INRS cyberattack cost at least $268,778
INRS saw its computer and telephone systems paralyzed by a cyber attack on August 17.
Targeted by a cyberattack on August 17, the National Institute for Scientific Research (INRS) had to quickly spend nearly $270,000 to contain the incident, restore its systems that had been put out of order and, above all, protect its research data and the personal information of its members. A necessary evil given the urgency and gravity of the situation, say experts consulted by Radio-Canada.
Few details have emerged so far about the hack that affected the computer and telephone services of the organization, which is dedicated to high-level academic research and the training of graduate students.
Anxious not to disclose information that could serve the cause of the person or persons behind the intrusion into its systems, INRS prefers not to talk too much about the progress of the investigation and the consequences that the cyberattack has had on its research and training activities.
Radio-Canada was unable to find out if the attack was still in progress. It was also not possible to know if it was indeed a ransomware attack, as many experts suspect.
In a message published on its website on September 4, INRS announced that email addresses with the domain name inrs.ca were once again functional (archives).
In a written statement, the Institute, whose head office is located in Quebec, told us that it had no proof that data, personal or otherwise, had been used for malicious purposes.
Nevertheless, from the outset and for prevention only, INRS has undertaken to offer its community a free credit monitoring service and protection against identity theft. The investigation into the cyberattack continues, as do the organization's efforts to recover, writes the Institute.
A search carried out in the Quebec government's Electronic Tendering System tells us that in the days following the start of the cyberattack, INRS awarded firms specializing in computer security two contracts by mutual agreement, with a total value of $268,778.
The first contract, worth $188,778, was awarded on August 23 to the American company Mandiant Inc., a subsidiary of the giant Google. The second, worth $80,000, was awarded to the Quebec company Micro Logic Sainte-Foy ltée on August 30.
As soon as INRS became aware of the cyberattack, the organization contacted its insurer, who recommended a team of external consultants who are experts in the field to support it in the context of the incident, explains the research and teaching establishment.
The Minister of Cybersecurity and Digital, Éric Caire, relies in part on ethical hackers to help the Quebec state detect security flaws in its computer systems (archives).
INRS specifies that, with the exception of the deductible, all costs relating to these external services are the responsibility of its insurer.
“Given the urgency of the situation, in particular to protect personal and research data as much as possible, it was obvious that INRS could not proceed by call for tenders and wait several weeks for these grants.”
— Excerpt from the statement that INRS sent to Radio-Canada
INRS specifies that the costs related to the cyberattack are not limited to the $268,778 spent on external firms.
In particular, the organization had to resort to legal advisers to accompany it in the process. Registration for the Equifax service offered to its members will also entail additional costs, the amount of which will depend on the number of people who request an activation code.
As long as the establishment has not fully recovered from the attack, it is difficult for it to give an exact figure. INRS specifies that, like the costs relating to contracts awarded externally, the other expenses incurred since the incident are covered by its insurance.
The cybersecurity consultant and owner of the firm Trilogiam, Jacques Sauvé, affirms that it is normal for an organization targeted by a cyberattack to resort to external expertise, even if it already has an IT team.
Cybersecurity is a different story and when you get into cyberattacks, it takes quite specific knowledge and skills. So they may have in-house cybersecurity resources, but maybe not necessarily [in sufficient numbers] and with the knowledge that they would need to deal with an event of this magnitude, indicates Mr. Sauvé in an interview with Radio-Canada.
Jacques Sauvé states that the number of cyberattacks perpetrated in Quebec and elsewhere in the world increases by approximately 300% each year and that those whose existence is revealed represent only “the tip of the iceberg”.
He adds that there are even firms on the market specializing in negotiation that can help companies or organizations that someone is trying to extort using ransomware.
The value of the contracts awarded by INRS in the wake of the August 17 cyberattack seems reasonable for the work to be performed.
“Any business, organization that experiences a cyberattack will typically hire outside consultants to recover, clean up, do what is called attribution, determine where it came from and who did that. So it's completely normal.”
— Jacques Sauvé, cybersecurity consultant, owner of the firm Trilogiam
According to Alexis Dorais-Joncas, cybersecurity specialist at Proofpoint, everything indicates that INRS was the victim of an attack carried out using ransomware. The use of a specialized firm therefore seems to him justified in view of the task to be accomplished.
In its report entitled National Cyber Threat Assessment 2023-2024, the Canadian Centre for Cyber Security says it has observed an increase in threats against municipal and provincial governments.
There are experts in this sub-specialty of cybersecurity who are going to step in and make sure to contain the attack. So, identify the segments of the networks that could have been compromised by the attacker then, quietly, ensure that we rebuild a network that is secure, that the attacker was indeed kicked out and that can take a while, says Dorais-Joncas.
“A ransomware-type attack [is an attack] that cripples the entire network and then takes a while to recover, depending on how well prepared the organizations are.”
— Alexis Dorais-Joncas, Cybersecurity Specialist for Proofpoint
As long as a business or organization is under attack, one should not be surprised if, like INRS, it opts for discretion, at least during the incident response process.
It's normal for victims not to reveal too much until we know exactly what happened, and especially until we know if the attacker is still present in the network. We are not going to reveal all our cards publicly, so I understand that the organizations are not going to reveal everything, mentions Alexis Dorais-Joncas.
According to Alexis Dorais-Joncas, there are two main categories of cyberattacks: those aimed at extorting ransoms and those aimed at stealing strategic information, a tactic also known as cyberespionage.
Once the threat has been removed, the disclosure of information as part of a review can prove beneficial for all institutions or companies likely to be targeted by a cyberattack.
This allows everyone to increase their level of defense because everyone will have learned from the incident and be able to make the necessary corrections so that the same incident does not happen again, underlines the cybersecurity specialist for Proofpoint.
Jacques Sauvé agrees. By focusing on transparency, without necessarily going into fine detail, the victims of cyberattacks offer an educational opportunity to the entire population.
If public organizations like the City of Laval and the Société de transports de Montréal have been exemplary in their way of communicating information after being attacked by hackers, opacity remains the norm, argues the owner of the Trilogiam firm.
In the cybersecurity community, we find it very distressing, the lack of transparency. It shouldn't be awkward anymore. These are things that happen. We are not talking about if it will happen, but when it will happen and it is very, very rare for organizations to be transparent during a cyber attack, deplores Jacques Sauvé.
In 2022, the Government of Quebec became the first state in North America to have a ministry entirely dedicated to cybersecurity and digital.
In Quebec, the adoption of Bill 25, which modernizes the legislative provisions for the protection of personal information, aims precisely to dispel the fog surrounding cyberattacks.
Part of the provisions of the new law came into force effective September 22, 2022. The others will take effect on the same date next year or in 2024.
Eventually, public bodies and businesses will be required to notify the Commission d'accès à l'information of any incident likely to compromise personal information.
Law 25 provides for fines that can go, in the event of a repeat offense, up to $100,000 for a natural person and up to $150,000 for a business or public organization.