Nearly eight months after hackers launched a ransomware attack on the NWT Power Corporation, documents show officials still don’t know how it happened.
Following the attack on April 30, the corporation – known as NTPC – hired cybersecurity company Hitachi Systems Security to investigate. A May 12 report from the company, which Cabin Radio obtained through an access to information request, states investigators couldn’t figure out how hackers got into the corporation’s system.
“Unfortunately, the attacker was careful to cover their tracks and delete evidence that would allow a forensics response team to determine the exact means of gaining access to the network,” the report states.
According to the document, an unknown attacker accessed NTPC’s network at around 1:36am on April 30 and deployed malicious software dubbed NetWalker on many computers connected to the system.
To launch NetWalker attacks on other organizations, hackers have often used phishing schemes where unsuspecting victims launch the malware by opening legitimate-looking emails or downloading attachments.
In the attack on NTPC, however, investigators said that wasn’t the case.
“The absence of the usual evidence of a successful phishing attack indicated that the attacker has gained unauthorized access to the network by directly compromising one of the computer systems/applications operating on the network,” Hitachi reported.
The cybersecurity company concluded the attackers did not access or take any sensitive information from NTPC.
Instead, Hitachi said, the hackers’ goal seemed to be only to encrypt or lock computer files in order to demand a ransom.
‘Glaring problem’ with investigation, expert says
Though Hitachi concluded no data was taken, other experts say it’s hard to be certain.
Brett Callow, a threat analyst for cybersecurity firm Emsisoft, said the group behind NetWalker routinely takes data before deploying the ransomware that encrypts it. In other words, he said, “they steal a copy of the data before scrambling it at the target’s end.”
“Absence of evidence is not evidence of absence,” he told Cabin Radio. “The fact that an organization was unable to find evidence that data was stolen doesn’t necessarily mean it wasn’t. It only means that evidence couldn’t be found.”
Ed Dubrovsky, managing director of cyber breach response at Cytelligence, said his company has handled around 50 NetWalker cases and a “significant number” involved hackers stealing data.
Dubrovsky added there’s a “glaring problem” with the investigation process outlined in the redacted copy of Hitachi’s report provided to Cabin Radio: it contains no mention of a forensic component. Without forensics, Dubrovsky said, investigators can’t conclusively state data was not taken.
Doug Prendergast, a spokesperson for NTPC, told Cabin Radio a forensics investigation was completed as part of Hitachi’s work.
“The best information we have from our cybersecurity experts and various investigations indicates that the attackers did not exfiltrate data,” Prendergast said by email.
Dubrovsky said he has checked the NetWalker blog where cybercriminals post information stolen from victims who have not paid a ransom. There is no mention of NTPC, he said, suggesting that could mean the hackers didn’t take any data, or it could mean NTPC paid the ransom.
Prendergast said the corporation did not pay a ransom. He would not disclose the amount the attackers had requested.
Callow said there could be a third possibility, that hackers stole the data but rather than posting it online, sold it to another buyer.
The Canadian Centre for Cyber Security and an RCMP cybercrime unit are also investigating the attack on NTPC.
The Canadian Centre for Cyber Security told Cabin Radio it does not ordinarily comment on specific cybersecurity incidents but confirmed it had been in contact with NTPC about the attack.
RCMP had not responded to Cabin Radio’s request for comment by the time of publication.
Prendergast said while investigators could not pinpoint exactly how NTPC’s network was infiltrated, the power corporation believes steps it has since taken “provide a strong defence against similar attacks.”
He said it would be “irresponsible” to detail all of the upgrades the corporation has made to its information technology systems.
Prendergast said all workstations had received a fresh install of the latest Windows 10 operating system. Multi-factor authentication is now required for remote access, while Dell examined the power corporation’s systems for remaining malware before they were returned to service.
NTPC has also hired Dell for 24-hour system monitoring.
Moving to paper
Cabin Radio’s access to information request focused on emails and other documents that illustrate how the power corporation responded to the ransomware attack at the time.
In a letter to the NWT’s privacy commissioner, NTPC chief services officer Paul Grant states “significant damage had occurred” at the power corporation before the ransomware attack was detected.
