Photo illustration by the Globe and Mail/iStockPhoto / Getty Images
On a drab Wednesday in early February, malicious software from Russia quietly infiltrated the internal systems of Canada’s largest bookstore chain.
At the time, Indigo Books & Music Inc. IDG-T had recently promoted a new chief executive, and a major upgrade of the company’s decades-old website was just wrapping up. The retailer was implementing grand plans to expand its offerings, looking beyond books and launching into a wide array of markets around the world.
But that morning, a coterie of hackers made themselves known to Indigo for the first time. Soon, an emergency response team of staffers speedily shifted into overdrive, as they tried to contain the complex threat along with the help of third-party experts.
The cybercriminals, nevertheless, were well-resourced, Indigo spokesperson Melissa Perri recalls. By the time they asked for a ransom that day – Feb. 8 – the attackers had already deployed the notorious Russian malware dubbed LockBit to illegally access the company’s multilayered network.
Indigo reacted swiftly by shutting down its operations. Come evening, the company acknowledged publicly that it was experiencing a “cybersecurity incident,” not revealing much else out of caution. Officials would not find out until more than two weeks later that the invaders had also acquired reams of sensitive internal data.
In early February, malicious software from Russia quietly infiltrated the internal systems of Canada’s largest bookstore chain. But cybercriminals told executives at Indigo Books & Music Inc. they wanted more.Christopher Katsarov/The Globe and Mail
Over the next few months, the attack wreaked havoc on Indigo. It crashed e-commerce, affected customers’ ability to pay for or find merchandise in stores, and made shipment impossible.
Hackers threatened to leak personal and financial information about Indigo employees to the dark web, a corner of the internet known to be used for illicit purposes such as child pornography, organ-trade racketeering and identity theft. Many workers at the company say they’ve had sleepless nights since. Some think frequently about quitting; others already have.
To this day, the Federal Bureau of Investigation in the United States, the Royal Canadian Mounted Police and even Indigo officials still don’t know who exactly the hackers are. The full extent of the breach’s impact also remains uncertain. As of April, Indigo reported $5.2-million in expenses related to the incident, but the damage to the business was much broader, as sales sank and losses swelled.
This attack, however, is far from unique. Authorities have warned about the threat of such digital onslaughts for years.
But hacking is a bigger problem now than ever before.
Over the past year, many high-profile organizations in Canada have been hit, including the Hospital for Sick Children in Toronto, the Prime Minister’s Office, grocery giant Empire Co. Ltd. EMP-A-T, which operates Sobeys, Safeway, IGA and FreshCo locations from coast to coast, the Liquor Control Board of Ontario and others.
Just in July, it was revealed that Canada’s biggest gold company, Barrick Gold Corp. ABX-T, was struck by Russian cybercriminal group Clop. The attack also hit at least 375 other international organizations, including Vancouver’s transit police and a vendor of Sun Life Financial Inc. SLF-T, compromising confidential internal data.
According to cybersecurity consulting firm NCC Group, ransomware attacks more than tripled worldwide in June to 434 from 135 last year, driven by LockBit, Clop and newly emerged groups of other attackers.
Industry specialists measure the global cost of cybercrime in the trillions of dollars annually, including ransomware payments, damage and repair to information-technology systems, data theft, investigation costs and other factors.
Cyberattacks can grind entire businesses to a halt, drive customers away, destroy corporate infrastructure and result in costly payments to retrieve critical data. In many cases, systems are left vulnerable for years after an attack.
What’s worse, hackers seem to always be one step ahead of everyone else – large firms with mammoth computing budgets, government bodies, the brightest minds in cybersecurity and even the police.
Recently, hackers have also increasingly been tapping innovative artificial intelligence technology. That means these attacks are about to become a whole lot more sophisticated and calamitous.
Modern-day cybercriminals are not as though many would expect. They operate in small towns and big cities, and have leased or owned offices like any other business, according to more than three dozen interviews with cybersecurity consultants, law enforcement officials, legal experts and reformed hackers.
The hacking outfits have org charts and bosses, with distinct titles and roles. They work in regular shifts, usually 9 a.m. to 5 p.m. They get holidays during winter break and take summer vacations.
