Malicious Cyber Activities
National Security and Intelligence Committee of Parliamentarians Annual Report 2020

Overview

60. In its 2018 overview, the Committee characterized malicious cyber activities as a significant risk to national security and specifically pointed to the threat China and Russia pose to government networks. Cyber threats are pervasive. They affect government systems, critical infrastructure providers, the private sector and Canadians. Cyber threat actors range from low-sophistication cyber criminals to highly capable state-sponsored actors. Their motivations also vary, and include the theft of personal information for fraud-related purposes or of intellectual property and confidential business information for industrial espionage, and the interruption of critical services. In 2020, cyber threats continue to be a national security concern for Canada, and Russia and China continue to be the most sophisticated state-sponsored actors targeting Canadian government systems. Footnote 77 Over the past year, cyber threat actors have also taken advantage of the global health crisis caused by the COVID-19 pandemic to further their objectives. Malicious state and non-state actors have targeted the health sector and government services, and conducted online disinformation campaigns aimed at manipulating public opinion and undermining confidence in the functioning of key public health systems.

Description of the threat

61. *** states represent the most significant state-sponsored cyber threats to Canada. In 2019 and 2020, CSE identified the most significant state-sponsored cyber threats as emanating from China, the Russian Federation, Iran, the Democratic People's Republic of North Korea (North Korea), *** . Footnote 78 CSE has continued to see cyber activity consistent with each actor's national strategic objectives, including in cyber activity against Canadian government networks, private sector systems and critical infrastructure systems.

62. China and Russia continued to be the main drivers of cyber threat activity targeting the government since 2018. This activity has been consistent, year over year, and focused across numerous government sectors, including: [*** This paragraph was revised to remove injurious or privileged information. The paragraph lists the sectors and government organizations. ***] Footnote 79

63. CSE identified an increase in cyber attacks by state-sponsored actors against Canadian targets in the first half of 2020. Footnote 80 Between January and June 2020, CSE observed *** attempted compromises of Canadian targets by *** Chinese actors. Approximately *** of those attempts, including *** successful compromises, targeted the *** sector. During this period, *** Russian actors attempted to compromise *** Canadian targets, of which CSE assesses that *** were very likely successful. While *** sector targets also made up a portion of *** targeting, that nation's cyber efforts also involved targeting [*** This sentence was revised to remove injurious or privileged information. The sentence describes targeted areas. ***]

64. CSE's 2020 National Cyber Threat Assessment describes several key trends in the cyber threat environment. Footnote 81 First, CSE assesses that the number and sophistication of cyber threat actors is increasing. Second, CSE assesses that state-sponsored programs from China, Russia, Iran and North Korea pose the greatest strategic threat to Canada, and that state-sponsored actors are likely attempting to develop cyber capabilities to disrupt Canadian critical infrastructure. Third, it notes that state-sponsored actors will continue to conduct commercial espionage against businesses, academia and government to steal intellectual property and information. Fourth, CSE states that online foreign influence campaigns are ongoing and are not limited to major political events like elections. Finally, it states that cybercrime remains the threat most likely to affect Canadians and Canadian organizations, and that large Canadian enterprises and critical infrastructure will continue to be targeted in ransomware attacks. Between July 2018 and September 2020, the RCMP conducted *** priority investigation(s) related to cyber-crime. Footnote 82 In that same period, CSIS conducted warranted investigation(s) related to cyber threats against *** target(s) and *** organization(s). Footnote 83

65. Among the broader trends in cyber threat activity, those that relate most closely to national security and intelligence are: information theft for espionage purposes; the compromise of critical infrastructure networks; online foreign influence campaigns through coordinated manipulation of social media and opinions; and the cyber-enabled tracking and surveillance of dissidents and individuals. These areas are discussed below.

Information theft for espionage purposes

66. The state-sponsored theft of information can affect government networks and those of other public institutions. These networks are valuable targets because of the essential nature of their services and the sensitivity of the information they manage. Footnote 84 For government networks in particular, CSE has noted that cyber threat actors target confidential and sensitive information, such as *** or details related to *** The continued digitization of government services presents new vulnerabilities to sensitive and confidential information, including through the move to greater use of cloud computing environments. Footnote 85 CSE and its allied counterparts assess that state-sponsored adversaries have both the intent and the greatest capability to direct cyber operations against government networks.

