Russia-aligned hackers are looking to disrupt Canada's energy sector, intelligence agency warns
CSE says ransomware is 'almost certainly' the primary threat
One of Canada's intelligence agencies is warning that Russia-aligned non-state threat actors will continue their attempts to compromise the country's oil and gas sector until the war in Ukraine ends.
The warning is contained in the Communications Security Establishment's latest threat assessment, made public Wednesday.
"We assess that the intent of this activity is very likely to disrupt critical services for psychological impact, ultimately to weaken Canadian support for Ukraine. We assess that this activity will almost certainly continue for the duration of the war, and will likely increase as Russia's invasion efforts falter, or new support for Ukraine is announced," said the report.
The foreign signals and cyber intelligence agency said that while Russia-aligned non-state actors might be less sophisticated and technically capable than their Kremlin-sponsored counterparts, they still can do damage.
"We assess there is an even chance of a disruptive incident in the oil and gas sector in Canada caused by Russia-aligned actors, due to their higher tolerance for risk, the increase in their numbers and activity, as well as the number of vulnerable targets in the sector overall," said the CSE report.
The agency said those seeking to disrupt the supply of oil and gas in Canada are likely looking to target bottlenecks — such as networks of large-diameter pipelines, transfer terminals and major refining facilities.
The threat assessment comes a few months after a package of leaked U.S. intelligence documents suggested Russia-backed hackers successfully gained access to Canada's natural gas distribution network.
In April, the CSE's Canadian Centre for Cyber Security, the government's authority on cyber security, said it couldn't comment on the leak. It did say it had a confirmed report that an actor "had the potential to cause physical damage to Canadian critical infrastructure."
Wednesday's report, which is aimed at those in charge of oil and gas companies and those working in their cyber departments, warns that multiple actors — from cybercriminals to foreign adversaries — pose a threat to the sector.
Ransomware is the main threat: report
"We assess that particularly business email compromise and ransomware is almost certainly the main cyber threat facing the Canadian oil and gas sector. Ransomware is almost certainly the primary cyber threat to the reliable supply of oil and gas to Canadians," said the report.
In 2021, a ransomware attack on Colonial Pipeline, an 8,880-kilometre-long fuel pipeline running up the Eastern Seaboard, took tens of millions of litres of gasoline offline.
"It was estimated that, at the time that the pipeline was restarted, the Eastern U.S. was only a few days away from experiencing food and other shortages from the disruption of fuel to other sectors such as truck transportation," said CSE's report.
"It is difficult to overstate the importance of the oil and gas sector to national security because much of our critical infrastructure depends on oil and gas products to operate."
CSE said state-sponsored actors, meanwhile, will likely continue to target the sector for commercial and economic reasons — hunting for trade secrets, research, and business and production plans.
"We assess that since the oil and gas sector is critical infrastructure, it is very likely a strategic target for state-sponsored cyber activity to project state power, especially in times of geopolitical tension," said the report.
CSE says Russia unlikely to attack infrastructure
CSE said state-sponsored actors will "very likely" go after operational technology (OT) networks that control the industry's assets. The agency has long warned that the industry's move to connect operational hardware with information technology could make such systems more vulnerable.
"State-sponsored actors are almost certainly striving to improve their capability to sabotage the OT in critical infrastructure," reads the report.
But even if state actors like Russia are in a position to attack Canada's energy supplies, that doesn't mean they plan to, CSE said.
While Russian state-sponsored cyber actors are almost certainly conducting reconnaissance activity against Canadian operators, "it is very unlikely that a state-sponsored cyber actor would intentionally disrupt or damage the oil and gas infrastructure in Canada outside of hostilities," said the report.
"We assess that it is very unlikely that Russian state-sponsored actors would choose to conduct a destructive attack against Canadian or allied-state oil and gas infrastructure outside of perceived imminent armed conflict between Canada and Russia."
The report ends with a plea for the oil and gas sector to bolster its security.
"State-sponsored cyber activity against the oil and gas sector has become a regular feature of global cyber threat activity, especially in times of rising geopolitical tensions," said the report.
"Politically motivated state-sponsored cyber threat actors, including Russia, China and Iran, have targeted the global energy sector for both espionage and disruption/destruction."