They hire customer service teams that use hotlines to take untraceable calls from their clientele of other hackers and the targets they have hacked. Accountants and financial experts are kept on staff to tally their earnings. Analysts are hired to help determine the most effective strategies to lure potential victims.
“That image of lonely hackers in hoodies typing on their laptops from dark rooms and basements only exists in movies and TV shows,” says Matt Hull, head of cyberthreat intelligence for the NCC Group, based in Britain.
Cybercrime is a well-oiled machine, functioning as a full-fledged industry. Over the years, it has become so profitable that it has been divided into thriving cabals, each with different business lines, Mr. Hull says.
One prominent revenue model is to use software as a service, whereby operator groups license their ransomware technology to affiliates that pay a flat rate or buy subscriptions. In turn, the affiliates often act independently by launching attacks through the software; though, at times, operators also share a slice of the ransom pie as a fee for their services.
This is the kind of cybercrime model that impacted Indigo. LockBit has ties to Russia and carries the same name as the criminal organization that created it, but its leadership is frequently independent of the clients who use its services.
First spotted as early as 1989, LockBit has now become the most common cyberthreat in the country, according to the Canadian Centre for Cyber Security. Last year, it was responsible for at least 22 per cent of all attributed ransomware attacks, the cyberintelligence agency noted. Indeed, LockBit was also behind the attack on Toronto’s SickKids hospital during the 2022 winter holidays.
“The whole thing is certainly murky,” Mr. Hull says. “The ransomware acts as a fantastic disguise because pretty much anybody can purchase it.” But this is just one piece of the puzzle, he added. Cybercriminals also work ahead in different ways to make their money, such as planning passive attacks in addition to the active ones.
It doesn’t matter if they get a ransom or not. The hackers might – and often will – still sell off the information they obtained. In Indigo’s case, the company refused to pay a ransom but now has its employees’ data advertised for sale on the dark web for the cryptocurrency equivalent of about $50 to upward of $300 per worker.
The global data collection market is hugely lucrative for every player involved. Anyone who wants to target a defined group of people for any given number of reasons would find the type of highly specific information that comes out of a data breach incredibly valuable. “That’s why the health care and retail sectors are often impacted,” Mr. Hull says. “They hold lots of this treasured data.”
Advertisers, marketers, information brokers and identity thieves have big pockets, and they’re ready to pay millions of dollars. On the dark web, real-time bidding technology is employed, in which algorithms engage in high-frequency auctions. The automated process can take place tens of billions of times each day, providing even more opportunities for cybercriminals to camouflage.
Police say they keep playing a cat-and-mouse game with hackers, and there is no end in sight.
In 2022, the Canadian Anti-Fraud Centre saw $530-million in hacking losses, a 40-per-cent increase from the year before, a record year itself. The nationwide data repository estimates only around 5 to 10 per cent of victims actually reported breaches to the authorities. But Detective Sergeant Vern Crowley, who works with the cybercrime investigation team for the Ontario Provincial Police, believes it’s likely more dire.
“It’s very sad, though it makes sense,” he says. “Time is money for businesses. Some assume disclosing that they have been compromised will have a stigma for their brand or that they’ll never get their money back by talking to police anyway.”
Yet even after businesses report appropriately, law enforcement officials likely will not be able to catch up with cybercriminals, Det. Sgt. Crowley says. “We use the same technology as them, but I mean these people are innovators. … They come up with new techniques and then we have to learn those techniques to exploit vulnerabilities in them. That takes time – it could be months, or even years sometimes.”
It’s why so many companies decide not to pay a ransom, says OPP Detective Constable John Armit, who specializes in organized financial crimes. “We don’t exactly tell them not to,” he admits.
“We don’t want to see a small town lose 200 or 500 jobs because of a cyberattack,” Det. Sgt. Crowley says. “That’s devastating to any community.”
Photo illustration by the Globe and Mail/iStockPhoto / Getty Images
Carlos Chalico has been in this sector long before it was even called cybersecurity. He started his career with Ernst & Young Global Ltd. in 1986, in what was then termed as information security. Now, he’s the head of cybersecurity and privacy for EY in Canada, working closely with private-sector organizations and various levels of government.
Not too long ago, the founder of a startup told Mr. Chalico that because the business was at its infancy, it could only focus on expenditures related to the company’s survival. His response to that executive was, “Well, depending on the type of business you’re running, you’ll need cybersecurity precisely for that reason: survival,” Mr. Chalico says.
