Cybersecurity, Governments and Passwords
Governments, local and federal, provide certain services to the people they represent. These may consist of snow removal, unemployment insurance, defense, assistance during disasters, and other services. Canada is no different, providing a vast number of services to its citizens. All of these services require data for processing and record-keeping. This data, and the computer systems that process and store it, are certainly viable targets for attackers.
To access these services, Canadian citizens need to log in to the service portal. This was set up much like any other login screen, where the user enters their username and password into the website. Normally, this runs very smoothly as the user puts their credentials in. The problems start when the user has the same password across many domains. There have been so many breaches that most people’s passwords are for sale and have probably been sold many times. These passwords provide the basis for the credential stuffing attack. The attackers try each person’s known passwords across many domains in the hope the user has used the same password several times. This makes the attacker’s job much easier, since they already have sample passwords to begin their work with.
This is what happened in this case. The attackers took passwords previously used on other domains and checked whether the users had the same password across many different services. The attack was detected on August 7th. While this occurred in Canada, this form of attack could occur anywhere. The successful attack is indicative of a systemic issue with user passwords. Using the same password is an incredibly bad idea for several reasons, and this attack is a clear and shining example of why.
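The pattern described above (many accounts tried, one or two attempts each, mostly failing) can be picked out of login records. The following is an added example, not code from the original article or from any Government of Canada system; the log format, thresholds, usernames and addresses are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample log (not real data): timestamp, source IP, username, result
SAMPLE_LOG = """\
2020-08-07T10:00:01Z 203.0.113.7 user01 FAIL
2020-08-07T10:00:02Z 203.0.113.7 user02 FAIL
2020-08-07T10:00:03Z 203.0.113.7 user03 OK
2020-08-07T10:00:04Z 203.0.113.7 user04 FAIL
2020-08-07T10:00:05Z 203.0.113.7 user05 FAIL
2020-08-07T10:00:06Z 203.0.113.7 user06 FAIL
2020-08-07T10:01:10Z 198.51.100.20 alice FAIL
2020-08-07T10:01:25Z 198.51.100.20 alice OK
2020-08-07T10:02:00Z 192.0.2.50 bob FAIL
2020-08-07T10:02:01Z 192.0.2.50 bob FAIL
2020-08-07T10:02:02Z 192.0.2.50 bob FAIL
2020-08-07T10:02:03Z 192.0.2.50 bob FAIL
"""

def parse(log):
    """Yield (source_ip, username, succeeded) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2], parts[3] == "OK"

def flag_stuffing(log, min_accounts=5, max_tries_per_account=2, max_success_ratio=0.2):
    """Flag sources that try many accounts, a few times each, and mostly fail.
    Thresholds are assumptions to tune per service. Repeated guessing against
    one account (192.0.2.50 above) is a different pattern and is not flagged.
    """
    tries = defaultdict(Counter)   # ip -> username -> attempt count
    hits = defaultdict(set)        # ip -> usernames with a successful login
    for ip, user, ok in parse(log):
        tries[ip][user] += 1
        if ok:
            hits[ip].add(user)
    findings = {}
    for ip, per_user in tries.items():
        wide = len(per_user) >= min_accounts
        shallow = max(per_user.values()) <= max_tries_per_account
        mostly_fail = len(hits[ip]) / len(per_user) <= max_success_ratio
        if wide and shallow and mostly_fail:
            # Accounts that logged in from a flagged source need lock and reset
            findings[ip] = {"accounts_tried": len(per_user),
                            "accounts_to_lock": sorted(hits[ip])}
    return findings

if __name__ == "__main__":
    print(flag_stuffing(SAMPLE_LOG))
```

The single successful login from the flagged source is the account that matters most: it is the one where a reused password worked.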
The attack, per the Office of Chief Information Officer for Canada, affected 9,041 GC Key accounts and approximately 5,500 Canada Revenue Agency (CRA) accounts. The GC Key accounts were used in a fraudulent manner in an attempt to access government services. Once this was detected, the GC Key accounts were cancelled.
Fortunately, the attack was contained. Users should not re-use passwords, since re-use is the prerequisite for the attack. Each website or service should have its own password. If users have too many passwords to remember, a password manager can handle the issue. Users should also use MFA, which severely reduces the potential for this type of attack to occur. Post-attack, the affected users should monitor their online accounts. Once the attack was detected and the accounts were deleted, the citizens were contacted and informed how to receive a new GC Key. Granted, this was a hassle for the users; however, if the same password had not been used across multiple domains, this would not have been a problem. Access to the CRA accounts was also disabled. The Canadian agency is working with people to restore access to the CRA MyAccount.
From a law enforcement aspect, the Royal Canadian Mounted Police (RCMP) was contacted on August 11th. The office of the Privacy Commission was also contacted to alert it of a possible breach.
This issue provided many lessons for users, chiefly to use different passwords and not to use the same one for several domains.
Breen, K. (2020, August 15). Hackers targeted thousands of CRA, government service accounts in credential stuffing attacks. Retrieved from https://globalnews.ca/news/7278345/canada-hackers-credential-stuffing-attack/
Bronskill, J. (2020, August 18). CRA expects online services restored Wednesday following cyberbreaches. Retrieved from https://www.nationalobserver.com/2020/07/18/news/cra-expects-online-services-restored-wednesday-following-cyberbreaches
Coop, A. (2020, August 16). Thousands of government service and CRA accounts hit by credential stuffing attack. Retrieved from https://www.itworldcanada.com/article/thousands-of-government-service-and-cra-accounts-hit-by-credential-stuffing-attack/434578
Government of Canada. (2020, August 15). Statement on GC key credential service and recent credential stuffing attack. Retrieved from https://cybergc.ca/en/news/statement-gckey-credential-service-and-recent-credential-stuffing-attack
Government of Canada. (2020, August 15). Statement from the office of the chief information officer of the government Canada on recent credential stuffing attack. Retrieved from https://www.canada.ca/en/treasury-board-secretariat/news/2020/08/statement-from-the-office-of-the-chief-information-officer-of-the-government-canada-on-recent-credential-stuffing-attack.html
IT World Canada. (2020, August 16). Thousands of government service and CRA accounts hit by credential stuffing attack. Retrieved from https://o.canada.com/techology/tech-news/thousands-of-government-services-and-cra-accounts-hit-by-credential-stuffing-attack/wcm/
Jones, R.P. (2020, August 17). Cyberattacks targeting CRA, Canadians’ COVID-19 benefits have been brought under control: officials. Retrieved from https://www.cbc.ca/news/policies/cra-gckey-cyberatack
Kilpatrick, S. (2020, August 17). CRA resumes online service with new security features after cyberattacks. Retrieved from https://o.canada.com/personal-finance/cra-resumes-online-services-with-new-security-features-after-cyberattacks/
Kirk, J. (2019, December 31). How can credential stuffing be thwarted? Retrieved from https://covid19.inforisk.today.com/interviews/how-credential-stuffing-be-thwarted-i-4551
Muncaster, P. (2020, August 17). Canadian citizens lose #COVID19 funds after government account hijacking. Retrieved from https://www.infosecurity-magazine.com/news/canadian-citizens-credential/
Net News Ledger. (2020, August 17). Credential stuffing of government of Canada computers update. Retrieved from https://www.netnewsledger.com/2020/08/17/credential-stuffing-of-government-of-canada-computers-update/
Rautmare, C. (2020, August 17). Credential-stuffing attacks affect Canadian services. Retrieved from https://www.inforisktoday.com/credential-stuffing-attacks-affect-canadian-services-a-/4839
Rubins, A. (2020, August 19). Cyber-attacks target 1,000s of Canadian tax, benefits accounts. Retrieved from https://www.cybernewsgroup.co.uk/cyber-attacks-target-1000s-of-canadian-tax-benefits-accounts/
Security Info Watch. (2020, August 18). ‘Credential stuffing’ attacks wreak havoc on government accounts in Canada. Retrieved from https://www.securityinfowatch.com/cybersecurity/information-security/news/21150744/credential-stuffing-attacks-wreak-havoc-on-government-accounts-in-canada
TH Author. (2020, August 18). Canadian government issues statement on credential stuffing attacks. Retrieved from https://www.threatub.org/blog/canadian-government-issues-statement-on-credential-stuffing-attacks/
The Canadian Press. (2020, August 19). CRA resumes online services with new security features after cyberattack.