CRA Heartbleed hack: Stephen Solis-Reyes facing more charges

RCMP cybercrime investigators have laid a string of new charges against a 19-year-old London, Ont., student accused last spring of hacking into the Canada Revenue Agency’s website.

19-year-old from London, Ont., facing 16 new charges

Stephen Arthuro Solis-Reyes, 19, of London, Ont., is facing additional charges in connection with the Heartbleed case, RCMP say. (2011-12 Mother Teresa Catholic secondary school yearbook)

Today, RCMP laid 16 new charges against Stephen Solis-Reyes involving alleged hacks against the CRA, as well as the computers of the University of Western Ontario, the London District Catholic School Board, and an offshore email service, Jersey Mail, among others.

Police expanded their investigation after raiding Solis-Reyes’ home last April and seizing more than a dozen computers and mobile devices in a probe of a hack into federal government computers.

CBC News has learned investigators raced against the clock last April to track down the suspects who they believed had broken into computers of the Canada Revenue Agency, stealing sensitive tax information of hundreds of Canadians.

The CRA was one of scores of government departments forced to shut down public online services due to system vulnerabilities tied to the Heartbleed bug.

According to newly released court documents, the CRA shut down electronic tax filing services for millions of Canadians and extended the tax filing deadline after detecting that someone had infiltrated government servers and was extracting full and partial tax return data involving at least 652 social insurance numbers held on CRA servers.

Ultimately, after five days of shutdowns and amid mounting political pressure, RCMP tracked the breach to Solis-Reyes’ home in London, which they raided in the early morning hours. The University of Western Ontario student was charged with mischief and unauthorized use of a computer.

Major tax-time disruption

CRA first detected the breach of its computers on the morning of April 8, 2014, forcing the agency to immediately take its electronic tax filing system off-line during the height of tax season.

Cybercrime specialists worked through the next day, April 9, to patch the vulnerability in the CRA’s programming but watched as someone using two different internet protocol (IP) addresses continued to attempt to hack into the servers until the following morning.

On April 10, RCMP Cpl. David Connors of the RCMP National Division’s Integrated Technological Crime Unit was called to a meeting at the headquarters of Canada’s electronic spy agency CSEC (Communications Security Establishment Canada), along with officials from the CRA and Shared Services Canada. Cyber analysts provided the RCMP with two IP addresses, and intelligence that someone had been extracting tax data from the CRA server.

“The analysis identified 652 distinct social insurance numbers in this data. However, the number of individuals affected is likely to be higher, due to the fragmented nature of the data and the fact that a tax return may include information about more than one individual,” according to an RCMP affidavit used to obtain a search warrant in the case.

That afternoon, after the meeting with CSEC, the RCMP began contacting internet companies asking them to preserve the computer traffic tied to the IP addresses while they prepared and sought official court orders to obtain the material.

On April 12, the RCMP were granted production orders and very quickly were provided information from the internet companies that led them to a subscriber living in London.

The next day, the CRA announced that it was putting its electronic tax filing system back online, amid mounting questions about what had happened to disrupt services.

RCMP investigators raced to file a search warrant application by fax through Ontario’s telewarrant centre in Newmarket, which is used on evenings and weekends to grant court orders to police during off-hours.

The RCMP’s Daniele Figoni pleaded with the court that “execution of the warrant is required as soon as practically possible due to the possible victimization of Canadian citizens. The longer the suspect has access to the sensitive information that was ex-filtrated, the greater the potential for further uncontrolled dissemination.”

Adding to the pressure was news that the national revenue minister and the head of the CRA had planned a media briefing for 8 a.m. Monday morning to discuss the breach, and investigators feared this would tip off the hacker and could “provide an opportunity for the suspect(s) to destroy evidence.”

Just before midnight on April 13, the court granted the search warrant. The RCMP raided the home at 1:15 a.m. Monday, seizing the following:

  • Five mobile phone devices.
  • Three tablets.
  • Two iPods.
  • Six computers.
  • Two routers.
  • Two thumb drives.

Two days later, Solis-Reyes was charged with two offences. His lawyer, Gord Cudmore, reached today, said he was aware of the fresh charges but insists his client is not a malicious hacker.

“My client’s a 19-year-old man, a fine young man, a very bright young man,” Cudmore told CBC News. “There are no allegations of any malice on his part.”

Cudmore plays down any suggestion his client was trying to benefit.

“The original stories, before anyone was charged, there was concerns about somebody hacking into a system and taking information for nefarious purposes. There is no allegation in these final charges against my client of any nefarious purpose,” Cudmore said.

He says his client has been co-operating with the RCMP throughout the investigation.

Solis-Reyes is due back in court Dec. 19.