What seems to be data from the Royal Military College (RMC) of Canada was leaked on the dark web this week, after the institution was targeted by a cybersecurity attack in early July.
The Department of National Defence (DND) did not confirm the leak contains RMC information, but Global News has viewed many of the files from the leak, including student progress reports, acceptance letters, as well as a myriad of financial documents like tax receipts and budgets for various departments that all appear to be from the college.
According to Brett Callow, a threat analyst with Emsisoft, an anti-malware and anti-virus company, the leak is a result of a type of ransomware attack called DoppelPaymer, which infiltrates organization’s systems, then steals their data.
Callow said ransomware was previously used to encrypt organization’s data, locking the victim out of their systems until they paid a ransom. Recently, however, hackers have started stealing data to use as a form of extortion if payment is not given after the initial attack.
“Groups typically start by publishing only a small amount of the data that was taken, which is the equivalent of a kidnapper sending a pinky finger. Should the victim still not pay, the remaining data is released, usually in a series of installments,” Callow said.
David Skillicorn, a professor in School of Computing at Queen’s University and in the Mathematics and Computer Science Department at RMC, agreed, saying he believes the hackers are trying to pressure the college to pay up.
“I’ve taken to calling this embarrass-ware because they’re trying to find things that will motivate whichever organization is being attacked that maybe they should pay the ransom anyway. And I think this is an example of that,” Skillicorn said.
He added that ransomware attacks were previously seen as more of an annoyance than a real threat, since large companies, organizations and municipalities started backing up their systems in case of such attacks.
The theft of data and the threat to post it is a new practice that Skillicorn says has been adopted to bolster the ransom demand.
In this case, Skillicorn said the threat is fairly empty, since most of RMC’s information could be obtained by access to information requests, and post-secondary institutions are, for the most part, transparent. But, student information, especially students at RMC, could be valuable to certain parties.
“The most problematic data that you could lose would be the transcripts of all of the cadets, because you can imagine looking over that data and deciding who are going to be the senior officers 10, 20 years from now. That would actually be useful information for some other countries,” Skillicorn said.
DND has yet to confirm the attack was a ransomware, but both Skillicorn and Callow believe it was.
Neither could give an estimate at how much the attackers might be asking for, but both experts say it’s not wise to pay.
“In these cases, payments simply results in a pinky promise from the criminals that the copy of the stolen data will be destroyed. Whether or not they do actually destroy that data is something only they know,” Callow said.
Canadian Forces Base Kingston’s new base commander, Stephane Masson, who acts as a steward for RMC, told Global News in an interview Tuesday he does not believe DND will be paying the ransom.
“With what we know, absolutely not, absolutely not, and this is a pretty serious incident, and obviously DND as a department are taking this very seriously,” Masson said.
He added that the RMC’s commandant has ultimate authority over the college, but RMC has deferred all requests about the attack and the subsequent leak back to DND.
For its part, DND said it does not release information regarding security measures.
“We can say that this cyber incident does not affect the operational capabilities or networks of the Canadian Armed Forces or its ability to perform its mandate of defending Canadians,” a DND spokesperson said.
DND continued, saying the attack was a result of a mass phishing campaign on RMC’s academic system, which contained information about general administration, student communications and research at the college.
According to DND, the RCMP and Communications Security Establishment are investigating the attack.
“We are also working closely with the RCMP and the Canadian Centre for Cyber Security (CCCS), under CSE to ensure all appropriate actions are taken to minimize any potential impact to our people are operations,” DND said.
Shared Services Canada (SSC) said they worked with DND to limit external accesses to control the threat, and collected logs and other critical pieces of information. SSC also verified that any other technical systems were not affected.
Despite a disruption in online services at RMC, including emails being disabled for several weeks, DND said classes will begin as scheduled Sep. 8 for RMC students.
The department would not comment any further on the attack, saying the investigation was ongoing.
It’s still unclear who is responsible for the attack. Skillicorn says it sounds like a sophisticated entity that specializes in ransomware operations. Callow said similar DoppelPaymer attacks have been used against the American cities like Knoxville and Torrance, who experienced cyber attacks over the last year.
As for the attacker’s motivations, Skillicorn said they could be financial, or the hackers could have been contracted by another country.
He also said there is an upside to leaking stolen documents — it may lead investigators to the source of the attack.
“Once data leaves the sites, then it goes somewhere and leaves traces as it moves, and so it’s not implausible that those traces can be discovered and followed back.”