A link copied from the Resort Municipality of Whistler’s (RMOW) website—posted by cyber criminals in the wake of a late April ransomware attack—pasted into a specialized browser called Tor takes me to a no-frills blog.
The page shows various text-based posts with accompanying dates, and in some cases links to click on, each containing files leaked from different attacks by the criminals in question.
In some cases, the attackers include a link to a chat box that can be used to communicate with them directly.
They never take long to reply, but they’re not very forthcoming with their answers.
An ominous message posted to the RMOW website after the attack claimed that 800 gigabytes of information was obtained in the April 28 attack on the RMOW.
On May 15, about 82 GB of Whistler data was posted to the group’s site—internal server files allegedly containing the sensitive information of more than three dozen municipal employees, all of it in a folder the criminals labelled “trash.”
The folder name is noteworthy.
“Publish all trash which we does not need,” the criminals say in one chat session, in stunted English.
“All other data was sold.”
Pressed on what exactly they obtained from Whistler, and what was sold, they reply simply: “We do not discuss auction details sorry.”
Experts say there’s no way to say for sure if they’re telling the truth about selling Whistlerites’ data at auction (they are criminals, after all).
“These are criminal organizations. They don’t always tell the truth,” says Brett Callow, threat analyst with Emsisoft, a cyber security company with a particular expertise in ransomware.
“There are cases where they will claim to have more data than they actually do. There are also, however, cases where they have exactly what they claim to have, so there really is no way of knowing.”
The link to the dark web site wasn’t live on the RMOW’s municipal website for long on the morning of April 28, but it was up long enough to be screenshotted and posted to two popular Facebook groups—posts that can still be found today, link and all.
But by their own admission, the hackers—believed to be a group known as HelloKitty—didn’t get much uptake on their site specific to Whistler’s data.
“ah 3-5 in day… this blog is not so popular…” they admit in one back and forth.
It’s likely that most Whistlerites don’t know how to access the site on the dark web, I say.
“Do they need it? They just live,” the hacker says, getting oddly philosophical, before adding: “live with stupid government :-D.”
In the view of the criminals, the RMOW is “stupid” for not engaging with them, and paying their ransom demand (the amount of which they declined to disclose in chat)—but experts say that is absolutely the right move in these situations.
“[Paying the ransom] doesn’t guarantee they will get their data back, it doesn’t guarantee that the criminals will not misuse whatever data was stolen, and of course it simply incentivizes the cyber crime,” Callow says.
In a release on July 8, the RMOW confirmed it had not engaged with, or sent any payment to, the hackers.
In the days and weeks following the appearance of the RMOW’s data online, other victims follow: an investment firm, a network provider, a skincare company.
The organizations appearing on the group’s news page don’t show the complete extent of their crimes, they say—just those who refuse to talk to them.
According to a recent survey of 510 cyber security decision-makers by the Canadian Internet Registration Authority, almost one in five organizations were victims of a successful ransomware attack in the past 12 months. Of that group, 69 per cent said they paid the ransom demands.
In June, the leak site went offline for good—while the RMOW was left to deal with the fallout.
A TORPEDO TO THE HULL
The attack on Whistler did major damage.
Municipal services were taken offline immediately, and stayed down for weeks.
The municipality—already dealing with the stress and strain of the COVID-19 pandemic for months—was left reeling.
“We managed to keep the boat afloat [through COVID], and then we took another torpedo right into the hull,” said Councillor John Grills, in describing the attack.
Email and phone services were out of commission, leaving staff and council to communicate solely by text.
Staff at municipal hall were forced to revert to old paper processes, and an already overworked planning department was further buried as the broader Whistler community—and all of its expectations for service—carried on around it.
“When I think about the cyber attack and the pandemic, I would say the cyber attack was worse than the pandemic,” says Coun. Ralph Forsyth, who sits on the RMOW’s Technology Advisory Committee (TAC).
