Canadian Cyber Centre publishes Baseline Cyber Threat Assessment, predicting increased cybercrime activity

The Canadian Centre for Cyber Security (Cyber Centre) published Monday its Baseline Cyber Threat Assessment on Cybercrime, with support from the Royal Canadian Mounted Police (RCMP), to inform cyber security professionals and Canadians about the threat to Canada posed by global cybercrime. In this assessment, the Cyber Centre addresses cybercrime’s early history, the development of the most significant cybercrime tactics, techniques and procedures (TTPs), and the nature of the global cybercrime threat and its implications for Canada.

In its report, the agency assesses that cybercrime activity in Canada will very likely increase over the next two years. So long as cybercriminals can extract financial profit from Canadian victims, they will almost certainly continue to mount campaigns against Canadian organizations and individuals. Moreover, cybercriminals continue to show resilience and an ability to innovate their business model to remain profitable.

“To this end, cybercriminals will continue to evolve new TTPs, including targeting more small- and medium-sized organizations, in order to avoid attention-grabbing higher profile attacks. Cybercriminals, in our judgment, will also very likely adapt to disruptive geopolitical events, such as the Russian invasion in Ukraine,” the Cyber Centre report said. “For example, the international sanctions on Russia’s banking system, along with recent international law enforcement actions against cybercrime forums and measures taken by the Russian government to control its Internet infrastructure more tightly, have prompted Russia-based cybercriminals to pursue workarounds to transfer funds between Russia and other countries, either through novel means or by recalibrating existing cash-out methods.”

The prevailing model of RaaS has demonstrated its sophistication and resilience, even in the face of heightened international scrutiny and law enforcement action, the report added. “For example, DarkSide, the ransomware organized cybercriminal group responsible for the Colonial Pipeline disruption, rebranded into BlackMatter and later ALPHV following increased scrutiny from Western law enforcement. Over the next two years, we assess that cybercrime will very likely remain a national security concern for Canada.”

The report highlighted that ransomware is almost certainly the most disruptive form of cybercrime facing Canada because it is pervasive and can have a serious impact on an organization’s ability to function. “We assess that organized cybercrime will very likely pose a threat to Canada’s national security and economic prosperity over the next two years. Organized cybercriminal groups can impose significant financial costs on their victims. These groups often have planning and support functions in addition to specialized technical capabilities, such as bespoke malware development,” it added. 

“Cybercrime is a growing threat to Canada and one the Cyber Centre takes very seriously. As cybercrime activity continues to rise, we must take the necessary measures to mitigate the risks,” Sami Khoury, head of the Canadian Centre for Cyber Security, said in a media statement. “The good news is that even the most basic cyber security measures can help prevent cyber incidents. We encourage Canadians and Canadian organizations to engage with us to obtain trusted advice and guidance on cyber security. Collaboration at all levels is key as we work to minimize the impacts of cybercrime in Canada.”

“The National Cybercrime Coordination Centre works with police and partners to reduce the threat, impact, and victimization of cybercrime in Canada,” according to Chris Lynam, director general of the National Cybercrime Coordination Centre and Canadian Anti-Fraud Centre. “As a result of our work, we see the evidence and consequences of both basic and advanced cybercrime attacks every day. All Canadians should understand what is outlined in the new Baseline Cybercrime Threat Assessment so they can join police and partners in combatting cybercrime through prevention, awareness, reporting, and recovery planning.”

The Canadian agency also assessed that over the next two years, financially motivated cybercriminals will almost certainly continue to target high-value organizations in critical infrastructure sectors in Canada and around the world. It also assessed that Russia and, to a lesser extent, Iran very likely act as cybercrime safe havens from which cybercriminals based within their borders can operate against Western targets.

The Cyber Centre maintains a database of ransomware incidents affecting Canadian victims. Based on incident data from Jan. 1 to Dec. 31, 2022, the top 10 ransomware threats to Canada are LockBit, Conti, BlackCat/ALPHV, Black Basta, Karakurt, Quantum, Vice Society, Hive, Royal, and AvosLocker. Most of these ransomware variants are maintained by financially motivated, Russian-speaking cybercriminals based in CIS countries.

“We assess that Russian intelligence services and law enforcement almost certainly maintain relationships with cybercriminals and allow them to operate with near impunity,” the report said. “They do so as long as cybercriminals focus their attacks against targets outside of the Commonwealth of Independent States (CIS). The CIS currently consists of Russia, Belarus, Moldova, Armenia, Azerbaijan, Kyrgyzstan, Kazakhstan, Tajikistan, and Uzbekistan.”

The agency outlined that ransomware has become one of the most devastating types of cybercrime, impacting individuals, businesses, and government agencies. “Successful cybercriminals in the ransomware industry can rapidly develop and adapt their malware to capitalize on evolving global, national, or regional contexts and the resultant changes in the vulnerabilities of target organizations. Many of them operate from safe havens, countries which willingly turn a blind eye to, or are unable to interrupt, cybercrime within their borders,” it added.

“Today, ransomware attacks often use the double extortion tactic. Before encrypting, ransomware actors will exfiltrate files and threaten to leak sensitive information publicly if the ransom is not paid,” the report identified. “Some cybercriminals have moved beyond double extortion tactics to conduct triple or quadruple extortion to maximize the chance their victims will provide payment. These attacks use additional techniques such as threatening an organization’s partners or clients, and distributed denial of service (DDoS).”

The agency highlighted the predominant business model of ransomware called ‘ransomware-as-a-service’ (RaaS), which starts with a core group developing the ransomware itself. “They then let contractors, known as ‘affiliates,’ use their ransomware to attack victims. The core group often handles the malware development, sets rules for target selection (such as avoiding targeting certain institutions or countries), oversees affiliate activity, carries out negotiations, and accepts ransom payment,” it added.

