Canada's cyber agency and the RCMP say they have investigated multiple cases in which unspecified hacktivists compromised industrial control systems.
# Incident Report: Compromise of Canadian Industrial Control Systems by Hacktivists
## Executive Summary
Canadian cyber authorities (Cyber Centre and RCMP) have investigated multiple incidents where unspecified hacktivists compromised internet-connected Industrial Control Systems (ICS) affecting utilities and small businesses across Canada. The impact included physical process disruption, such as altering water pressure and manipulating agricultural silos. The primary response involved investigation and public warning regarding the vulnerability of poorly secured ICS components.
## Incident Details
- **Discovery Date:** Not explicitly stated; the public warning was issued "this week" relative to the report date of October 30th, 2025.
- **Incident Date:** Multiple recent incidents occurred prior to the warning.
- **Affected Organization:** Multiple unspecified Canadian utilities, small businesses, an oil and gas company, and a farm.
- **Sector:** Critical Infrastructure (Water Utility, Oil & Gas, Agriculture/Farming).
- **Geography:** Canada.
## Timeline of Events
### Initial Access
- **Date/Time:** Not specified, attributed to "recent incidents."
- **Vector:** Exploitation of poorly secured, internet-connected ICS components.
- **Details:** The incidents were opportunistic intrusions targeting accessible systems.
### Lateral Movement
- **Details:** Not specified, but the result was control over physical processes (e.g., manipulating water pressure, tank gauges, and silo conditions).
### Data Exfiltration/Impact
- **Details:** Physical process tampering and operational disruption. Specific documented impacts include:
1. Changing water pressure at a local utility, disrupting service.
2. Tampering with an automated tank gauge at an oil/gas company, causing false alarms.
3. Altering temperature/humidity in a grain-drying silo, creating dangerous conditions requiring worker intervention.
### Detection & Response
- **Details:** Incidents were detected through operational monitoring (e.g., false alarms, worker intervention). The Canadian Cyber Centre and RCMP investigated the multiple cases. A public alert was issued detailing the risk to exposed ICS.
## Attack Methodology
*Because the source is a summary, the techniques below are inferred from the nature of the ICS compromise; a detailed MITRE ATT&CK mapping cannot be derived from the source.*
- **Initial Access:** Targeting unsecured, internet-accessible ICS components (Inferred: Exploitation of known vulnerabilities, default configurations, or brute-force on exposed OT gateways).
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified.
- **Credential Access:** Not specified.
- **Discovery:** Not specified, but necessary to identify controllable ICS functions (e.g., water pressure valves, temperature sensors).
- **Lateral Movement:** Not specified, assumed movement from the initial access point to the relevant ICS/SCADA layers.
- **Collection:** Focusing on operational data needed for process manipulation.
- **Exfiltration:** Likely low or none; the primary goal appears to be vandalism/disruption (hacktivism).
- **Impact:** Direct manipulation of physical process controls (e.g., changing physical settings like pressure, temperature, and alarms).
## Impact Assessment
- **Financial:** Not quantified, but operational disruption occurred across multiple sectors.
- **Data Breach:** No mention of data exfiltration; impact was operational/physical.
- **Operational:** Service disruption at a utility, false alarms at an energy company, and dangerous conditions created at a farm silo.
- **Reputational:** The security agencies issued a public warning due to the recurring nature of the threat.
## Indicators of Compromise
- **Network indicators:** None disclosed.
- **File indicators:** None disclosed.
- **Behavioral indicators:** Unauthorized remote manipulation of PLC/HMI settings related to water utilities, oil/gas tank gauges, and environmental controls in silos.
## Response Actions
- **Containment measures:** Workers intervened at the farm silo to stop dangerous conditions. Specific digital containment measures are not detailed for the utility/oil and gas incidents.
- **Eradication steps:** Not specified.
- **Recovery actions:** Restoring normal operational parameters (e.g., returning water pressure to normal levels).
## Lessons Learned
- Many Canadian utilities, farms, and manufacturers operate **poorly secured, internet-connected ICS**.
- Exposed ICS components pose **significant risks** to public safety and operations.
- Opportunistic hacktivist activity is an increasing threat targeting critical infrastructure.
## Recommendations
- Immediately isolate or secure all internet-facing ICS components.
- Conduct comprehensive vulnerability assessments focused specifically on Operational Technology (OT) environments.
- Implement strong access controls, authentication, and network segmentation between IT and OT environments to prevent unauthorized remote access to control systems.