Cyber Incident Victim: National Capital Commission
Date: Apr 2023
Location: Canada
Summary
The National Capital Commission suffered a denial of service cyber attack that knocked its website and other services offline. A spokesperson confirmed the external attack was intended to make the site unavailable, though no systems or personal data were compromised. The NCC worked with the Canadian Centre for Cyber Security and hosting partners to restore services while using social media to communicate with the public. Pro-Russian groups were reportedly targeting other Canadian websites around the same time.
Description
On or around April 3, 2023, the National Capital Commission (NCC) became the target of a cyber attack that successfully disrupted its online services. The federal agency, responsible for planning and development in Canada's Capital Region, confirmed the incident on Friday, April 7. A spokesperson, Valérie Dufour, identified the event as a “denial of service” attack, an external assault conducted with the specific intention of making the NCC's primary website unavailable to the public. The attack rendered the NCC's webpage and other associated online services inoperable, effectively taking them offline.

The NCC's response to the incident was initiated promptly. The organization stated that its internal systems and any personal data it held were not compromised during the attack, indicating the impact was limited to service availability rather than a penetration of secure data repositories. To manage the situation, the NCC engaged in a collaborative effort with external cybersecurity experts. This included working closely with the Canadian Centre for Cyber Security, the national authority on cyber threats, as well as its own commercial hosting partners. The stated objective of this collaboration was to restore the website's functionality both quickly and securely, though no specific target date for a full restoration was provided by the agency at the time of its announcement.

With its primary communication channel disabled, the NCC adapted its public outreach strategy. The organization pivoted to using its established social media accounts on platforms including Facebook, Twitter, and Instagram to maintain a line of communication with the public and disseminate information while the main website remained offline. This action was confirmed as a temporary measure to ensure continued public engagement during the service outage.

This incident occurred within a broader context of coordinated cyber activity targeting Canadian entities. In the days surrounding the NCC attack, other prominent Canadian websites were similarly hit by disruptive cyberattacks. Confirmed targets included the official website of Prime Minister Justin Trudeau, the Port of Quebec, and the Laurentian Bank. Furthermore, Quebec’s provincial power utility, Hydro-Quebec, reported that its website and mobile application were knocked offline by a cyberattack on April 6. A pro-Russian hacker group known as NoName057(16) publicly claimed responsibility for the attack on Hydro-Quebec. This group, which reportedly operates on Moscow’s orders, emerged in March 2022 and has been involved in a significant number of cyberattacks against the United States and its allies as a form of support for the Russian government's actions in Ukraine.

While no group immediately claimed responsibility for the NCC attack, the timing, nature, and targets of the surrounding incidents strongly suggest it was part of the same coordinated campaign. Cybersecurity expert Steve Waterhouse, a lecturer at Université de Sherbrooke, characterized these denial of service attacks as a form of “cyber protest.” He explained that such attacks are among the easiest forms of cyber assault to perform, as they are designed to overwhelm a website with traffic until it crashes rather than to infiltrate systems to steal specific data or information. The primary objective is disruption and the generation of fear or inconvenience, not data exfiltration.

The Canadian Centre for Cyber Security provided analysis on this type of threat, noting that these attacks typically cause more fear than actual physical or long-term harm. However, the Centre also used the occasion to reiterate its recommendations for organizations to adopt protective measures to bolster their cyber defenses.

The incident prompted a high-level response from the Canadian government. Defence Minister Anita Anand issued a public statement on April 6, urging all Canadian critical infrastructure organizations to adhere to government recommendations for protecting against cyberattacks. Her statement took the unusual step of outlining specific, direct actions for these organizations to take, emphasizing the heightened threat environment. Minister Anand explicitly stated that operators of critical systems powering communities, providing internet access, delivering health care, or operating any essential services must prioritize the protection of their systems, diligently monitor their networks, and apply all available mitigations.

The impact of the attack on the NCC was a sustained period of digital silence from its primary web presence, forcing a reliance on secondary platforms for public communication. The consequences were operational and communicative, hindering the agency's ability to share information through its main channel and requiring a shift in resources to manage the outage and restoration efforts. The broader impact was its contribution to a wave of disruptions aimed at Canadian infrastructure, which served to highlight the vulnerability of public-facing digital services to relatively simple but effective attack methods. The incident underscored the ongoing cyber threats faced by Western nations and their institutions from politically motivated hacker groups. The NCC's experience served as a concrete example of the type of attacks that prompted the Canadian government to issue renewed and specific warnings to the operators of the country's critical infrastructure.