67. Canada and its allies have attributed cyber espionage activity to both China and Russia. CSE assesses that both countries have among the world's most sophisticated cyber capabilities. Footnote 86 China uses its cyber operations to target governments, companies and academic institutions globally in order to gain commercial, diplomatic and military intelligence in support of its strategic objectives. Footnote 87 CSE assesses that China's cyber capabilities are [*** Two sentences were revised to remove injurious or privileged information. The sentences describe CSE's assessment. ***] Footnote 88 *** Footnote 89 While Russia also uses sophisticated cyber espionage tactics to support its strategic objectives, CSE assesses that [*** This sentence was revised to remove injurious or privileged information. The sentence describes CSE's assessment. ***] Footnote 90

68. State-sponsored espionage against private networks is also of significant concern. Intellectual property, confidential business information, and information related to a company's strategic partnerships or research and development plans can be of direct use to a foreign state and its industries. Cyber espionage activities targeting the private sector can result in a loss of competitive advantage, particularly in specialist areas of research and development. For advanced economies such as Canada and its allies, cyber espionage against private networks carries significant risks.

69. Russia and China have conducted cyber espionage against the Canadian *** sectors. Footnote 91 For Russia, these efforts support *** intelligence priorities. Footnote 92 For China, these activities support the [*** This paragraph was revised to remove injurious or privileged information. The paragraph describes a CSIS assessment of China's objectives and a specific example of China's cyber espionage. ***] Footnote 93

70. Allied countries likely have had similar experiences with Chinese and Russian cyber espionage. In early 2019, China likely launched cyber attacks against the Australian Parliament and its three largest political parties prior to the Australian general election. Footnote 94 More recently, in June 2020, China likely conducted another large-scale cyber attack against Australia, targeting Australian companies, hospitals, schools and government officials. Footnote 95 For this attack, Chinese-sponsored cyber actors reportedly used spear-phishing tactics to breach sensitive networks and conduct reconnaissance. In October 2020, the United Kingdom's National Cyber Security Centre revealed that Russia's military intelligence services conducted extensive cyber reconnaissance in preparation for a cyber attack on the 2020 Tokyo Olympic and Paralympic Games. Footnote 96

Compromise of critical infrastructure

71. The targeting of critical infrastructure has the potential to compromise public safety and national security. These systems, which are increasingly controlled through remote Internet access, support the provision of critical services such as health networks and hospitals, electricity, transportation, energy, and food distribution systems. Footnote 97 Canada and its closest security and intelligence partners have reported on cyber attacks and network compromises of energy utilities, banks, and telecommunications and communications infrastructure, as well as the networks of cloud-based service providers. Footnote 98

72. According to CSE, Russia, China and Iran have all demonstrated an intent to develop cyber attack capabilities against industrial control systems linked to critical infrastructure. Footnote 99 CSE has previously assessed that, *** cyber attack capabilities against those systems. Footnote 100 A notable demonstration of this capability took place in 2017, when CSE alerted its partners in the United States to a compromise of an industrial control system in the energy sector. Officials at the U.S. Department of Homeland Security subsequently stated that Russian cyber threat actors had advanced to the point where they could have disrupted power flows in North America. Footnote 101 According to CSE, [*** Two sentences were revised to remove injurious or privileged information. The sentences describe a CSE assessment of a state's methods, objectives and targets. ***] Footnote 102 *** Footnote 103 However, CSE also notes that, in the absence of a major crisis or armed conflict with Canada or the United States, the intentional disruption of Canadian critical infrastructure remains unlikely.

Online foreign influence campaigns

73. Advanced cyber threat actors have also refined their ability to conduct disinformation campaigns online. Threat actors conduct these campaigns on social media to amplify societal differences, sow discord and undermine confidence in fundamental government institutions. For example, CSE has previously observed Twitter accounts connected to a Russian troll farm tweeting about several high-profile events in Canada, including the January 2017 Québec City mosque shooting, and the increase in asylum-seeker border crossings in summer 2017. Footnote 104 However, CSE assessed that the majority of disinformation campaigns by Russia with a link to Canada are likely *** Footnote 105 Nevertheless, according to CSE, the number of states conducting online influence activities has grown since January 2019 and state-sponsored online activity will likely continue to target Canadian political discourse. Footnote 106