The costs of cybersecurity are rising. A Statistics Canada survey of more than 12,000 companies found that one in five firms experienced a hacking incident in 2021, as businesses spent $9.7-billion to prevent these incidents that year, more than three times the amount in 2019.
But cybercriminals are “constantly spending lavishly to exploit new vulnerabilities,” Mr. Hull says. Though figures are difficult to verify, industry estimates suggest hackers are globally laundering, acquiring, spending and reinvesting about US$1.5-trillion in profits a year. The highest-earning cohort makes up to US$2-million a year, while mid-level hackers take home around US$900,000 on average.
Many organizations that rapidly transformed when COVID-19 hit now allow staff to either work completely remotely or at least a few days per week from home. This means employees often use their personal internet connection and their own devices for work. While some firms have introduced security measures, such as asking employees to use virtual private networks in order to access company information, a great deal have not.
Earlier this year, a report released by Mastercard Inc. found remote work alone contributed to a 238-per-cent rise in cyberattacks in 2022 from the year prior. It surveyed 2,007 businesses in the U.S. and 2,002 in Canada, along with 502 business leaders in both countries, stating that cybercrime has spiked by 600 per cent since the onset of the pandemic.
At the same time, cyberintelligence agencies in Canada continually warn that international conflicts such as Russia’s war on Ukraine have also worsened the extent and frequency of cyberattacks here.
Given this rise in attacks, business investments in cybersecurity should be increasing rather than stalling, says Toronto-based Aviva Klein, vice-president for digital payments and cyberintelligence at Mastercard. “And yet, the data doesn’t necessarily reflect that,” she added, noting many companies are still behind on systems that should have been updated years ago.
In Indigo’s case, the company first discussed the imminent overhaul of its website with The Globe and Mail in September, 2022, months before its attack. Back then, it was still running on an in-house system built in 1999. The company launched “a number of initial elements” for its digital transformation around October and November last year, spokesperson Ms. Perri says; namely its order management system from Manhattan Associates, which Indigo uses for warehousing, labour management and transportation.
The transformation project, however, “had no link to the cyberattack, and created no additional vulnerabilities,” Ms. Perri says. It would be “inappropriate to speculate as to why the criminals focused their attention on certain components,” such as how Indigo had stored its employee data, she added.
The average cost of a cybersecurity breach is $5.64-million for Canadian businesses, but only one in three implement vulnerability tools, Mastercard found.
Lisa Kearney, chief executive officer for the Women CyberSecurity Society Inc., says turnover in her field is also high. “There’s rarely any permanent jobs. But then, you’re also navigating the bureaucracy within organizations because they frequently come at it from a fear of the unknown. They often don’t want to listen to you or what solutions you have to offer,” she says.
“At times, you’re asked to step away from your personal ethics and do something immoral, such as hiding when attacks happen, or scrubbing details and whatnot. Turnover happens because of that, too, because at the end of the day, personal reputation is everything in our business.”
Mr. Chalico believes it stems from human nature. He says the corporate stalling surrounding cybersecurity is like the procrastination of an individual buying an insurance policy.
Still, he added, there are other issues that bigwig execs raise with him all the time, too, such as whether cyberexperts are worth trusting at all.
Cyberinsurance has only been around for the past decade or so, explains Mahan Azimi, a policy adviser at the Insurance Bureau of Canada. Currently, it represents a small chunk of the country’s commercial market, and it’s just one of many preventative measures that businesses can employ.
But the adoption of cyberinsurance has grown rapidly. It was actually the fastest growing line of the overall insurance business in Ontario and Quebec in 2022, Mr. Azimi says.
This pace in the development of cyberinsurance reflects something many cybersecurity professionals know all too well: Not only is committing cybercrime lucrative, so, too, is the prevention of such breaches.
The global cybersecurity sector was valued at US$154-billion in 2022, according to Fortune Business Insights. In Canada, market revenue was roughly US$3.5-billion last year, suggest figures from Statista. Top-paying positions in the sector typically earn anywhere from US$100,000 to US$200,000, with some senior-level jobs paying around US$400,000 a year.
