China is increasingly targeting Canadian citizens and organizations through the scale and scope of its cyber operations, warned the Canadian Centre for Cyber Security (Cyber Centre) in a cyber threat bulletin issued Monday.
The Cyber Centre said China’s cyber operations surpass other nation-state cyber threats in terms of volume, sophistication, and breadth of targeting. China’s cyber threat actors have targeted a wide range of sectors in Canada, including all levels of government, critical infrastructure, and the Canadian research and development sector.
“The threat from China [to Canadian organizations] is very likely the most significant by volume, capability, and assessed intent. China-sponsored cyber threat actors will very likely continue targeting industries and technologies in Canada that contribute to the state’s strategic priorities.”
China Increasingly Targeting Canadians through Cyberespionage
Chinese cyber threat actors often operate under the direction of PRC intelligence services, targeting information that aligns with the PRC’s national policy objectives. This includes economic and diplomatic intelligence relevant to the PRC-Canada bilateral relationship and technologies prioritized in the PRC’s central planning, the bulletin said.
Government of Canada networks have been compromised multiple times by Chinese actors, the Cyber Centre said. Although all known compromises have been addressed, Chinese cyber threat actors still frequently conduct reconnaissance against federal networks, and the Cyber Centre said other government organizations should be aware of the espionage risk.
Last month, British Columbia, the westernmost province in Canada, reported facing multiple “sophisticated cybersecurity incidents” on government networks. Public Safety Minister and Solicitor General Mike Farnworth later told reporters that an unnamed state actor made three attempts to breach B.C. government networks.
Chinese threat actors also target large datasets containing personal information for bulk data analysis and profiling, the Cyber Centre warned. Online services often collect personal information from their users to function. When personal information is exposed through data breaches or willingly released by the user, it can be used by cyber threat actors to facilitate identity theft or targeted fraud against the user.
Cyber threat actors can collect financial details, social information, information on habits, health and home security, and location and travel data.
The targets include:
- Government entities at all levels, including federal, provincial, territorial, municipal, and Indigenous.
- Organizations or individuals in close partnership with government entities.
- Universities, labs, and technology companies involved in research and development of PRC-prioritized technologies.
- Individuals or organizations perceived as threats by the PRC, especially those advocating for Taiwan and Hong Kong independence and Chinese democracy.
Elections, Critical Infrastructure Targeted
Canada has also recently revealed unsuccessful Chinese attempts to interfere in past elections. Beijing has rejected these allegations, but the Canadian Security Intelligence Service (CSIS) recently published an annual report warning of ongoing Chinese interference in Canadian political affairs that puts democratic integrity at risk.
“Canada’s strong democratic institutions, advanced economy, innovative research sectors, and leading academic institutions make Canada an attractive target for cyber-enabled espionage, sabotage, and foreign influenced activities, all of which pose significant threats to Canada’s national security,” the report said.
The report identified China as a state-based threat conducting widespread cyber espionage across various sectors, including government, academia, private industry, and civil society organizations.
The Cyber Centre also shares concerns with the U.S. about PRC cyber threat groups pre-positioning network access for potential attacks on North American critical infrastructure in case of conflict in the Indo-Pacific.
“The Cyber Centre assesses that the direct threat to Canada’s critical infrastructure from PRC state-sponsored actors is likely lower than that to U.S. infrastructure, but should U.S. infrastructure be disrupted, Canada would likely be affected as well due to interoperability and interdependence in the sectors of greatest concern.”
Sectors of greatest concern include energy, telecommunications, and transportation.
However, the attacks on the provincial government networks were preceded by attacks on the country’s healthcare sector, which is also a cause for concern. The first attack in this sector hit the retail and pharmacy chain London Drugs; it was followed by a cyberattack on the First Nations Health Authority (FNHA) that compromised employee information and limited personal data.
Threat Tactics Detailed
PRC cyber threat actors are known for several sophisticated techniques, the report said:
- Co-opting compromised small office and home office (SOHO) routers to conduct activity and avoid detection.
- Using built-in network administration tools for malicious activity, blending into normal system traffic.
- Compromising trusted service providers to access client information or networks.
- Rapidly weaponizing and proliferating exploits for newly revealed vulnerabilities, posing a continuous risk.
Mitigating the Chinese Threat
The Cyber Centre advises the Canadian cybersecurity community, especially provincial, territorial, and municipal governments, to enhance their awareness and protection against PRC cyber threats. Recommended measures include:
- Isolate Critical Infrastructure: Isolate critical components and services from the Internet and internal networks and test manual controls for operational continuity.
- Increase Vigilance: Monitor networks for tactics, techniques, and procedures (TTPs) reported by the Cyber Centre and partners. Focus on identifying and assessing unusual network behavior.
- Restrict Movement: Pay attention to vulnerable entry points, such as third-party systems. Disable remote access from third-party systems during incidents.
- Enhance Security Posture: Patch systems, prioritizing vulnerabilities identified by the U.S. Cybersecurity and Infrastructure Security Agency. Enable logging, deploy network and endpoint monitoring, and implement multi-factor authentication. Create and test offline backups.
- Incident Response Plan: Have a cyber incident response plan and continuity of operations and communications plans ready and tested.
By adopting these measures, organizations can better defend against and mitigate PRC cyber threats, the report said.