Affiliates are often responsible for gaining access to victim networks, ensuring the collection of data, locating data backups, and deploying the ransomware. Often, affiliates take a large cut of the proceeds, sometimes up to 80 percent. These are not hard-and-fast rules, and they can change depending on the group.

Beyond solely financially motivated cybercrime, the Cyber Centre has observed some cases where state-sponsored cyber threat activity and cybercrime overlap. This activity ranges from state-sponsored threat actors tasking cybercriminals to achieve strategic goals or fulfill intelligence requirements, to state-sponsored cyber actors engaging in cybercrime outside of their official capacity in pursuit of personal profit.

“We assess that Russia and, to a lesser extent, Iran very likely act as cyber-crime safe havens from which cybercriminals based within their borders can operate against Western targets,” the Canadian agency reported. “We further assess that both Russian and Iranian state-sponsored cyber threat actors will use ransomware to obfuscate the origins or intentions of their cyber operations.”

The Cyber Centre said that it assesses “that Russian intelligence services and law enforcement almost certainly maintain relationships with cybercriminals and allow them to operate with near impunity. They do so as long as cybercriminals focus their attacks against targets located outside Russia and CIS countries. Consequently, many of the most sophisticated and prolific cybercriminals are Russia-based. In 2019, the US Department of Justice indicted the leader of the Russia-based EvilCorp cybercriminal group for providing direct assistance to the Russian Federation’s malicious cyber efforts.” 

It added that in April 2021, the US Department of the Treasury stated that the Russian Federal Security Service cultivates and co-opts cybercriminals, including EvilCorp, enabling them to engage in disruptive attacks.

“Since the Russian invasion of Ukraine in February 2022, several Russian-speaking organized cybercriminal groups have come out publicly either in support of Russia or against its enemies,” the report detailed. “Regardless of their motivations, we assess that any escalation in cybercriminal activity against Ukraine, NATO, or the European Union very likely benefits Russia’s strategic goals in Ukraine.”

For example, the Canadian agency added that in late January 2022, incidents at two subsidiaries of the German oil transportation company Marquard & Bahls and an unrelated ransomware incident at the ports of Amsterdam, Rotterdam, and Antwerp in the Northwest Europe refining hub market caused significant disruption in the delivery of oil products in parts of continental Europe, potentially worsening the existing energy crisis caused by Russia’s then-imminent invasion of Ukraine.

In November 2022, vendor reporting attributed the Prestige ransomware campaign, which targeted organizations in the transportation and related logistics industries in Ukraine and Poland, to Russian military intelligence cyber actors, the report pointed out. 

“In June 2017, cyber threat actors launched destructive cyber attacks masquerading as ransomware, dubbed NotPetya, against Ukraine that quickly proliferated globally, causing over CAN$10 billion in global damages. Canada has assessed that Russian actors developed the NotPetya ransomware. Australia, New Zealand, the United Kingdom, and the US assess that Russia was directly responsible for the June 2017 attack.”

The Cyber Centre report also detailed that the relationship between Iran-based cybercriminal groups and Iranian intelligence remains unclear. For example, Iran-based cybercriminals have been observed carrying out ransomware attacks and website defacements against targets in the US, Israel, and the Gulf States in response to major geopolitical events such as the killing of Islamic Revolutionary Guard Corps (IRGC) commander Qassem Soleimani in 2020. However, while the US, Israel, and the Gulf States are Iran’s main geopolitical rivals, they are also relatively wealthy countries that provide financially motivated Iranian cybercriminals with lucrative targets to attack and exploit.

“Despite this uncertainty, we assess that the Iranian state likely tolerates cybercrime activities by Iran-based cybercriminals that align with the state’s strategic and ideological interests, and provides a haven to individuals that have been indicted by foreign law enforcement authorities, possibly recruiting talented cybercriminals to join the intelligence services,” the report said. “However, Iranian law enforcement authorities almost certainly pursue and punish Iran-based cybercriminals that are suspected of targeting domestic victims.”

According to third-party industry reporting, between late July 2020 and early September 2020, Iran’s IRGC operated a state-sponsored ransomware campaign through an Iranian contracting company. It mimicked the TTPs of financially motivated ransomware groups to avoid attribution and maintain plausible deniability.

The agency assessed that cybercriminals are likely to continue compromising Managed Service Providers (MSPs) and software supply chains to maximize the number of potential victims and profits per compromise. “Cybercriminals conducting operations against these types of targets are financially motivated and either seek to exfiltrate commercially valuable information for sale, extort victims through the deployment of ransomware, or deploy cryptojackers (malware that “mines” cryptocurrency using the resources of an infected device).”

Cybercriminal supply chain compromises are particularly concerning given the lack of discrimination in their targeting, the report added. “Supply chain compromises have the potential to expose a wide cross-section of organizations to business disruptions, including elements of critical infrastructure such as schools, hospitals, utilities, and other typical Big Game Hunting targets.”

Commenting on the report, Tom Kellermann, senior vice president of cyber strategy at cybersecurity company Contrast Security, wrote in an emailed statement that “The Pax Mafiosa within Russia is thriving. The protection racket between the regime and cybercrime cartels began in 2013 and serves to offset economic sanctions. There is a Silicon Valley of the East and it exists in St. Petersburg, Russia.”

In June, the Canadian agency warned its oil and gas sector that medium- to high-sophistication cyber threat hackers are likely to consider striking organizations indirectly by initially targeting the supply chain. The agency also expects an even chance that Canada’s oil and gas infrastructure would be affected by cyber activity against U.S. assets due to cross-border integration.
