Earlier this year, Canada's National Security Intelligence Review Agency (NSIRA) announced it experienced a 'cyber incident'. @NSIRACanada is responsible for, amongst other things, reviewing the operations which have been undertaken by Canada's intelligence community. #cndnatsec
At the time there was very little public information, which led me to raise a series of questions about what unclassified or Protected (as opposed to Secret, Top Secret, or Top Secret SI) information might have been accessed by a third party. See: christopher-parsons.com/questions-surr…
NSIRA has, subsequently, provided further details on their incident at: nsira-ossnr.gc.ca/nsiras-update-…

In its statement, the agency sets out that only two files were seemingly acquired by the third party.
1. "a file containing system and software configuration settings for one of NSIRA’s servers;"
2. "NSIRA’s active directory database" that "generally consisted of an individual’s first and last name, their office and/or personal phone numbers, and their NSIRA email addresses, as well as a hash of current and previously used passwords"
The specific threat actor is not explicitly called out in the body of the update, though at the very end of the document NSIRA reveals that the exploited Microsoft Exchange vulnerability was linked to a known Chinese cyber campaign (see: canada.ca/en/global-affa…)
There has been very limited reporting on NSIRA's update about the incident (see, most recently: nationalpost.com/news/canada/rc…) and to date little or no mention that Chinese operators are alleged to have obtained the aforementioned files.
So...why does this matter?

At the most basic level, it means that Chinese operators have personal information of the employees of NSIRA. For some employees, these are people with *extremely* privileged access to intelligence community systems, access they need to conduct review.
For those who had their non-business information obtained (e.g., personal phone numbers), any two-factor SMS systems they relied on are at risk. Operators could move from one set of compromised accounts (e.g., personal email, online banking, etc.) to others.
Operators targeting reviewers, in this way, might develop information to either engage in spearphishing, obtain material that could be used to compromise them, or to simply develop an understanding of what interests those employees personally & professionally.
More broadly, it means employees are potentially at heightened risk for physical and digital surveillance and targeting, both domestically and internationally when they travel.
In short, a nation-state operator, likely China, knows who Canada's reviewers are & can begin determining who has what roles in the agency. For any recent hires (remember, NSIRA is growing now) their CVs and likely position types may also be used to enrich foreign intelligence.
People who work in Canada's intelligence community (including those @nsiracanada) are always at heightened risk.

However, I believe this is the first time that the Agency has indicated that a known, major, nation-state actor has the personal information of all its employees.
