British Columbia in Canada has faced multiple "sophisticated cybersecurity incidents" on government networks, province premier said this week. Premier David Eby emphasized that there is presently no evidence of compromised sensitive information and that investigations are ongoing, with further efforts required to ascertain potential data access, as per his Wednesday statement. While the attack's specific nature remains unclear, labeling it as "sophisticated" and its involvement with government networks suggests fans theories of espionage from a state-sponsored actor seeking political intelligence. “I know the public will have many questions about these incidents, and we will be as transparent as we can without compromising the investigation. As this complex work proceeds, government will provide British Columbians with updates and information as we are able.” Eby said. The provincial government's investigation involves the Canadian Centre for Cyber Security and other agencies, with the Office of the Information and Privacy Commissioner duly informed. Neither of the agencies immediately responded to The Cyber Express’ request for a comment.

Opposition’s Spar in the House

B.C.'s political adversaries engaged in heated debate during the question period on Thursday morning, a day after the province disclosed the multiple cybersecurity incidents within its networks. British Columbia United MLA Todd Stone criticized the government, alleging it "concealed a massive cyberattack on the provincial government for eight days." Stone’s accusations came on the backdrop of a memo from The Office of the Chief Information Officer that directed all provincial employees to immediately change passwords. British Columbians are rightly concerned about their sensitive information, questioning whether it has been compromised by a foreign, state-sponsored cyberattack. So, I ask the premier today: Will he reveal who was responsible for this attack?" Stone demanded. Stone pointed out the timing of Eby's Wednesday statement, suggesting it was issued discreetly "while everyone was preoccupied with last night’s Canucks game." [caption id="attachment_67963" align="aligncenter" width="256"] BC United MLA Todd Stone arguing in the House during the QP on Thursday morning. (Credit: Legislative Assembly of B.C.)[/caption]

“How much sensitive personal information was compromised, and why did the premier wait eight days to issue a discreet statement during a Canucks game to disclose this very serious breach to British Columbians?” the Opposition MLA asked.

In response to BC United's criticisms, Public Safety Minister Mike Farnworth accused Stone of "playing politics." “We take our advice from the Canadian Cyber Security Service, who deal with these kinds of things on an ongoing basis. That’s who we will take the advice from in terms of protecting public information, every single time. We will never take advise from the opposition — all they ever want to do is play politics,” Farnworth retorted amid uproar in the House. [caption id="attachment_67981" align="aligncenter" width="271"] Public Safety Minister Mike Farnworth addressing opposition queries. (Credit: Legislative Assembly of B.C.)[/caption]

“When an incident like this happens, the first thing that happens is the protection of the system, honourable speaker. The protection of the information that’s done by technical experts, honourable speaker, who work on the advice of the Canadian Cyber Security System,” Farnworth explained.

“And, honourable speaker, the reason they do that is because if you go out and give information before that’s done, you actually end up compromising people’s information, potentially.”

Multiple Cybersecurity Incidents Rock B.C. in Last Few Weeks

The latest revelation of cyberattacks on government networks comes on the heels of a string of cyberattacks that the westernmost province in Canada is facing. B.C. headquartered retail and pharmacy chain London Drugs announced April 28, closure of its stores across Western Canada after falling victim to a cybersecurity incident. The impact was such that they were forced to even take their phones offline and pharmacies could only satisfy “urgent” needs of patients on-site. Addressing reporters later Thursday afternoon, Farnworth clarified that there was no evidence linking the multiple cybersecurity incidents targeting the province networks to the event that led to the closure of London Drugs locations in the west for several days. "At present, we lack any information suggesting a connection. Once an incident is detected, technical security teams work swiftly to secure the system and ensure its integrity, while closely coordinating with the Canadian Cyber Security Service to address the situation," he explained. "While a comprehensive investigation involving multiple agencies is ongoing, we currently have no indication of any link to the London Drugs incident." The same day as the London Drugs cyberattack came to light, another western province entity BC Libraries reported a cybersecurity incident where a hacker attempted to extort payment for data exfiltrated from its newly commissioned server and threatening to release that data publicly if no payment was received.

China’s Involved?

This development follows an official inquiry in Canada, revealing unsuccessful Chinese attempts to interfere in past elections. Beijing has refuted these allegations. The Canadian Security Intelligence Service (CSIS) recently published an annual report, warning of ongoing Chinese interference in Canadian political affairs, risking democratic integrity.

