
Cyber Incident Victim: Black & McDonald

Date: Mar 2023

Location: Canada

Summary

A ransomware attack targeted a major Canadian engineering firm with contracts supporting military bases, power plants, and transportation infrastructure. The company notified key clients, including national defense and power generation entities, prompting precautionary measures such as temporary email communication blocks. While clients reported no operational impacts, cybersecurity experts warned of significant national security risks due to potential data exfiltration and possible involvement of state-affiliated threat actors. Critical infrastructure vulnerabilities were emphasized, with concerns that stolen data could facilitate future attacks or end up with hostile nation-states. The firm declined to publicly confirm attack details, including mitigation efforts or the ransomware's origin, fueling expert skepticism about the scope and consequences despite client assurances of unaffected systems.


Description

Around March 1, 2023, the Canadian engineering firm Black & McDonald experienced a ransomware attack. The Toronto-based company, which holds significant contracts supporting military installations, nuclear power facilities, and transportation infrastructure, did not publicly confirm the incident or disclose operational details. Black & McDonald’s clients, including the Department of National Defence (DND), Ontario Power Generation (OPG), and the Toronto Transit Commission (TTC), were notified. OPG stated the attack had no impact on its operations following an immediate investigation. Defence Construction Canada (DCC), the agency managing military contracts, blocked incoming emails from Black & McDonald as a precaution, shifting communications to phone or in-person interactions until the email system was restored. The DND confirmed the company reported the breach in early March but offered no information on the ransomware’s origin or mitigation steps.


The attack raised concerns among cybersecurity experts due to Black & McDonald’s role in critical national infrastructure. The company holds multimillion-dollar contracts with the DND, including a 10-year, $157 million agreement for military base support, and provides services to nuclear plants and airports. Experts highlighted potential national security implications, noting that ransomware groups with alleged ties to Russia, North Korea, or Iran could exploit stolen data for further attacks. Industry analysts like David Shipley of Beauceron Security cautioned that the absence of evidence of data compromise does not definitively rule it out, emphasizing the risk of undetected exfiltration. Terry Cutler of Cyology Labs warned that access to operational data could enable physical infrastructure targeting. Despite assurances from clients about minimal disruption, calls intensified for improved transparency and stronger cybersecurity frameworks across critical sectors, referencing prior incidents like the Newfoundland health system cyberattack. The lack of mandatory incident reporting mechanisms in Canada contributed to uncertainties around attack frequency and systemic vulnerabilities.
