Credential stuffing attacks paralyze government online services

August 21, 2020 – The public online services of the government of Canada were recently under a series of cyberattacks. So-called credential stuffing attacks were mounted on the GCKey service and on Canada Revenue Agency (CRA) accounts to fraudulently obtain government services and compromise Canadians’ personal information. In total, 11,200 accounts were affected by the attack. The stolen credentials came from previous hacks worldwide. After multiple security mitigation measures were put in place, the attacks are now under control, and government services mostly resumed on Wednesday evening. Canadians are advised to check all of their online accounts that use the same credentials for suspicious activity.

Public online services such as GCKey and Canada Revenue Agency (CRA) accounts were temporarily suspended this week after a series of so-called credential stuffing attacks, according to a statement from the office of the chief information officer of the Government of Canada. In total, 11,200 CRA and GCKey accounts have been affected by the attacks. Hackers used previously stolen usernames and passwords to gain access to public online services in order to fraudulently obtain government services and compromise Canadians’ personal information.

CRA and GCKey services under a series of credential stuffing attacks

On August 15, early in the morning, the CRA portal was directly targeted with a large volume of botnet traffic performing so-called credential stuffing. Hackers used stolen credentials – passwords and usernames – collected from previous hacks of accounts worldwide to gain access to Canadian government services user accounts.

Besides the fact that many people reuse passwords and usernames across multiple accounts, the cybercriminals also took advantage of a vulnerability in the configuration of security software that allowed them to bypass the CRA security questions and gain access to CRA accounts. On August 17, government officials confirmed in a press conference that the vulnerability had been patched and the risk of this attack mitigated.
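Detection logic for the pattern the last two paragraphs describe, as an added example that is not from the article or from the CRA/GCKey systems: the log format, thresholds, usernames and IP addresses are constructed assumptions. It flags single sources that cycle through many usernames, catches a botnet that spreads attempts thinly across sources by looking at the whole window, and lists the accounts a flagged source actually got into, which are the ones to revoke and re-verify.

```python
from collections import defaultdict

# Constructed sample login events (not real CRA/GCKey logs): "timestamp src_ip username result".
# Two sources try a different username each time; 10.0.0.4 is one person retyping a password.
SAMPLE_LOG = """\
2020-08-15T03:00:01 203.0.113.5 alice FAIL
2020-08-15T03:00:02 203.0.113.5 bob FAIL
2020-08-15T03:00:03 203.0.113.5 dave OK
2020-08-15T03:00:03 198.51.100.9 erin FAIL
2020-08-15T03:00:04 198.51.100.9 frank FAIL
2020-08-15T03:00:04 198.51.100.9 grace FAIL
2020-08-15T03:01:00 10.0.0.4 alice FAIL
2020-08-15T03:01:05 10.0.0.4 alice FAIL
2020-08-15T03:01:09 10.0.0.4 alice OK
"""

def parse(log_text):
    """Return (timestamp, ip, username, success) tuples for each non-empty line."""
    rows = [line.split() for line in log_text.splitlines() if line.strip()]
    return [(ts, ip, user, result == "OK") for ts, ip, user, result in rows]

def flag_sources(events, min_attempts=3, min_users=3, max_success=0.5):
    """Per-source view: an IP cycling through many distinct usernames with a low
    success rate is replaying leaked credential pairs, not mistyping its own password."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": 0})
    for _, ip, user, ok in events:
        stats[ip]["attempts"] += 1
        stats[ip]["users"].add(user)
        stats[ip]["ok"] += int(ok)
    flagged = {}
    for ip, s in stats.items():
        ratio = s["ok"] / s["attempts"]
        if s["attempts"] >= min_attempts and len(s["users"]) >= min_users and ratio <= max_success:
            flagged[ip] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                           "success_ratio": round(ratio, 2)}
    return flagged

def fleet_signal(events, max_fail_ratio=0.3, max_attempts_per_user=2.0):
    """Botnet view: spread across many IPs each source stays under per-IP thresholds, so
    watch the whole window: the failure ratio spikes and each username is tried about once."""
    attempts = len(events)
    fail_ratio = sum(1 for e in events if not e[3]) / attempts
    per_user = attempts / len({e[2] for e in events})
    return {"fail_ratio": round(fail_ratio, 2), "attempts_per_user": round(per_user, 2),
            "suspicious": fail_ratio > max_fail_ratio and per_user <= max_attempts_per_user}

def accounts_to_reset(events):
    """Accounts a flagged source logged into: the stuffed pair worked, so revoke and re-verify."""
    bad_ips = flag_sources(events)
    return {user for _, ip, user, ok in events if ok and ip in bad_ips}
```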

11,200 accounts in total were impacted, including more than 9,000 GCKey accounts and 5,600 CRA accounts – although about half the CRA accounts were linked to the GCKey hack. GCKey is a secure online portal used by about 30 federal government departments and allows Canadians to access government services online such as Employment and Social Development Canada’s My Service Canada Account or their Immigration, Refugees and Citizenship Canada account.

‘The GC [Government of Canada] has taken action in response to credential stuffing attacks mounted on the GCKey service and the CRA,’ tweeted the Government of Canada on their Twitter account on Saturday. Subsequently, the government agencies put multiple security mitigation measures in place including temporarily shutting down their online services. The government officials pointed out that the GCKey service itself was not compromised.

However, a third of the impacted accounts successfully accessed services before they were disabled. The government said it is reviewing the activity associated with those accounts.

Three cyberattacks were aimed at the CRA

Since the spring, Canadian taxpayers have been reporting fraudulent CERB applications and other suspicious behavior on their CRA online accounts, and were left wondering how the hackers got into their accounts. On August 17, Annette Butikofer, chief information officer for the CRA, explained at a press conference that the tax agency was impacted by three cybersecurity incidents that may have allowed fraudsters to access the CRA My Account of certain individuals.

In total, approximately 5,600 CRA accounts – out of about 15 million – may have been impacted. The first incident involved about 3,400 CRA accounts from the GCKey attack. The second incident involved an attempt to access over 2,000 taxpayer accounts directly through CRA services. Butikofer explained that this incident, which allowed the cybercriminals to bypass the CRA security questions, was detected the previous week and immediately shut down. The third incident occurred over the weekend, after which the CRA chose to take down its online services.

GCKey and CRA accounts temporarily suspended

The government officials pointed out that several immediate measures have been put in place to contain the attacks and protect the online government services. One of the most noticeable measures was the temporary shutdown of all online services.

The suspension of CRA online services came at a particularly difficult time, when many Canadians and businesses were relying on the website to apply for and access financial support related to the COVID-19 pandemic. The CRA My Business accounts have been back online with additional security measures since Monday, and the online services for individuals were reactivated late on Wednesday afternoon.

To prevent access to other government online accounts, the link between CRA accounts and My Service Canada accounts has also been temporarily disabled. The government agencies announced that they would contact all affected individuals, whose impacted accounts have been revoked. These individuals will receive a letter from the CRA or the responsible government department explaining how to confirm their identity in order to protect and restore access to their CRA account or receive a new GCKey.

‘If you’ve been a victim here, there’s a good chance you’re a victim elsewhere, as well’

‘The Government of Canada, like every other government and private sector organization in the world, deals with ongoing and persistent cyber risks and threats,’ said Marc Brouillard, acting chief information officer for the Government of Canada. To determine whether there have been any privacy breaches, the government and the RCMP are continuing their investigations. Furthermore, they have contacted and alerted the Office of the Privacy Commissioner about possible breaches.

The government experts recommended that Canadians check all their online accounts for suspicious activity. Since the breach used stolen usernames and passwords from other sites, the CRA has encouraged Canadians to replace the passwords of their online accounts. ‘If you’ve been a victim here, there’s a good chance you’re a victim elsewhere, as well,’ said Brouillard.

To reduce the risk of cyberattacks, Canadians are advised to use unique passwords for different accounts. To avoid nasty surprises, experts also recommend that Canadians check their online CRA account regularly to ensure all information is accurate and their passwords are secure. People with online CRA accounts are also advised to sign up for email notifications from the CRA, so that they are informed when their address or banking information for direct deposit is changed.

‘The safety and security of Canadians, and their information, is the Government of Canada’s top priority. We continue to actively investigate these attacks and are taking swift action to implement additional security features as the investigation continues,’ read the statement from the office of the chief information officer of the Government of Canada. Anybody who has immediate concerns is asked to call 1-800-O-Canada. For more cybersecurity information, visit the website of the Canadian Centre for Cyber Security.