“Canada’s strong democratic institutions, advanced economy, innovative research sectors, and leading academic institutions make Canada an attractive target for cyber-enabled espionage, sabotage, and foreign influenced activities, all of which pose significant threats to Canada’s national security,” the report said.

The report identified China as a state-based threat conducting widespread cyber espionage across various sectors, including government, academia, private industry, and civil society organizations.

With more than 2 billion voters ready to cast a vote this year across 60 plus nations -including the U.S., U.K. and India - Russian state hackers are posing the biggest cyber threat to election security, researchers said. Google-owned Mandiant in a detailed report stated with “high confidence” that Russian state-sponsored cyber threat activity poses the greatest risk to elections in regions with Russian interest.

“Multiple Russian groups have targeted past elections in the U.S., France, and Ukraine, and these groups have continued to demonstrate the capability and intent to target elections both directly and indirectly,” Mandiant said.

Why Russia is the Biggest Cyber Threat to Election Security

Russia's approach to election interference is multifaceted, blending cyber intrusion activities with information operations aimed at influencing public perceptions and sowing discord. State-sponsored cyber threat actors, such as APT44, better known as the cyber sabotage unit Sandworm, and APT28 have a history of targeting elections in the U.S., and Europe. These actors employ hybrid operations, combining cyber espionage with hack-and-leak tactics to achieve their objectives. The 2016 U.S. presidential election is a prime example of Russia's cyber interference capabilities, as per Mandiant. APT28, linked to Russia intelligence unit - the GRU, compromised Democratic Party organizations and orchestrated a leak campaign to influence the election's outcome. Similarly, in Ukraine, APT44 conducted disruptive cyber operations during the 2014 presidential election, aiming to undermine trust in the electoral process. Jamie Collier, Mandiant senior threat intelligence advisor said, “One group to watch out for is UNC5101 that has conducted notable hybrid operations in the past.” Mandiant reports UNC5101 engaging in cyber espionage against political targets across Europe, Palestinian Territories, and the U.S. The actor has also used spoofed Ukrainian government domains to spread false narratives directly to government employees' inboxes. Before Russia's 2023 and 2024 elections, UNC5101 registered domains related to opposition figures like Alexei Navalny and conducted likely information operations to deceive voters. Russian state-aligned cyber threat actors target election-related infrastructure for various reasons including applying pressure on foreign governments, amplifying issues aligned with Russia's national interests, and retaliating against perceived adversaries. Groups like APT28 and UNC4057 conduct cyber espionage and information operations to achieve these objectives, Mandiant said.

Beijing’s Interest in Information Operations

Collier noted that state threats to elections are far more than just a Russia problem.

“For instance, we have seen pro-China information operations campaigns carry out election-related activity in the US, Taiwan, and Hong Kong,” Collier said.

China's approach to election cybersecurity focuses on intelligence collection and influence operations that promote narratives favorable to the Chinese Communist Party (CCP). State-sponsored actors like TEMP.Hex have targeted elections in Taiwan, using cyberespionage to gather critical information and using information operations to shape public discourse, Mandiant’s analysis found. In the lead-up to Taiwan's 2024 presidential election, Chinese threat actors intensified cyber espionage activities, targeting government, technology, and media organizations. Concurrently, pro-PRC information operations sought to discredit candidates perceived as unfriendly to China, using fabricated leaks and disinformation campaigns to sway public opinion, which even the Taiwanese government confirmed.

Watch-Out for Iran’s Espionage and Influence Campaigns

Iranian state hackers are another group of threat actors to keep an eye on for their cyber espionage and influence campaigns, Mandiant noted.

“[Irans’s] campaigns will rise as elections approach in key nations of interest to the Islamic Republic, such as counterparts in the currently stalled nuclear negotiations, and countries offering support to Israel during current fighting in Gaza,” Mandiant said.

During the 2020 U.S. presidential election, Iran attempted to compromise state voter registration websites and disseminate false information. The U.S. Department of Justice charged two Iranian nationals in 2021 for their involvement in this campaign. Pro-Iranian influence campaigns, including Liberty Front Press and Roaming Mayfly, target global audiences with anti-U.S. and anti-Israeli propaganda, amplifying partisan divisions and fostering distrust in democracies, Mandiant said.