Mr. Chalico likens it to flipping a coin – and winning the toss both ways. “On one side, unfortunately, bad actors have found that going after people’s data or information and using that for nefarious purposes is something that can be easily monetized,” he says.
“On the other side, the definition of controls, the adoption of frameworks, and the enablement of cybersecurity programs is, of course, something that can be considered lucrative as well.”
Quietly, in tight-knit circles, several Canadian business leaders acknowledge that part of their skepticism around cybersecurity comes from the fact that so-called white-hat hackers, who try to prevent attacks by exploring weaknesses in systems using a hacker’s toolkit, are often reformed black-hat hackers. That means people working toward ethically strengthening the security of a business are highly likely to have formerly been cybercriminals otherwise motivated by malice.
Mr. Chalico has observed many cybersecurity professionals being approached to join organized criminals because both sides require similar skills. In many cases, people end up switching sides, he added, “due to black hats often being paid better.”
At times, it gets even more convoluted. “People take contracts and they accept working for a company without knowing that, in the background, that company is doing something on the dark side,” Mr. Chalico says.
A little while ago, Ms. Kearney was performing routine safety drills when she discovered a colossal threat. She’d been hired as a Canadian company’s cybersecurity lead. It was a contract role she had barely begun, but she just unearthed several iterations of a unique malware, socially engineered to target her company and dozens of others.
Ms. Kearney immediately alerted the company’s chief technology officer, who quickly assembled response teams for the incident. She found that an internal application, integrated in the company’s system to use Microsoft Outlook, was compromised by a backdoor channel.
The app in question was plug-in software created by a third-party vendor in San Francisco, which had outsourced its development. One developer turned out to be a hacker. And when that hacker ruptured the vendor from the inside, every single device the app was pushed out to was left debilitated.
The deceitful program was operating for well over a year. Often called a Trojan horse by security specialists, the software was designed to look like a normal part of the computing system, so that it could plunder valuable data from the company and lock it out. The stolen information held hostage would likely have garnered a hefty ransom at a later date.
This was a big deal – not just for Ms. Kearney’s company, but also for many others globally, and their customers. It was a huge breach and nobody knew about it. There were incredible ramifications.
Yet, it was never reported. None of the details were ever made public. In fact, Ms. Kearney, who has since left the company and been a consultant for several others, is not able to talk fully about it. It would all be handled internally, and that would be the end of that, she was told.
“This was actually one of the better cases I’ve dealt with in over two decades of my career. Even if they weren’t fully transparent around it, most companies aren’t,” Ms. Kearney says. “They listened fast. They approached things with a calm. And by hiring someone like me, they already had things a lot more in control because they weren’t acting in a reactionary way.”
The Globe surveyed a wide selection of prominent retailers, including Loblaw Companies Ltd., to learn about the cybersecurity investments and measures in place across this country.Christopher Katsarov/The Globe and Mail
It’s not that companies aren’t aware of the threat. Many routinely disclose their vulnerabilities in general terms, including those that have later grappled with breaches. Indigo, for example, noted in a June, 2022, financial report, nearly a year before its own hacking: “Ransomware attacks are increasing exponentially.”
However, most Canadian companies, even those that are publicly traded, do not break down their spending on cybersecurity – either under capital expenditures or operating expenses, or elsewhere.
So, to learn about the cybersecurity investments and measures in place across this country, The Globe surveyed a wide selection of prominent retailers – including Roots Corp. ROOT-T, Aritzia Inc. ATZ-T, Leon’s Furniture Ltd. LNF-T, Loblaw Cos. Ltd. L-T (which owns Shoppers Drug Mart, No Frills, Provigo, Real Canadian Superstore and T&T Supermarket), Dollarama Inc. DOL-T, Canadian Tire Corp. Ltd. CTC-T, Lululemon Athletica Inc. LULU-Q, Metro Inc. MRU-T (which owns Food Basics and Super C), Empire EMP-A-T, Indigo and Canada Goose Holdings Inc GOOS-T.
Apart from statements about taking cybersecurity “seriously” and making “continued investments,” none of the businesses disclosed any details about their spending. Some even admitted candidly that they will never disclose such matters. Others said while they may not make their investments public, they have processes to report them internally or confidentially.
“We evaluate ourselves annually against industry benchmarks, and test regularly. We do not provide specific breakdowns of our investments,” says Loblaw spokesperson Catherine Thomas.
