Cyber Incident Victim: Bird Construction
Date:
Jan 2020
Location:
Canada
Summary
A ransomware attack targeted a construction firm with significant federal contracts, encrypting company files and exfiltrating 60 GB of data. The Maze group claimed responsibility for the incident, which prompted the victim to engage cybersecurity experts to restore access without operational disruption. While no secure government data was confirmed compromised, the breach highlighted vulnerabilities in contractors handling sensitive projects, including military and law enforcement infrastructure. The company had previously secured numerous high-value government contracts, raising broader concerns about supply chain security practices among state suppliers. Industry experts emphasized that such attacks often exploit smaller vendors as entry points to target government-linked systems.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In early January 2020, the Toronto-based Bird Construction experienced a ransomware attack claimed by the Maze cybercriminal group. The attackers encrypted company files and exfiltrated approximately 60 GB of data, employing Maze's characteristic tactic of threatening public data exposure to pressure victims into paying ransoms. Bird Construction confirmed the incident through a public statement, acknowledging the encryption of company files but asserting no operational business impact occurred. The company engaged leading cybersecurity experts to restore access to affected systems and files, maintaining normal business functions throughout the incident response. While Bird Construction did not disclose whether ransom payments were made, the Maze group publicly claimed responsibility for the attack in December 2019, approximately one month before CBC's January 26, 2020 report. The compromised data's exact nature remained unspecified, though the company's extensive federal contracting history heightened scrutiny of potential vulnerabilities.
The incident drew attention due to Bird Construction's role as a significant Canadian federal contractor, having secured 48 Department of National Defence contracts worth over $406 million between 2006-2015, alongside projects for the RCMP and Public Services and Procurement Canada. No evidence emerged that classified government information was compromised, but the attack prompted examination of supply chain security practices for non-classified government contractors. The RCMP acknowledged awareness of the breach but declined to confirm any investigative actions. Cybersecurity analysts highlighted the incident as part of a broader pattern where attackers target smaller contractors as entry points to government-adjacent networks, citing parallels to the 2017 Australian defence contractor breach. Bird Construction maintained that restoration efforts successfully addressed the encryption impacts without disrupting ongoing operations or contractual obligations.