“Because the pandemic, it was like, OK, well everyone is experiencing this … whereas the cyber attack was like, man, it’s just us—what are we doing? How do we get out of this?”
The answer was a complete rebuild of the municipal network “from scratch or near-scratch to ensure resiliency against known future cyber threats going forward,” the municipality said in a June 14 release.
The total cost—both direct and indirect, as well as how much will be covered by insurance, and how much will fall to taxpayers—is still not known as of this writing.
On Nov. 12, the RMOW said total costs are still being calculated, but “so far, the bulk of costs … have been covered by the RMOW’s insurance.”
A Dec. 22 presentation to the TAC “will entail an overview of the key findings by the cybersecurity experts as well as best practices and learnings to share with the member representatives going forward,” a spokesperson said.
In the June 14 release, the RMOW said, “experts leading the investigation believe that access to the RMOW’s network was the result of a zero-day vulnerability.”
On May 13, Pique reported on the zero-day vulnerability found in SonicWall VPN, a service used by the RMOW. (A zero-day is a vulnerability that is either previously unknown to the developer, or known but for which a patch has not yet been developed.)
Cyber security experts from a firm called FireEye documented the vulnerability in a blog post on April 29, noting that a patch was released to fix the problem in February.
On Nov. 12, the RMOW confirmed it installed the patch in mid-February.
According to Richard Rogerson, founder and managing partner of Ontario-based cybersecurity firm Packetlabs, VPNs, or virtual private networks, have left many organizations ripe for the picking in the early days of the COVID era.
“What we’ve seen is, in the rush to work from home, we’ve left a lot of our VPNs open,” he says.
“A lot of organizations, in the rush to stay open and to enable the remote workforce, they’re leaving the door open to attackers.”
As of Nov. 12, 69 of 82 services disrupted by the attack were fully recovered, the RMOW said.
“The remaining nine services, however, primarily consist of software for which there is no current support or security updates being provided,” a spokesperson said.
“These services will need to be replaced with current software equivalents with accompanying security updates and support in order to be reestablished.”
The RMOW expects to move from “recovery” mode back to “regular operational” mode by the end of November.
A GROWING EPIDEMIC
But Whistler is not alone—ransomware attacks have proliferated in recent years, with more municipalities, businesses, educational institutions and even hospitals falling victim every day.
According to a study by Emsisoft, ransomware caused hundreds of billions of dollars in economic damage in 2020 alone, while the average ransom demand grew by more than 80 per cent.
So far in 2021, “unfortunately, the ransomware problem isn’t going away and attacks are happening at much the same rate as ever,” Callow says on Nov. 1. “In the last couple of days, the Toronto Transit Commission has been hit and the [Newfoundland and Labrador] health system is experiencing a cyber attack which sounds very much like ransomware.”
One cybersecurity expert told CBC News that the attack on the Newfoundland and Labrador health system may be the worst in Canadian history, and has implications for national security.
The list of victims is long and growing.
A ransomware attack on the City of Saint John, N.B. in late 2020—in which the attackers reportedly asked for between $17 and $20 million worth of Bitcoin—cost the city $2.9 million.
Insurance covered most of the costs, but taxpayers were on the hook for $400,000.
The Regional District of Okanagan-Similkameen was similarly targeted in the summer of 2020, though the district says the attempted breach caused a system crash, booting the attacker before sensitive data could be taken hostage.
(Pique requested interviews with both governments; both declined comment.)
According to Rogerson, whose company provides “ethical hacking” services like penetration testing to ensure robust security measures are in place, the rise in ransomware can be traced back, in part, to insurance companies.
“Part of the ransomware epidemic that we have is that a lot of it has been fuelled by insurance. It’s the cheapest path forward … The quickest path to recover your data is just buying the key that unlocks it,” he says.
“And that’s the struggle, is now our insurance companies are funding organized crime.”
Interview requests to the Municipal Insurance Association of BC were not answered before Pique’s deadline.
