‘Ottawa’ Time Hackers at the NRC
Hackers repeatedly picked an odd target two years ago inside the National Research Council: Canada’s official time signal.
At one point, the unknown cyber attackers shut down access to a server that tells NRC clients what the precise time is.
Some of the attacks were fended off. Some simply ended on their own. Together, though, the incidents raise the spectre of hackers using the time signal to get at more sensitive government servers.
The NRC time signal provides Canada’s longest-running (and shortest) radio broadcast, the daily CBC time check at 1 p.m. Eastern Time, which uses a long dash after several seconds of silence.
It also offers a service worldwide in which businesses and individuals can synchronize their computer clocks over the Internet. This allows accurate time stamps for banking, email and scientific observations.
The attacks on the Institute for National Measurement Standards, the NRC division that handles time, began months before another high-profile “cyber intrusion” in July 2014.
In that incident, NRC and Treasury Board jointly announced that NRC’s computers had been hacked days earlier, causing a serious security breach. NRC shut down most of its computers and began overhauling its computer network, a multi-year job budgeted at $32.5 million.
Canada has blamed state-sponsored cyber attackers in China for that intrusion. China vigorously denies involvement.
The cyber-time-raid, beginning in January 2014, was a “denial of service” attack, in which an external computer asked the NRC’s Network Time Protocol server for the exact time thousands of times per second, causing an electronic traffic jam.
There was a “huge” increase in computer traffic that shut down at least some NRC servers, according to documents released under an access-to-information request.
Most of the 31 pages of emails dealing with the series of attacks are blacked out, and the public portions tell nothing about the suspected source of the attacks.
The newly released documents show:
• NRC and Shared Services Canada staff began discussing the attacks on Jan. 3, 2014, a Friday. Ten days later, an email says: “It appears that the attack is over, the incoming traffic levels have returned to normal levels as of some time yesterday.” It says that some customers lost contact with one server for a while, but found a backup. As a result, changes were made to the firewall, a measure that prevents outsiders from gaining access to a computer.
And a sentence that is partly blacked out concludes: “The rest of the NRC network will not be compromised.” The full conclusion being drawn remains unclear.
• The next attack came in August 2014 — two weeks after NRC had to shut down nearly everything for July’s major cyber intrusion.
Documents say the Network Time Protocol server “is still being attacked,” though the number of hits per second is blacked out. They call the situation “manageable but not ideal.”
Again, NRC and Shared Services Canada were both involved in trying to block the attack.
• The documents raise the possibility of much earlier security trouble, in 2009 or 2010. Though much of this section is also blacked out, it concludes: “I hope this clarifies the (several words deleted) at NRC. Again, there might be some factual errors, as all this is from memory, and all this happened 4-5 years ago.” It was written in early 2014.
But why would anyone attack a time signal? The papers give no clue.
The temporary loss of our super-accurate time check wouldn’t do the country real harm, said physicist Paul Delaney of York University.
He speculated that the time server was “an easy mark” that provided hackers with a point of entry into the larger NRC network, and beyond that to other federal government computers and to corporations that deal with NRC.
The time servers, designed to allow access to everyone in the world, may have been an inviting target, he said.
“Disrupting the time servers themselves is probably not the big issue. But if you’re using that as a leaping-off point to other, more sensitive servers, that could be the issue.”
“It’s interesting how we have to worry about such things these days.”
The official timekeepers at the United States Naval Observatory have also been hit by a cyber attack, and their Master Clock went offline for a day in 2011. They traced the denial of service attack to China.