Earlier this year, Canada's National Security Intelligence Review Agency (NSIRA) announced it experienced a 'cyber incident. @NSIRACanada is responsible for, amongst other things, reviewing the operations which have been undertaken by Canada's intelligence community. #cndnatsec
At the time there was very little public information, which led me to raise a serious of questions of what unclassified or Protected (as opposed to Secret, Top Secret, or Top Secret SI) information might have been accessed by a third party. See: christopher-parsons.com/questions-surr…
NSIRA has, subsequently, provided further details on their incident at: nsira-ossnr.gc.ca/nsiras-update-…
In its statement, the agency sets out that only two files were seemingly acquired by the third party.
In its statement, the agency sets out that only two files were seemingly acquired by the third party.
1. "a file containing system and software configuration settings for one of NSIRA’s servers;"
2. "NSIRA’s active directory database" that "generally consisted of an individual’s first and last name, their office and/or personal phone numbers, and their NSIRA email addresses, as well as a hash of current and previously used passwords"
The specific threat actor is not explicitly called out in the body of the update, though at the very end of the document NSIRA reveals that the exploited Microsoft Exchange vulnerability was linked to a known Chinese cyber campaign (see: canada.ca/en/global-affa…) 
There has been very limited reporting on NSIRA's update about the incident (see, most recently:nationalpost.com/news/canada/rc…) and to date little or no mention that Chinese operators are alleged to have obtained the aforementioned files.
So...why does this matter?
At the most basic level, it means that Chinese operators have personal information of the employees of NSIRA. For some employees, these are people with *extremely* privileged access to intelligence community systems, access they need to conduct review.
At the most basic level, it means that Chinese operators have personal information of the employees of NSIRA. For some employees, these are people with *extremely* privileged access to intelligence community systems, access they need to conduct review.
For those who had their non-business information obtained (e.g., personal phone numbers) then any two factor SMS systems they relied on are at risk. Operators could move from one set of compromised accounts (e.g., personal email, online banking, etc) to others.
Operators targeting reviewers, in this way, might develop information to either engage in spearphishing, obtain material that could be used to compromise them, or to simply develop an understanding of what interests those employees personally & professionally.
More broadly, it means employees are potentially at heightened risk for physical and digital surveillance and targeting, both domestically and internationally when they travel.
In short, a nation-state operator, likely China, knows who are Canada's reviewers & can begin determining who has what roles in the agency. For any recent hires (remember, NSIRA is growing now) their CVs and likely position types may also be used to enrich foreign intelligence.
People who work in Canada's intelligence community (including those @nsiracanada) are always at heightened risk.
However, I believe this is the first time that the Agency has indicated that a known, major, nation-state actor has the personal information of all its employees.
However, I believe this is the first time that the Agency has indicated that a known, major, nation-state actor has the personal information of all its employees.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