Over the past decade, Packetlabs has worked with hundreds of different organizations to shore up their security, including governments at all levels.
What stands out to Rogerson is the lack of funding for proper security.
“We’ve spoken to so many in the municipal government space that can’t get funding for a pen (penetration) test, and a pen test is where we would be able to discover the vulnerabilities in their environment,” he says.
“So a lot of the municipalities are just sitting ducks.”
Asked what kind of security measures were in place prior to the attack, and if it took proactive measures like penetration testing, the RMOW said on Nov. 12 that it was proactive “as per industry best practices.”
In the case of Saint John, the $3-million price tag likely could have been averted with a $25,000 to $50,000 pen test, Rogerson says.
“The insurance company paid for a lot of that, but it’s like we’re playing chicken,” he says.
“We’re on the road racing towards another car and waiting for something to happen, hoping it doesn’t, but we’re not proactively taking a stance to avoid something like this from happening—we’re just waiting.”
It should be pointed out that companies like Rogerson’s stand to profit from proactive cyber security measures, but he also has a point: spending more on security would keep insurance companies out of the equation, and in turn funnel fewer funds to organized crime.
But for many municipalities across Canada, the funding simply isn’t there.
The Canadian government has programs to assist businesses with cyber security, Rogerson says, adding that the same assistance should be provided to local governments.
“Let’s assess our own municipalities with the same thing we’re recommending small, medium and large businesses to do; and not to say that that isn’t happening, but I don’t think it’s consistently applied across all municipalities,” Rogerson says.
“There’s certain municipalities that have a more significant budget, but there needs to be some provincial or federal oversight to ensure that we’re doing a lot of the right things, and today I don’t think that that is the case.”
Though the page run by the criminals responsible for Whistler’s data breach went offline in June, the criminals themselves remain active.
On Oct. 28, the FBI issued a release about the HelloKitty group, noting that they were first observed in January 2021, and are known to exploit vulnerabilities in SonicWall products.
The criminals “aggressively apply pressure to victims typically using the double extortion technique,” the FBI said. (The double extortion tactic involves stealing information and encrypting it before demanding payment for decryption.)
“In some cases, if the victim does not respond quickly or does not pay the ransom, the threat actors will launch a Distributed Denial of Service (DDoS) attack on the victim company’s public facing website.”
HelloKitty actors demand payment in Bitcoin “that appear tailored to each victim, commensurate with their assessed ability to pay it,” the release continued.
“If no ransom is paid, the threat actors will post victim data to [the dark web] or sell it to a third-party data broker.”
Callow and Emsisoft have continued to track the group’s activities, and they “do not seem to be running a leak site,” he says.
“That said, data they obtained in another incident ended up on another gang’s leak site, so it seems they have working relationships with other cybercriminals.”
Further, certain groups seem to be selling stolen data on third-party auction sites.
“Why release it for free when you can make some money from it? So it’s possible Whistler’s info has been sold somewhere and just not noticed. Impossible to say.”
The value of a credit card on the black market is about $4 to $6, Rogerson says. But paired with more identifying info, the cost goes up.
“It would be a lot more valuable, because for the attacker, they can make better use of it,” he says, noting that compromised credit cards are eventually flagged as such, becoming worthless.
“Whereas if they have enough information to get a new credit card, well that’s going to be more valuable to the attacker.”
While the criminals could very well be lying about having sold Whistler’s data, it’s better to be safe than sorry.
The public should remain vigilant, Rogerson says, and review their financial statements and credit card statements regularly.
“They should also be reviewing Equifax-type reports to see if there was any new credit-card products … Having enough information to really forge your identity, they may be getting to the point where they could take out CERB in your name, right?” he says. (As of August 2020, the Canadian Anti-Fraud Centre said there were more than 700 cases of identity theft linked to the Canada Emergency Response Benefit, or CERB.)
“If it has been sold—and who knows if that is the case—someone bought it for a purpose. There’s a reason behind it; they want to make use of that information.”
