Cyber Incident Victim: Hydro-Quebec

On April 13, 2023, the website of Hydro-Quebec, Quebec's primary power utility, was rendered inaccessible due to a cyberattack. The pro-Russia hacker group known as NoName057(16) publicly claimed responsibility for the incident. In an online post translated from Russian, the group stated, "Continuing our visits to Canada... The website of Hydro-Québec, the company responsible for generating and transmitting electricity in Quebec, was put down." This attack was part of a broader series of cyber incidents targeting Canadian organizations that week, including the websites of Prime Minister Justin Trudeau, the Laurentian Bank of Canada, and the Port of Montreal and Port de Québec, for which pro-Russia groups also claimed responsibility.

Hydro-Quebec confirmed to CTV News that its website had been targeted by a "cyber attack" overnight on Wednesday, April 12. The utility's spokesperson, Lynn St-Laurent, stated that the company's security team quickly detected the attack. The specific nature of the attack was identified as a "denial of service" attack. This type of attack functions by overwhelming a system with a massive volume of superfluous requests, causing it to become overloaded and unavailable to legitimate users. Despite the disruption, Hydro-Quebec assured the public that its critical systems responsible for electricity generation and transmission were not impacted by the incident.

The impact of the denial of service attack was significant but limited to the public-facing website and associated application. As of approximately 11:00 a.m. on April 13, parts of the Hydro-Quebec website remained down. Some sections, such as the outages map, remained accessible to the public. However, other critical sections, including the Customer Space page where customers manage their accounts, would not load. The Hydro-Quebec mobile application was also affected by the outage, experiencing similar accessibility issues. The company emphasized that the attack was solely a disruption of service and did not involve a breach of its data systems.

Hydro-Quebec was explicit in its assessment that no data compromise occurred. Spokesperson Lynn St-Laurent stated there were no "infiltrations" or "exfiltrations" of sensitive data or customer information. No personal data was compromised as a result of the attack. The incident was characterized as highly disruptive but not sophisticated, effectively preventing access to web services without penetrating the organization's internal networks or exfiltrating any data.

The response to the incident was managed by Hydro-Quebec's internal cybersecurity team. St-Laurent noted that the utility employs a team of 300 cybersecurity professionals who monitor its digital infrastructure "24/7." This team was responsible for the rapid detection of the attack. Their response involved mitigating the denial of service attack to restore service. The containment efforts focused on managing the flood of malicious traffic to allow legitimate user access to gradually return.

The incident occurred during a period of particular operational strain for Hydro-Quebec. The cyberattack took place exactly one week after a major ice storm had knocked out power for 1.1 million of its customers across Quebec. Power restoration efforts from that weather event had been ongoing throughout the week and were only concluded on the morning of April 13, the same day the website was attacked. This context meant the utility was already managing a large-scale recovery operation while responding to the cyber incident.

Technical analyst Carmi Levy provided context on the nature of a denial of service attack, describing it as "one of the most unsophisticated attacks that exists in the entire cyber security regime." He likened the attack to "a pitchfork-wielding mob shows up at your front door, and they start banging on the door for hours on end. They don't break in, they don't steal anything, they don't damage anything, but you can't come and go. You can't do anything, and your life is essentially on hold." This analogy underscored the disruptive yet non-destructive character of the incident.

The motivation attributed to the attackers by security analysts was geopolitical retaliation. Levy stated, "Because we have stepped forward to help Ukraine [...] Russia has made it very clear that Canada is on its list of countries that it will be targeted in the digital domain." The hacker group's own message, which referenced "continuing our visits to Canada," supported this assessment, positioning the attack as part of an ongoing campaign against Canadian entities. Hydro-Quebec itself could not confirm the attribution to NoName057(16) but acknowledged the website was targeted by a cyber attack.

The consequences of the attack were primarily related to customer access and convenience. Customers were temporarily unable to use the website or mobile app to view their accounts, make payments, or access information beyond the still-functional outages map. The utility's core operational technology (OT) systems controlling the electrical grid were completely segregated from the affected corporate IT systems and experienced no downtime or disruption. Electricity generation and transmission continued without interruption throughout the incident. The full restoration of the Hydro-Quebec website and application to normal functionality was achieved following the mitigation efforts of the cybersecurity team.