Diverse Targets Multiple Vectors

Securing elections requires protecting not only voting machines and voter registries but also a wide range of entities involved in the electoral process. Political parties, news media, and social media platforms are frequent targets of cyber operations, which also comes under the attack surface of elections. [caption id="attachment_65433" align="aligncenter" width="551"] Credit: Mandiant[/caption] Cyber threat actors are increasingly employing hybrid operations, combining multiple tactics to amplify their impact. Examples from past elections, such as the Ukrainian presidential election in 2014, illustrate how they are using a combination of cyber intrusions, data leaks, and DDoS attacks to disrupt electoral processes. Owing to this Mandiant detailed likely threat vectors that could be used in the upcoming election season: [caption id="attachment_65432" align="aligncenter" width="819"] Credit: Mandiant[/caption] The threats posed by Russian, Chinese, and Iranian state actors to election cybersecurity are complex and multifaceted. By understanding the tactics and objectives of these actors, election organizations can develop effective mitigation strategies to safeguard democratic processes. However, addressing these threats requires a concerted effort involving international cooperation and a commitment to upholding the integrity of democratic elections worldwide. In-line with this, the U.S. agencies recently released guidance to defending the integrity of democratic processes. The guidance extensively details common tactics seen in foreign malign influence operations, offering real-world instances and suggesting possible countermeasures for stakeholders in election infrastructure. Though many of these tactics aren't new, the widespread use of generative artificial intelligence (AI) has notably amplified adversaries' ability to produce and spread persuasive malicious content, the guidance said. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Amidst the complexities of the Israel-Iran conflict, the Middle East is witnessing another form of strife: cyber warfare. Jordan finds itself at the forefront of this battle, facing a barrage of alleged cyberattacks orchestrated by various hacktivist groups. The BlackMaskers Team has emerged as a prominent threat, claiming cyberattacks on Jordan, targeting crucial Jordanian entities, ranging from the stock exchange to private sector enterprises. The ongoing cyberattacks are exemplified by recent incidents of Jordan supporting Israel against Iran in the ongoing war. The BlackMaskers Team proclaimed their actions, declaring Jordan as their prime target. [caption id="attachment_63513" align="alignnone" width="1280"] Source: X[/caption] Their assaults on Jordanian websites and subsequent data breaches have sparked concern, amplifying the vulnerability of national infrastructure and private companies alike.

Cyberattacks on Jordan Amidst Public Outrage

[caption id="attachment_63508" align="alignnone" width="780"] Source: X[/caption] Jordanian authorities are dealing with reports of cyberattacks while also facing public criticism for their decision to support Israel against Iran. The organizations suspected to be affected include the Jordan Stock Exchange and the Jordanian Water Company Yarmook. [caption id="attachment_63510" align="alignnone" width="776"] Source: X[/caption] The gravity of the Jordan cyberattacks was highlighted when the hacker group threatened to leak sensitive information pertaining to more Jordanian companies. This warning, coupled with the release of sample documents, further exacerbated the situation in the country. Amidst the chaos, the cyber assailants remain elusive, evading detection as they exploit vulnerabilities in Jordanian organizations.  The leaked sample data allegedly comprises sensitive documents and information, including financial auditing reports for companies like Jordan Steel, insights into Jordan's alleged assistance to Israel against Iranian threats, and documents from other Jordanian entities.  The Cyber Express has reached out to the listed victims to learn more about these cyberattacks on Jordan. However, at the time of writing this, no official statement or response has been received, leaving the claims made by the threat actor to stand unverified right now. 

Jordanians Display Insurgency Against the Government 

The ramifications extend beyond Jordan's borders, intersecting with the broader geopolitical setup of the region. Reports of Jordan's assistance to Israel in countering Iranian threats have triggered uproar and dissent within the country wherein the local public feels betrayed by their government.  The fallout from these events reverberates across social media platforms, fueling speculation and resentment. Accusations of betrayal and collusion with Israel overburden online discourse, painting a portrait of disillusionment and discontent among Jordanians.  Jordan reportedly is experiencing public outrage for supporting Israel against an Iranian attack. Misinformation regarding the king's role is being circulated online. Many Jordanians feel betrayed by their government's stance, resulting in significant anger and protests against the alliance with Israel. Amidst the chaos, Jordan's vulnerabilities are laid bare once again, wherein an unfamiliar hacker group is claiming cyberattacks on multiple organizations at once. This intrusion, not confirmed though, highlights the current situation in the Middle East where hackers, governments, and the local public are taking sides while war is disrupting the livelihood of common citizens.  This is an ongoing story and The Cyber Express will be monitoring the situation. We’ll update this post once we have more information on the alleged cyberattacks on Jordan or any official confirmation from the listed organizations.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.