Cyber Incident Victim: Northwest Territories Power Corporation
Date:
Apr 2020
Location:
Canada
Summary
The Northwest Territories Power Corporation experienced a ransomware attack involving the Netwalker variant, prompting an immediate shutdown of its IT services and email systems to contain the incident. Operations were disrupted, though electricity generation and distribution remained functional during the investigation to assess potential breaches of generation, transmission, and distribution systems. Attackers compromised the corporation’s online payment portal, displaying a ransom note demanding cooperation for file decryption. Netwalker has been associated with phishing campaigns exploiting COVID-19 fears, including previous attacks on global entities like transportation firms and health agencies. This incident follows prior regional cyber threats but is distinct from an earlier ransomware attack on Nunavut’s government systems.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On the morning of April 30, 2020, the Northwest Territories Power Corporation (NTPC) experienced a ransomware attack attributed to the Netwalker variant, prompting an immediate shutdown of its information technology services to contain the incident. The corporation issued a news release that evening confirming the attack and stating that most operations were affected by the IT disruption, though electricity generation, transmission, and distribution systems remained functional. As a precaution, NTPC disabled its email system pending confirmation of whether it had been compromised and directed stakeholders to monitor social media for updates. Initial public indications of the attack emerged earlier that afternoon through social media posts acknowledging IT system issues, while the corporation’s website became inaccessible. Residents attempting to access MyNTPC, the online payment portal, encountered a directory listing four files, one of which contained a ransom note stating, “Hi! Your files are encrypted by Netwalker,” and demanding cooperation to obtain a decrypter program. The note warned against independent recovery attempts to avoid permanent data loss.
NTPC launched an investigation to assess the attack’s impact on operational systems and determine whether unauthorized access occurred, though no timeline for resolution was provided. Netwalker, identified as a relatively new ransomware strain first documented in mid-2019, had previously targeted entities such as an Australian transportation company and an Illinois health agency. Cybersecurity firm Cynet linked its spread to phishing campaigns exploiting COVID-19 fears, including an attempted attack on Spanish healthcare workers via emails with malicious attachments disguised as coronavirus information. The incident differed from a late-2019 ransomware attack on Nunavut’s government systems. Yellowknife North MLA Rylund Johnson highlighted the growing threat, referencing Nunavut’s prior breach and advocating for territory-wide cybersecurity investments, stating, “Presently it’s a matter of when, not if.” The NWT government had previously emphasized vigilance against COVID-19-related scams in March 2020, sharing reports on ransomware targeting government agencies.