incident. It is possible that the responsible party remains unknown.
The incident also raises significant questions about how NSIRA secures it systems and why there was a meaningful time delta between when the vulnerability was publicly disclosed, and patch and mitigation measures made publicly available, and the Agency’s on-premises Exchange server(s) being successfully exploited. Were NSIRA staff, or parties responsible for securing their Protected network, unable to maintain a needed patch tempo? Were the mitigation measure insufficient and, if so, why? To be clear, these questions are not meant to assign blame to individual staff members within the government, per se, but instead to demonstrate that serious questions remain around the ongoing operational security of NSIRA’s organizational activities, as well as those of other Government of Canada agencies that also handle sensitive files.
Further, NSIRA’s decommissioning of its Protected networks raises the question of what will replace these systems. Will they be maintained by Shared Services Canada and protected, in part, by the Canadian Centre for Cyber Security (both of which may prospectively be reviewed under NSIRA’s mandate) or will some other arrangement be created? And who was ultimately responsible for the failure to adequately secure these systems prior to experiencing the cyber incident; does accountability lay with NSIRA, Shared Services Canada, or the Cyber Centre, or some other party entirely? The response to this question is important in order to develop lessons learned and ensure that appropriate measures are put in place to prevent similar incidents from occurring again in the future. Furthermore, a more substantive (and at least semi-public) after-action report of the incident, and how similar incidents are meant to be avoided, may enhance general public trust in NSIRA’s abilities to securely fulfil its mandate.
In conclusion, NSIRA’s cyber incident has received little attention in the media. Nevertheless, the loss of its employees’ information could have significant implications for its staff and, by extension, Canada’s national security. While the incident is seemingly just another in a daily deluge of security breaches and cyber incidents, that it affected a sensitive part of government merits consideration, as does how to best protect and support NSIRA’s staff now that they may be experiencing a heightened threat risk.
- The Canadian Centre for Cyber Security is a significantly public-facing side of Canada’s foreign signals intelligence agency, the Communications Security Establishment. ↩︎
- CCCS did not explain in their public-facing post why there was a renewed risk from this vulnerability, though it can likely be explained by additional operators leveraging it to conduct non-state operations, inclusive of criminal data exfiltration and ransomware activities. ↩︎
- In the United States, there is a serious concern that the CIA and other individuals operating in the national security space have been significantly compromised as a result of the exfiltration of records from private health insurers, hotel chains, travel companies, and so forth. ↩︎
- The National Institute of Standards and Technology (NIST) has deprecated SMS-based 2FA, though this is not the same as outright banning its use in American federal environments. SMS-based 2FA remains an effective way for impeding bot-based account breaches though for anyone with even a marginal security risk–inclusive of just being an influencer online or someone who communicates strong opinions online–would be well advised to adopt a software application that generates one-time passwords or rely on a hardware token as their second factor. ↩︎
- In future reporting, it would be helpful for NSIRA or partners who assess security breaches to assign a public confidence rating to their conclusions so that the public can better understand the likelihood that certain information was exfiltrated or that operations were carried out with one goal or another. ↩︎
- In national security spaces this is sometimes referred to as ‘fourth party collection’, where one agency (‘Agency A’) obtains access to information without being aware that they have been compromised by another (‘Agency B’), such that intelligence that the first agency is collecting may be being secretly copied by the second. ↩︎