Employees at the Bank of Canada in November 2015 were bombarded with 25,000 similar, innocuous-looking emails.
The messages came in both official languages, politely asking recipients to review an invoice in an attached Microsoft Word document. The document was armed with code that would attempt to install a colourfully named program — putinanalking.exe — carrying malware designed to steal banking credentials.
Thanks to the bank’s cybersecurity defences, the vast majority of those emails were filtered out before they reached their intended targets. For the 33 users who did open the emails and attachments, a second layer of the bank’s cybersecurity system kicked in, preventing the malware from transmitting any information to the hackers.
The bank’s employees, however, were not as reliable. Five of the 33 duped users opened the email and attachment even after the bank sent out a notification specifically warning them not to.
Documents obtained by the Financial Post through an access to information request show the Bank of Canada is constantly fending off such attacks, including nearly 15 million unwanted emails during the month of March 2016 alone. The bank’s technical systems block most of them, but employees continue to click on ads or open emails carrying programs designed to compromise the institution’s highly sensitive and economically vital information.
The Bank of Canada provided incident reports showing that 27 cybersecurity incidents were serious enough to warrant followup investigation since 2012. Many of the documents are heavily redacted, but in at least 17 cases, a malicious program was successfully installed on a bank computer.
In an emailed statement, Bank of Canada spokeswoman Louise Egan said hackers were not able to access bank data or execute commands on bank computers in any of those cases.
“Given the protections and safeguards the Bank has in place, it is important to note that the mere delivery of malware into the Bank’s systems, without any ability by a perpetrator to activate or control the malware, does not constitute a breach,” she said.
Anyone from foreign governments to organized crime could stand to gain from insider information about the central bank. The institution affects the entire economy by forming monetary policy and setting interest rates, information that could be very profitable to anyone with improper advance knowledge.
Michael Calce, a former hacker famous for shutting down some of the world’s biggest websites under the moniker “Mafiaboy” and now president of cybersecurity company Optimal Secure, said he was shocked by the number of attacks the bank is fending off.
“These are staggering numbers, the amount of messages they’re receiving,” Calce said. “Even if they’re getting blocked or filtered out, that’s pretty overwhelming.”
Brian Bourne, co-founder of the Canadian information technology security conference SecTor, questioned the central bank’s claimed success rate at shutting down such a large volume of attacks.
He said he has consulted with cybersecurity professionals at major Canadian banks who say they deal with a much higher volume of serious threats and successful breaches than the Bank of Canada has reported over the past four years.
“It just looks really, really light,” Bourne said. “Either they’re completely oblivious to the breaches in their environment, or (their reporting) is very purposely vague.”
The central bank did not elaborate on how it decides which incidents warrant followup action and declined a request for an interview.
“The reports you received simply reflect instances where the Bank’s cybersecurity team needed to investigate further to determine the potential for a breach, and/or take some action. Our reporting was driven by internal requirements,” Egan said.
One thing that’s clear is that humans are the weak link in the central bank’s cybersecurity defences. In addition to employees tricked into opening malicious emails — even after being warned — there were users who downloaded malware while surfing the web or browsing through online shopping emails sent to their work addresses.
Calce said no one is perfect and financial institutions should have safeguards in place to protect themselves when employees inevitably click on something they should not have. Even seasoned cybersecurity professionals can be fooled by sophisticated phishing emails, which can appear to come from colleagues and look identical to legitimate ones.
However, he also said workers should face repercussions if they continue to act carelessly after receiving warnings and training.
“If they’ve gone through the necessary training and education and at that point they’re still clicking malicious links or downloading what they shouldn’t be downloading, they’re going to need to be held accountable,” Calce said. “You’re putting not just your company at risk, but everybody who’s a client of that company.”
In other cases, BoC employees realized something was off and notified information technology staff of suspicious emails before clicking on them.
In February 2014, Bank of Canada senior deputy governor Carolyn Wilkins did just that after receiving a “spear phishing” email, a malicious message targeting a specific person. The document describing the incident was heavily redacted, but noted the email was either sent from China or through a Chinese Internet service provider in an attempt to hide its true origins.
In at least one case, the threat turned out to be a hoax. A hacker group going by the name LOGGERHEADS in October 2015 posted an online message claiming to have login credentials for 1,600 BoC “members and administrators.” In a statement, the bank said it investigated and determined no data breach had actually occurred.
It’s unclear why a hacker group would pretend to have Bank of Canada login credentials. But as for the other attacks, Robert Masse, a cybersecurity expert and partner at Deloitte in Montreal, said cyber threats against financial institutions fall into two broad categories: those motivated by financial gain and those motivated by gathering data or intelligence.
The former is much easier to catch because people notice when money goes missing, he said. On the other hand, a hacker who silently keeps tabs on things in the background might not be detected at all.
“If you’re going in to find data on clients, it’s very difficult to detect that breach,” Masse said. “If it’s for intelligence purposes, usually you’ll never find out.”
David Mohajer, chief executive of cybersecurity company Xahive Inc., said organizations such as the Bank of Canada that are stewards of highly sensitive data should have protocols in place that minimize the impact of a successful cyber attack. He recommended storing confidential information on separate virtual machines, which are isolated operating system instances running on the same physical hardware.
“In cybersecurity, you can’t react to the problem. You have to prevent the problem,” Mohajer said. “You have to separate the mission-critical data and services from the everyday data and services.”
The Bank of Canada declined to comment on the specifics of its cybersecurity procedures, making it unclear what measures the institution takes to protect its data in the event of a breach. “Canadians can be assured that it has comprehensive cyber defences and business continuity plans in place,” Egan said.
Calce, the reformed hacker-turned-cybersecurity consultant, said he thinks being secretive is a mistake. He said he’s a big believer in bug bounty programs, whereby organizations as diverse as Facebook Inc. and the Pentagon invite people to find vulnerabilities in their systems and provide compensation for reporting them.
The idea makes some executives nervous, but Calce said he thinks the benefits outweigh the risks.
“If you’re trying to fight the fight yourself, you’re going to lose,” he said. “I would rather put it all out there and make that your strength.”