Many of the corporation’s critical programs were taken down in the attack. Officials shut down other systems to stop the malware spreading.
While Hitachi concluded NTPC had responded “very effectively” by taking essential systems offline, doing so meant NTPC’s website didn’t work, corporate email accounts failed, and the company couldn’t pay employees or bill customers as usual.
“The impact on the corporation’s ability to do business is substantial,” states a May 2 email from NTPC president and chief executive Noel Voykin to the corporation’s board of directors. Voykin added productivity was “very low.”
One of the biggest impacts of the attack was to the Inuvik plant. As NTPC lost camera footage access, the plant switched to manual control that requires 24-hour monitoring. Ordinary operation was restored on May 29.
Internal documents show NTPC worked quickly to find a way to pay employees after the attack and moved to a paper-based system to pay vendors. Staff used instant messaging and Skype calls to communicate until temporary email addresses were set up on May 7 – though days later, many of those email addresses still weren’t working properly.
At the time, NTPC was grappling with a litany of other issues. The power corporation was adapting to Covid-19 pandemic restrictions, trying to fix a leak at the Snare Falls hydro plant, preparing for flooding in Hay River, and dealing with a power outage in Yellowknife.
“The challenges keep on coming for us,” Voykin said in notes he prepared for a Skype call with staff on May 5.
“We are definitely living in interesting times.”
As the days stretched on, the patience of the more than 200 employees at NTPC appears to have worn thin.
“Lots of people have expressed concern that you can’t do basic things like issue your timesheet and many of the other normal things that we all just take for granted,” Voykin said in notes for another Skype call with employees on May 6.
Nine days later, in a report to the board of directors, Voykin said staff were getting “restless.”
“I am noting frustration particularly in the higher-performing team members. The ransomware attack is also creating stress in our senior and middle management employees,” he wrote.
NTPC’s customers faced challenges of their own in the wake of the attack.
Because the attack delayed their ability to pay bills, customers received bills for May and June in quick succession.
“This situation is obviously far from ideal but it is just one example of the types of challenges we will all face as systems are restored,” Voykin told board members, adding they would work out payment plans to ensure customers didn’t face financial hardships.
Six weeks after the attack, in mid-July, NTPC restored its website and online bill payment portal.
While Hitachi’s report notes a lot of time and money is often needed to eradicate ransomware and restore systems, it’s unclear how much the attack cost NTPC.
An email from Voykin states the final cost “could be significant.”
Circus Spider and Bugatti
NetWalker was created by a Russian-speaking cybercrime group known as Circus Spider.
As ransomware, it functions by blocking access to a system or files. The attacker then demands a ransom before the victim can regain access. If that’s not paid, attackers often publish sensitive information or sell it on the dark web.
According to security software company McAfee, NetWalker was first detected in August 2019. It has since evolved into what is known as ransomware-as-a-service – the malware’s creators sell or lease it to a range of hackers.
In March 2020, someone using the alias “Bugatti” began actively advertising NetWalker on two popular underground forums. McAfee believes Bugatti is “likely a well-respected and experienced cybercriminal” given how well-received NetWalker has been among hackers.
NetWalker’s operators have partnered with experienced cybercriminals focused on compromising entire networks of organizations rather than individuals.
Referencing an article sent to him by a Hydro Quebec employee, NTPC’s Voykin said in an email to board members he believed the corporation was dealing with an “extremely sophisticated organization.”
Voykin added he was surprised no data was taken from the corporation but the article appeared to affirm NTPC’s recovery approach of “taking things slow.”
There has been an uptick in NetWalker attacks since March 2020, largely against healthcare and education institutions. McAfee estimates cybercriminals using NetWalkter have extorted at least 2,795 bitcoin – or US$25 million – between March 1 and July 27.
The Canadian Centre for Cyber Security’s national threat assessment for 2020 calls ransomware the country’s most common type of cybercrime. It expects ransomware attacks against big companies and critical infrastructure providers to continue.
The centre said it monitors new forms of ransomware and regularly shares information and advice with the energy sector to help mitigate risks.
There is no way to fully prevent ransomware, the centre said, but there are ways to minimize risk like storing frequent back-ups offline and minimizing access to data.