“The board and the audit committee collectively oversee the company’s cybersecurity risk management,” says Rex Lee, Canadian Tire’s chief information and technology officer.
“On an annual basis, Indigo makes significant ongoing investments in company IT and digital infrastructure and security that is appropriate for a retailer of our size,” Ms. Perri from Indigo says.
This guardedness in Canada also extends to the sharing or collaboration of protocols with one another. “It would make sense for organizations of different types, or at least those in the same industries, to work together against this common threat,” Mr. Chalico says. “You’d be able to see others and know how much they’re spending or what they’re doing to match up and face things together.”
But some experts believe there are valid reasons for the closed lid on cybersecurity disclosures. “Frankly speaking, these organizations have a lot to lose, so, of course, they’re incredibly careful,” says Bradley Freedman, a partner specializing in cybersecurity at Borden Ladner Gervais LLP, one of the country’s largest and oldest law firms.
Mr. Freedman says sharing risk levels periodically is one thing, but talking publicly about any specific cybersecurity incidents is “a whole other ball game because it may bring attention in the wrong way.”
Canadian regulators and Ottawa’s Office of the Privacy Commissioner have been working to make disclosures more prevalent, Mr. Freedman added. “But that reporting isn’t going to be public either,” he says. “It’s about them knowing what steps you’re taking to prevent attacks in general, especially if you’ve been victimized by one before.”
By way of contrast, late last month, Wall Street’s top regulator in the U.S. adopted new rules requiring public companies to disclose hacking incidents, a measure that officials say will help contend with the mounting cost of cyberattacks.
In the meantime, hackers are increasingly banding together for their attacks. “These are multiple parties interested in the same goals,” Mr. Hull says. “Of course, they work together really well. And actually, they often give different tasks to different factions.”
Not only are the people who deploy malware often independent of the groups that license it, in many cases, so are the cyberattackers that provide encryption or decryption tools for the large amounts of data looted from companies.
What’s more, cybercrime organizations have also become quite diverse. On top of traditional terrorists and state-backed hackers, so-called hacktivist groups have emerged, which are often invested in shaming or embarrassing companies by publicizing their assets.
Photo illustration by the Globe and Mail/iStockPhoto / Getty Images
These days, hacking groups may not need people at all, either. Large language models from artificial intelligence tools such as ChatGPT and other chatbots, along with voice, text and photo-manipulation bots, provide ample non-human workarounds. This is especially effective for phishing traps.
A manipulative technique to obtain private information through e-mails, text messages or phone calls, phishing has remained dominant among hackers because of its enduring success. And social media has made it easier. LinkedIn, Facebook, Instagram, X (formerly known as Twitter) and other websites or apps “offer a plethora of personal data, so you can easily act like you’re a legit actor,” Ms. Kearney says.
Fifteen years ago, Mr. Chalico says roughly nine out of 10 businesses he worked with would introduce reactive cybersecurity measures after an attack, rather than setting up proactive protocols. Now, he says around four out of 10 businesses have tilted to become proactive.
“I’m starting to see some progress,” he says.
A report this past spring from Cisco Systems Inc., the California-based tech company behind online tools such as Webex and Jabber, found 78 per cent of Canadian organizations have plans to increase their cybersecurity budget by more than 10 per cent over the next 12 months.
Robert Barton, Cisco’s chief technology officer for Canada, sees hope in the data. “Businesses are finally starting to listen,” he says.
“But what I’m worried about is if it’s enough, or if it’s too late,” Mr. Barton added. “It’s not just about the impacts of the attacks, it’s about the preparedness to withstand them. Most of all, we need to realize, once and for all, that it’s not a matter of if you will be hit. It’s a matter of when. Why leave yourself vulnerable when you’ve got so much to lose?”
Editor’s note: This article as been updated to clarify that hackers threatened to leak Indigo employees’ data to the dark web, and leaked data was advertised for sale.
THE DECIBEL:
For the best listening experience and to never miss an episode, subscribe to The Decibel on your favourite podcast app or platform: Apple Podcasts, Spotify, Amazon Music, Stitcher, Google Podcasts, iHeartRadio, Pocket Casts and Youtube.
Temur Durrani
Susan Krashinsky Robertson