Cyber Incident Victim: International Joint Commission
Date: Aug 2023
Location: Canada
Summary
The International Joint Commission suffered a cyberattack claimed by the NoEscape ransomware gang. The group stated it stole 80 GB of data, including contracts and geological files, and issued a ransom demand. The IJC confirmed a cybersecurity incident was underway and that it was taking measures to investigate and resolve the situation.
Description
On or around August 28, 2023, the International Joint Commission (IJC), a binational organization established by the 1909 Boundary Waters Treaty between the United States and Canada, experienced a significant cybersecurity incident. The IJC, which is responsible for managing lake and river systems along the U.S.-Canada border by approving projects affecting water levels and flows, investigating transboundary issues, and offering solutions, found itself the target of a cyberattack. The incident came to public light following claims made by the NoEscape ransomware gang on Monday, September 11, 2023. The cybercriminal group publicly asserted that they had successfully compromised the IJC's networks and exfiltrated a substantial quantity of data. They claimed to have stolen approximately 80 gigabytes of sensitive information, which included a variety of internal documents such as contracts, geological files, and conflict of interest forms.

The NoEscape ransomware gang, which first emerged in May 2023, followed its typical tactics by issuing a ransom demand to the International Joint Commission. The group publicly listed the IJC as a victim on their platform, a common method used by ransomware actors to pressure organizations into paying. They provided a ten-day deadline for the commission to respond to their financial demands, though the specific monetary amount they were seeking was not disclosed in their public statements. This practice of setting a deadline is intended to create a sense of urgency and force a quicker decision from the victim organization regarding whether to pay the ransom to prevent the public release or sale of the stolen data.
In response to these claims and the internal detection of the security issue, the International Joint Commission officially acknowledged the incident on Wednesday, September 13. An IJC spokesperson confirmed that the organization was indeed dealing with a cybersecurity incident and stated that measures were being taken to investigate and resolve the situation. The spokesperson's statement was deliberately limited, and the organization declined to elaborate on specific details surrounding the attack. They did not confirm whether law enforcement agencies in either the United States or Canada had been contacted to assist in the investigation. Furthermore, the IJC did not provide any information regarding whether the cyberattack had caused operational disruptions to its critical mission of managing cross-border waters or if its offices in Washington, D.C., Ottawa, and Windsor were experiencing technical difficulties as a result of the breach.
The context of this attack places it within a broader pattern of cyber threats targeting critical infrastructure, particularly water management systems. The NoEscape group had, since its emergence, claimed responsibility for attacks on a diverse range of entities prior to targeting the IJC. Their known victims included Germany’s bar association, Hawaiʻi Community College, several Australian companies, a hospital in Belgium, and manufacturing companies in both the United States and the Netherlands. This pattern demonstrates the group's operational flexibility and their willingness to target both public and private sector organizations across the globe. The selection of the International Joint Commission highlights a concerning trend where organizations involved in managing or legislating water systems are increasingly becoming focal points for cybercriminal activity.
This incident occurred against a backdrop of heightened regulatory and governmental focus on the cybersecurity vulnerabilities of water systems. Earlier in the year, in March, the U.S. Environmental Protection Agency (EPA) had passed new rules that added cybersecurity requirements to the annual audits that states must conduct for public water systems. This regulatory move was itself the subject of ongoing legal proceedings, with state lawmakers and federal regulators in court disputing the new mandates. The attack on the IJC served to underscore the very concerns that prompted the EPA's regulatory action. In the same week that the IJC confirmed its incident, the Cybersecurity and Infrastructure Security Agency (CISA) announced a new initiative to offer free vulnerability scanning services to drinking water and wastewater systems throughout the United States. This program was designed to provide weekly automated scans of internet-accessible assets, generating reports on known vulnerabilities, offering week-to-week comparisons, and suggesting mitigations to strengthen their cyber defenses. CISA explicitly noted that while these water systems are vital for community wellbeing, they are not immune to cyberattacks, a statement that was grimly validated by the breach of the binational commission.
The full extent of the data breach at the International Joint Commission, the exact method of initial access used by the attackers, and the specific operational impact on the IJC's day-to-day functions remained unclear from the publicly available information. The organization maintained a position of providing minimal public details as its investigation continued. The incident represents a serious compromise of a binational governmental body tasked with a critical environmental and infrastructural mission, highlighting the vulnerabilities within even the most essential sectors to the tactics of sophisticated ransomware groups. The theft of 80 gigabytes of data, including sensitive contractual and geological information, poses significant risks beyond immediate operational disruption, potentially affecting international water management agreements and projects. The event stands as a stark example of the evolving cyber threats facing public sector institutions and critical infrastructure operators globally.