74. Elections are a valuable target for disinformation and online influence. For example, the Russia-based Internet Research Agency promoted divisive and inflammatory content before the 2016 U.S. presidential election, for which it, and several of its employees, were indicted by the U.S. Department of Justice for "operations to interfere with elections and political processes." Footnote 107 Canada's 2019 federal election does not appear to have been a significant target of online influence and misinformation. The final Report on the Assessment of the Critical Election Incident Public Protocol, provided to the Committee in September 2020, concluded that there was some media activity of foreign origin during the election period, but that "its impact, as with domestic origin social media activity in this period, does not appear to have been consequential." Footnote 108

Cyber-enabled tracking and surveillance of dissidents and individuals

75. State-sponsored and advanced cyber threat actors have developed sophisticated means of targeting individual persons, such as political opponents or dissidents. These cyber threat activities exploit vulnerabilities in global communication systems to permit eavesdropping or geolocation, or to alter, add or delete content on a targeted user's mobile device. Footnote 109

76. CSE reports that *** to target individuals of interest in Canada. Footnote 110 CSE assesses that *** Footnote 111 [*** Three sentences were revised to remove injurious or privileged information. The sentences describe a CSE assessment of the targeting of individuals in Canada. ***] Footnote 112 *** Footnote 113 The 2018 murder of Saudi dissident Jamal Khashoggi is a gruesome example of states using advanced cyber threat capabilities to target human rights activists, dissidents, lawyers and journalists. Footnote 114 One study of a prevalent mobile cyber capability suggests that this one cyber tool has enabled the covert cyber tracking, targeting and surveillance of individuals in 45 countries, demonstrating the global use of these technologies. Footnote 115

COVID-19 pandemic

77. State and non-state cyber threat actors have taken advantage of the global health crisis caused by the COVID-19 pandemic to pursue their strategic interests. This has led to an increase in cyber activity since January 2020. CSE assesses that state-sponsored actors, primarily from ***, have targeted the Canadian health sector to obtain information, likely in response to new COVID-19 intelligence collection requirements. Footnote 116 Specifically, CSE noted that these actors have demonstrated an interest in information related to vaccine research and development, medical equipment, and response coordination. CSE assesses that this threat will likely continue for the duration of the pandemic. Footnote 117

78. Since January 2020, CSE has noted an increase in cyber attacks from *** directed against Canadian targets. Footnote 118 Organizations engaged in research and development related to COVID-19 (e.g., related to a vaccine or rapid testing), or who hold sensitive data related to Canada's response to COVID-19, are particularly at risk. CSE notes that approximately *** attempted cyber compromises were directed at the health sector. Footnote 119 During the same period, *** directed approximately *** attempted compromises at the health sector. Footnote 120 Overall, CSE assesses that the pandemic has [*** This sentence was revised to remove injurious or privileged information. The sentence describes CSE's assessment of the impact of the pandemic on certain states' cyber activities. ***] Footnote 121

79. The pandemic has affected other types of cyber threat activity. [*** Two sentences were revised to remove injurious or privileged information. The sentences describe CSIS's assessment of the potential impact of the pandemic on the operations of hostile foreign states. ***] Footnote 122 *** Footnote 123 Finally, CSIS has pointed to the increased use of mass surveillance technologies across several countries for use in COVID-19 contact-tracing applications, noting the long-term risks posed to personal privacy by these applications outside of Canada. Footnote 124

80. State actors have also shifted the focus of their online influence activities to the pandemic. In late February 2020, U.S. officials accused Russia of spreading disinformation about COVID-19 in a coordinated campaign. Beginning in January, thousands of Twitter, Facebook and Instagram accounts - many of which had previously been tied to Russia - began posting nearly identical messages in English, German, French and other languages, blaming the United States for the pandemic. Some of the messages claimed that the virus was part of a U.S. effort to wage economic war on China; others claimed that it was a biological weapon engineered by the Central Intelligence Agency. Footnote 125

Key conclusions

81. Cyber threats present a serious and growing risk to Canada's national security. State actors, China and Russia in particular, continue to target government networks, public institutions and private companies for cyber espionage. These actors continue to build their capability to target critical infrastructure, conduct online influence campaigns and monitor dissidents abroad. The pandemic put these threats into stark relief, in particular the threats posed to Canada's health sector. The Committee will deliver its review of the government's defensive cyber capabilities to the Prime Minister in 2021.