THE ABSENCE OF EVIDENCE…
More than six months after the attack, the RMOW has told Whistlerites very little about its extent.
According to Callow, it’s not very often that the full details of such attacks ever become public.
In August, the RMOW sent a letter to all former employees stating something Pique reported three months earlier: the personal drives of 38 employees were leaked on the dark web after a ransomware attack in late April.
The letter was shared with Pique by several former employees.
“We can now confirm that HR related files for all current and former employees (who were employed up to the date of incident) were on those P-drives,” the letter read, in part.
When Pique reported on the leak in May, the RMOW launched a lawsuit against the paper, seeking unsuccessfully to restrict what Pique could publish about the ransomware attack. The RMOW argued that it was seeking to protect the privacy of its staff, and alleged in its court filings that it did not have detailed knowledge of the data available on the dark web.
In the BC Supreme Court on May 21, RMOW lawyer Paul Hildebrand argued certain information published by Pique might “whet [the] appetite” of would-be criminals, who might then seek out the information on the dark web.
“We just don’t want information on the internet that might provide an incentive and encouragement to others to go try and find this information…” he said in court.
Supreme Court Justice Sandra Wilkinson declined the RMOW’s request for a temporary order restricting the newsmagazine’s coverage. Referring to the injunctive relief the RMOW requested, Wilkinson said: “I have serious concerns about the precedent that this sets.”
The RMOW walked away from the lawsuit in July.
Since Day 1, local officials have said repeatedly “there is no evidence” that the private information of local residents and businesses was compromised (outside of the admission, in the letter sent out in August, that employee files had been compromised).
That may well be true, but cyber security experts have a phrase they like to use when officials make such claims: absence of evidence isn’t evidence of absence.
It could be that the RMOW’s servers were so mangled by the attack that it’s impossible for them to definitively state personal data was stolen, experts say.
Time and again, representatives from other organizations have made the same claim only to be proven wrong down the line.
Like when eHealth Saskatchewan’s servers were hit with ransomware in early January 2020, and officials confidently stated there was “no evidence” confidential patient info was accessed… until the following month, when it discovered some of its files had been sent to suspicious IP addresses in Europe.
Or when officials in Prince Edward Island reassured the public they had “no reason to believe” personal information was impacted in a Feb. 2020 malware attack, only for said personal information to show up on a ransomware gang’s leak site in March.
Or when the City of Torrance, Calif., issued a statement saying “public personal data has not been impacted” following a March 2020 cyber attack before having to apologize and walk back the statement when leaks proved otherwise.
In Whistler’s case, “if they don’t have sufficient logging, they’re not going to have evidence to say that something has happened, and the real challenge here is that absence of evidence is not evidence of absence,” Rogerson says.
“So just because you didn’t find something is there didn’t mean there wasn’t something to be found. It just means you weren’t capable of even seeing it.”
Pique submitted an expansive Freedom of Information request to the RMOW in August, seeking correspondence related to the attack and details about the legal action against the paper (as well as how much the legal action cost taxpayers).
In late September, the RMOW responded, estimating the necessary search time for the requested records at 120 hours, with a processing fee of $3,510. A municipal staffer also referred to several sections of the Freedom of Information and Protection of Privacy Act, saying that, “with nearly 100-per-cent certainty, nothing will be released” of the info requested.
Pique submitted a scaled-back FOI request on Sept. 22, focusing specifically on the costs and details of the lawsuit against the paper. The RMOW responded with an estimated search time of 17.5 hours and a total cost of $435.
Pique requested an exemption from the charge, arguing the information is in the public interest, which the RMOW granted on Nov. 5.
In a Nov. 5 letter to Pique, the RMOW extended the deadline for collection of the necessary records to Jan. 6, 2022, adding that when it does release the records it “will be electing to withhold the responsive records under a number of FOIPPA exceptions,” but Pique can appeal to the Office of the Information and Privacy Commissioner.
