A national cyber-security expert says the ransomware attack experienced by the Northwest Territories Power Corporation on Thursday seems to be part of an increase in attacks that are being experienced across the country during the Covid-19 pandemic.
On Monday, Doug Prendergast, manager of communications with power corp, said the external website (www.ntpc.com), the customer portal (www.myntpc.com), and email system were all out of service after Thursday's ransomware attack.
"NTPC has not yet established a specific timetable for restoration of systems," Prendergast stated. "We will take the necessary time to fully investigate this matter and will not restore systems until we have a high level of confidence that it can be done safely. NTPC has engaged an IT security firm to help with assessing the problem and returning the system to normal."
The company spent much of the rest of the day Thursday in contact with officials from the territorial and federal governments, including the Canadian Cybersecurity Agency. By mid-afternoon, the corporation was communicating the issue to the public through social media and a news release.
photo supplied by David Masson
David Masson, director of enterprise security for Darktrace, an international artificial intelligence cybersecurity company, reached out to NNSL Media shortly after the announcement of the attack at NTPC.
Masson has more than two decades of experience in working with security and intelligence environments in both the United Kingdom and Canada and has worked as a senior manager at Public Safety Canada, the UK Ministry of Defence and Royal Auxiliary Air Force (RAuxAF).
He said the incident deserves as much attention as it can get because a ransomware attack on NTPC, as a provider of electricity to the territories, is an attack on Canada's national infrastructure.
"The federal government's been warning us about these attacks for a couple of years now - the interest in our national infrastructure by threat actors," he said.
"The real reason they will have gone for a power company is the same reason why these threat actors go for things like hospitals and municipalities. It is because there's a very vital service being provided here and the bad guys and threat actors know that the providers of that service are driven to maintain that service and are driven to support the client base whether it be customers or patients. They're driven to keep that going. So they attack in the hope that their desire to get everything back online as quickly as possible will result in the easy option, which is to pay a ransom."
Masson said he regularly provides advice to major government institutions as it comes to cybersecurity issues, but has no specific knowledge of the NTCP attack. He said from an outsider's view, it appears the ransomware attack is a traditional type where attackers through email attempt to encrypt data and then demand a ransom for the victim to get the data back.
"We've seen this type being used in just in the last couple of months and almost certainly (attackers) will be be taking advantage of what's going on in the world, particularly with the COVID-19 crisis," he said, noting that with a pattern of people people working from home rather than headquarters, there is an attempt to exploit weak networks.
Masson explained that ransomware has traditionally only come in one form which has been what seems to have attacked the NTPC system - "malware that gets downloaded onto the network and very, very quickly starts encrypting all your data."
"They encrypt your data so you can't get access to it. And then what we hope you'll do is pay the ransom in order to get access back to your data."
Masson said there is second, more modern type of ransomware that has been more popular worldwide over the last year and that involves encryption and ransom, but also an additional threat that the stolen information will be disclosed on websites.
"The good news is that the electricity supply hasn't been affected and that's really, really great news because that would be disastrous," he said. "What that says to me is that their operational technology network hasn't been affected by it so far. What it probably looks like is its Information Technology Network -the IT network- that's been affected and that's what normally happens with the ransomware attacks."
Masson said it is important for an institution like NTPC to back up its data to ensure there is clean and uninfected copies to use to rebuild the network.
"Right now they'll be checking the network to see where the virus has gone and looking at if there are any other drives on any other servers or other laptops that have been infected. There's nothing worse than cleaning up your network but not cleaning it up sufficiently and then the virus kicks off again.
"When you rebuild again from your backups, it's not a quick process that tends to be a matter of days, or two weeks. You will probably see some of the facilities of NTPC coming back online in bits and pieces."
NTPC says it has filed a report with the RCMP, but Masson says it is unlikely charges would ever be prosecuted.
"The police will be looking to see if they can find evidence of who's done this and so you can get a prosecution," he said. "I think there's very little chance of that. I think there is less than one per cent of successful prosecutions after attacks like this in the world, never mind in Canada."