Following a warning by the Canadian Centre for Cyber Security and Canada’s Five Eyes allies of a “significant threat” from a state-sponsored actor associated with the People’s Republic of China, a cybersecurity expert says the rarity of the alert means it should be taken very seriously in Canada.
“It’s a fairly rare thing to put out something like this so publicly and, of course, it runs a risk of frightening people, and we probably have good reasons to be frightened,” Thomas Patrick Keenan, a professor at the University of Calgary, told The Epoch Times.
On May 24, the Cyber Centre, which is part of the Communications Security Establishment, joined its Five Eyes partners of Australia, New Zealand, the United Kingdom, and the United States to issue an advisory warning of an actor targeting critical infrastructure operators in the United States.
While the Cyber Centre said it had no reports of the actor targeting Canada, it noted that Western economies are “deeply interconnected” and an attack on one country can impact the infrastructure of another. ”
According to the 2023-24 National Cyber Threat Assessment, the state-sponsored cyber programs of China, Russia, Iran, and North Korea continue to “pose the greatest strategic cyber threat to Canada,” with critical infrastructure remaining a prime target for both cybercriminals and state-sponsored actors.
‘Living Off the Land’ Hacking
The threat was initially uncovered by tech giant Microsoft and attributed to Volt Typhoon, a Chinese state actor that focuses on espionage and information gathering. Keenan said companies are often “very shy” about naming who is responsible for cyberattacks.
“But when a big company like Microsoft names a big country like China, I guess we should take it pretty seriously,” he said.
In a May 24 blog post, Microsoft claimed that the Volt Typhoon campaign is pursuing the development of capabilities that could “disrupt critical communications infrastructure between the United States and Asia region during future crises.” It said since mid-2021, the group has targeted critical infrastructure organizations in Guam—home to a major U.S. naval base—and throughout the United States.
The style of attack Volt Typhoon uses has been described as “living off the land,” which means using existing network tools and valid credentials to better avoid detection. Keenan said that as opposed to traditional malware attacks, which involve the creation of new files on computers, “living off the land” means attacks that can exist in a computer’s memory using already available tools.
“What Microsoft is suggesting is that, in this case, it’s not so much an automated attack. It’s a human being sitting at a keyboard with a command line prompt, trying commands to see if they can get into systems, to see if there are weaknesses, or if they can find compromised credentials, no passwords and so on. So it’s kind of different from what we usually see,” he said.
Possibility of Escalation
Keenan said he had asked the Canadian Department of Defence whether the military has authorized any counter-hacking, otherwise known as “active measures,” and was pointed to the Canadian Armed Forces’ (CAF) “Strong, Secure, Engaged” document, which outlines the country’s defence policy.
The document claims CAF has plans to “develop active cyber capabilities and employ them against potential adversaries in support of government-authorized military missions.”
Keenan said that while the CAF could be authorized to engage in active measures against the Chinese communist regime, this would “basically start to get into a cyber war, where we hack them, they hack us back, and so on.”
“I’m fairly confident that those [in the United States] who are responsible for this are thinking about hacking back, but it would require—at least if the Canadian military got involved—high-level authorization,” he said.