“I’m not an IT expert, I’m not a security expert. I can understand the fear of the unknown, of the dark web … it sounds menacing,” says Coun. Cathy Jewett, when asked about the perceived lack of transparency around the incident.
“And so it’s because we don’t know. We don’t know who they are, we don’t know what they can do. We know how much of our information that they could potentially have, and that’s scary.”
As for the lawsuit, Mayor Jack Crompton says the RMOW stands behind its decision to sue the local paper.
“It’s a decision our organization made, and it’s one that was not easy to take by any means,” he says. “Clearly the fact that we did take action indicates that it’s a decision council approved.”
The attack itself was “as challenging for our organization as anything we’ve faced this term, which is saying something,” Crompton adds.
“There’s more to do still, but I’ve been really impressed with the work we have done to recover … [cyber security incidents are] not something that are going to stop, so we need to continue to have it as a high priority for our organization.”
According to the RCMP, the National Cybercrime Coordination Unit (NC3) has received more than 1,600 requests for assistance from law enforcement partners since June 2020, more than 30 per cent of which are related to ransomware.
The proliferation of ransomware activity can be attributed to many factors, says RCMP spokesperson Sgt. Caroline Duval, in an email: the exponential growth of the internet and communication technologies; the borderless nature of cyberspace; cheaper and more commonplace technologies; and the payment of ransoms ensuring the crime stays lucrative.
“The criminal exploitation of new and emerging technologies requires new policing measures to keep pace in a digital era. The same technologies that people and organizations use for legitimate purposes may be used by criminals to mask their online activities and evade detection from law enforcement,” Duval says.
“Police must often find technical solutions to decrypt, unlock or otherwise deal with encryption technologies, re-routed Internet Protocol addresses and other technical roadblocks that criminals exploit to cover their digital tracks and commit cybercrimes.”
Criminal investigations—like the one underway into the attack on Whistler—can be initiated as soon as a crime is reported, and the RCMP recommends victims call 911 as soon as possible. (The RCMP would not comment on the status of the ongoing investigation.)
Local police can begin the investigation, and activate national resources as necessary.
Given the breadth of the problem, and how fast it’s growing, cooperation is crucial in combatting cybercrime, and the RCMP works closely with other law enforcement agencies, federal partners and industry, Duval says.
“[The NC3] works to reduce the threat, impact and victimization of cybercrime in Canada, and improve Canada’s understanding of cybercrime and cybercriminals,” she says, adding that it also “coordinates investigations, provides digital investigative advice, produces actionable intelligence reports, and more.”
The NC3 and Canadian Anti-Fraud Centre (CAFC) work closely together, and have complementary mandates under the same operational branch of the RCMP, which is currently working on implementing a new national public reporting system for Canadians to report cybercrime.
“The system will be completed in 2023-24 and will include enhanced functionality and capabilities making it easier for victims to submit reports while providing law enforcement with more detailed information that will help with their analysis and investigations,” Duval says. “In the interim, we continue to advise people to report to the CAFC.”
The RCMP also employs cybercrime investigative teams and cyber capability specialists “dedicated to bridging the divide between the complex technical cyber world and that of conventional investigative techniques and strategies,” she adds.
Individuals and organizations can protect themselves by: updating anti-virus software often, and scanning for viruses regularly; never clicking on pop-ups that claim your computer has a virus; not clicking on email attachments from unknown senders; using pop-up blocking features in your browsers; never downloading anti-virus software from a pop-up or link sent in an email; frequently backing up your computer, and storing backups on a separate device; training employees on cyber security, and implementing security policies and procedures; and proactively developing an emergency response plan and backup/recovery plans in case of a cyber attack.
Asked for an update on the ongoing investigation, a spokesperson with the B.C. Office of the Information and Privacy Commissioner declined to answer any questions, noting that the Freedom of Information and Protection of Privacy legislation puts “strict limitations” on what the office can disclose.
Find more info and resources at getcybersafe.ca.