DND confirmed Tuesday that CMC Electronics, a Montreal-based aerospace company, recently alerted the Canadian government to a “cyber breach related incident” at their company in late May.
Procurement records show the company has done millions in work for the Canadian Armed Forces, chiefly in aerospace engineering and research and development — approximately $19.5 million since 2011, according to DND.
The majority of the contracts (66) were for research and development or engineering services.
The government announced on May 30 that CMC would be part of a team working on an $800 million job to upgrade Canada’s 85 CH-146 Griffon helicopters.
“DND/CAF does not comment on the cyber or IM/IT approaches of third-party vendors; however, we recognize the importance of cyber security in defence and defence contracting,” said Jessica Lamirande, a spokesperson for National Defence, in a statement to Global News.
Lamirande added that none of DND’s internal systems employ CMC Electronics technology.
“We are continuing to monitor this situation, while ensuring DND/CAF information is safeguarded.”
Repeated efforts to reach CMC Electronics were unsuccessful. But on Wednesday afternoon, CMC’s parent company issued a statement confirming they identified a “third-party intrusion” into their network “that disrupted … operations, in connection with a ransom demand.”
“We shut down our network to protect our systems and data, and immediately launched an investigation, with the help of cybersecurity and cybercrime experts,” the statement from U.S.-based TransDigm Group read.
There is no indication that the hacker or hackers behind the breach stole sensitive information.
But public reports, including from Montreal’s La Presse newspaper, suggested the ransomware attack — in which hackers lock organizations out of their own networks and demand a ransom to relinquish control — was allegedly carried out by a group known as “ALPHV” or “BlackCat.”
A Canadian intelligence source with knowledge of cybersecurity and related “threat actors,” who spoke to Global News on the condition they not be named, described ALPHV/BlackCat as an “affiliate ransomware-as-service” group that sells its services to decentralized groups of clients, who in turn pay fees to BlackCat.
The Canadian intelligence source added some cybersecurity experts believe BlackCat’s technology was developed by another group directly linked to the Russian state.
But profit, rather than pilfering state secrets, appears to be the primary motive.
“(It) seems to be part of some criminal campaign, and not specifically a state campaign,” the source said of CMC’s breach.
In an interview with Global News, Max Heinemeyer, the vice-president of cyber innovation at cybersecurity outfit Darktrace, called BlackCat an extremely prolific and dangerous ransomware group that appears to have links to Russian programmers.
Heinemeyer said that because of the nature of hacking networks in Eastern Europe, the group could potentially have ties to Russian intelligence or organized crime networks.
Unless you’re a major state intelligence agency, Heinemeyer added, it’s nearly impossible to ascertain who exactly is behind ransomware attacks. But it’s also probable the Russian government knows of the group — and allows BlackCat to continue to operate.
The Communications Security Establishment, Canada’s electronic espionage and cyber defence agency, has repeatedly and publicly warned businesses and organizations about the growing threat of ransomware attacks.
“Ransomware is the most common cyber threat Canadians face, and it is on the rise,” read documents prepared for Defence Minister Anita Anand that were recently released publicly.
“The global average total cost of recovery from a ransomware attack has doubled in a year, increasing from $970,722 CAD to $2.3 million CAD in 2021. The average ransomware payment in 2020 was $312,493, up 171 per cent from … 2019.”
The CSE’s position mirrors that of close security partners in the U.S., U.K. and Australia, who warned in February that they have observed an increase in “sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally.”
— with files from Marc-André Cossette.