[BreachExchange] Alleged North Korean hack on Metrolinx may open ‘frightening new chapter’ in cybersecurity

Destry Winant destry at riskbasedsecurity.com
Wed Jan 24 20:40:48 EST 2018


An alleged cyberattack on transit provider Metrolinx from North Korea
is sparking concern about state-sponsored attacks on infrastructure,
but also criticism that the Ontario government agency is making the
accusation without showing any proof.

Metrolinx confirmed that malware was recently found on one of the
agency's computer networks, but said that transit safety was not
compromised and neither customer nor staff information was leaked.

Metrolinx spokeswoman Anne Marie Aikins said that investigators believe
the attack originated in North Korea and was routed through Russia, a
scenario that would make it part of what one expert called "a
frightening new chapter" in cybersecurity.

Independent technology analyst Carmi Levy said that the alleged source
of the attack points to a worsening vulnerability around key

"It actually fits in with the growing online risk that public
utilities – namely power generation/distribution, transportation,
water, sewage and other infrastructure, etc. – now face," he wrote in
an e-mail. "It's the kind of thing that should keep us all up at
night, and the signs now point to state-sponsored hackers getting in
on the action."

Last month, the United States government publicly attributed WannaCry
to North Korean hackers. WannaCry was a self-propagating ransomware
attack in May 2017 that encrypted files on hundreds of thousands of
computers in more than 150 countries. A series of other attacks,
including financial crimes and the 2014 hack of Sony Pictures, have
been blamed on the Lazarus Group, which some experts believe has links
to North Korea.

In the case of Metrolinx, the agency's justification for blaming North
Korea remains shrouded in secrecy. Ms. Aikins said the agency could
not reveal its proof for security reasons, sparking criticism from the
head of Citizen Lab, a digital rights group at the University of

Ron Deibert said it would be "highly unethical and irresponsible" for
Metrolinx not to make public its proof.

"Given the high stakes for public safety and foreign policy, there is
no reason whatsoever for Metrolinx to not disclose whatever evidence
they have," he argued. "If North Korea was indeed responsible for the
attack, that would be a major development necessitating a Government
of Canada response, since Metrolinx is a Crown corporation."

Queries seeking federal reaction at Public Safety Canada, which
oversees the Canadian Cyber Incident Response Centre, were referred to
Global Affairs Canada. A spokesman there referred them back to Public

Ms. Aikins said only that the agency is "working very closely with our
cybersecurity officials in Toronto and Ottawa."

The malware was believed to be the kind that, once established on one
system, uses that foothold to try to reach other networks connected to
the one it first compromised. In the case of Metrolinx, it was found
by outside security specialists the agency had hired to test its own
systems.

Ms. Aikins called the case an example of the need for strong and
evolving security precautions.

"It's important that you invest in the most robust information
systems, that they be tested regularly and updated," she said.

A spokesman for the Toronto Transit Commission said that it has not
experienced an attack of the type described by Metrolinx, but that it
has stepped up its cybersecurity monitoring as a result.

More information about the BreachExchange mailing list