Business Continuity Management / Disaster Recovery , Cybercrime , Fraud Management & Cybercrime

Canada Busts Suspect Tied to 'Multiple Ransomware Attacks'

US Federal Grand Jury Also Indicts Canadian for Medical Data Breach in Alaska
Canada Busts Suspect Tied to 'Multiple Ransomware Attacks'
Ontario Provincial Police Deputy Commissioner Chuck Cox speaks at a Dec. 7, 2021, virtual press conference.

Canadian police have arrested an Ottawa, Ontario, resident on suspicion of being tied to "multiple ransomware attacks" as well as malware campaigns that amassed victims in Canada, the U.S. and potentially beyond.

See Also: Strengthening Defenses with ISO/IEC 27001 Standards: The Frontier of Canadian Cybersecurity

Matthew Philbert, 31, was arrested by Ontario Provincial Police on Nov. 30, and remains in custody following a 23-month investigation.

Separately, a U.S. indictment against Philbert was unsealed earlier this week.

The Ontario Provincial Police investigation into Philbert, which is part of a law enforcement investigation with the code name Project Coda, began after the FBI in January 2020 alerted the OPP to ransomware and malware attacks with a suspected origin in Canada.

Canadian authorities launched their own investigation, led by the OPP's Cyber Operations Section - part of its Criminal Investigation Branch - backed by the Royal Canadian Mounted Police's National Cybercrime Coordination Unit, with assistance from the EU's law enforcement agency, Europol.

On Tuesday, police in Canada announced that Philbert has been charged with fraud, unauthorized use of a computer, and "possession of device to obtain unauthorized use of a computer system or to commit mischief."

Attacks allegedly tied to Philbert hit "many targets, including individuals, businesses, municipalities and their respective data and information systems and infrastructure," said OPP Deputy Commissioner Chuck Cox at a Tuesday virtual press conference. While authorities have not accused Philbert of attacking any victims in the EU, Europol's involvement suggests investigators might suspect that he has done so.

Investigators seized numerous items from Philbert, including "laptops, a tablet, hard drives, external drives, a bitcoin seed phrase, and a quantity of blank cards with magnetic strips embedded in them, as well as external storage devices," said Detective Inspector Matt Watson of the OPP's Criminal Investigation Branch at the Tuesday press conference.

Many of these attacks allegedly involved ransomware. "These incidents affected a significant number of businesses, government agencies, and private individuals throughout Canada and the United States," Watson said. "I'll steer clear of the specific details of the targets who were hit, as that's evidentiary in nature and I don't want to compromise future court proceedings."

Indictment in Alaska Federal Court

Philbert was also indicted by a federal grand jury in Anchorage, Alaska, on Sept. 17, 2020.

A two-count indictment, charging the defendant with computer fraud and conspiracy to commit computer fraud, was unsealed Monday after the defendant's arrest in Canada and appearance at the Ontario Court of Justice in Ottawa.

The U.S. investigation is being led by the FBI's field office in Anchorage, the Department of Justice says.

The indictment accuses Philbert of being part of a criminal conspiracy that used malware and resulted in damage to multiple systems operated by the state of Alaska, around April 28, 2018. The defendant "conspired with others known and unknown against the United States," said Brian Abellera, the FBI's assistant legal attache in Ottawa, at the Tuesday press conference.

The indictment also accuses Philbert of "the modification, impairment and potential modification and impairment of the medical examination, diagnosis, treatment and care of one or more individuals," as well as posing "a threat to public health and safety" and causing damage to "10 or more protected computers."

The U.S. indictment says there is probable cause that based on the allegations, Philbert would be subject to federal criminal forfeiture rules, which require a defendant to "forfeit to the United States of America any property, real or personal, which constitutes or is derived from proceeds traceable to the violations." If the proceeds cannot be found or have diminished in value, the government says it "intends to seek forfeiture of substitute property."

Phishing Attacks

Canadian investigators say Philbert and accomplices often targeted victims using "malspam," aka malicious spam or phishing attacks. "That's where unsolicited emails with infected attachments were sent to the victims. If the infected attachments were opened by the victim, then it would provide the suspects with access to the person's computer," the OPP's Watson said.

"The unauthorized access provided the suspects with the ability to monitor their computer, view their web camera, collect usernames, passwords and login credentials," he said. "The suspect would then gain access to the victim's online banking, and unauthorized transactions would occur without the victim's knowledge or consent. Further, the unauthorized access would also allow for the deployment of malware and ransomware in future dates."

HIPAA Breaches in Alaska

U.S. authorities have not offered further details about the attack in which Philbert allegedly participated, as detailed in the indictment. But as Bleeping Computer has reported, the Alaska Department of Health and Social Services has reported that on April 26, 2018, it suffered a malware attack that compromised multiple systems used by a division of public assistance, or DPA, that is part of the state's DHSS.

Investigators said the attack involved Zeus, which is information-stealing malware that began life in 2011 as a banking Trojan. The source code for the malware was subsequently leaked, and variants of the malware continue to be refined and used by criminals.

"A DPA computer in the Northern region was infected with a Zeus/Zbot Trojan virus, resulting in a potential Health Insurance Portability and Accountability Act (HIPAA) and an Alaska Personal Information Protection Act (APIPA) breach of more than 500 individuals," Alaska's DHSS reported in June 2018.

"The DHSS security team conducted an investigation which revealed the infected computer accessed sites in Russia, had unauthorized software installed, and other suspicious computer behavior that provided strong indications of a computer infection," it says. "The computer had documents including information on pregnancy status, death status, incarceration status, Medicaid/Medicare billing codes, criminal justice, health billing, Social Security numbers, driver's license numbers, first and last names, birthdates, phone numbers, and other confidential data. Hackers may have used the infected computer to steal data."

Single Breach: 700,000 Victims

When state authorities first reported the breach to federal authorities, they suspected only 501 people had been affected. But by January 2019, state officials had revised their assessment, saying they were notifying approximately 700,000 individuals that their personally identifiable information and medical data may have been exposed, leaving them at increased risk of identity theft.

That wasn't the first breach to result in the exposure of Alaskans' medical records.

In 2012, the state was fined $1.7 million as part of a HIPAA settlement for a 2009 breach tied to the theft of an unencrypted USB drive that potentially contained Medicaid beneficiaries' health information.

In September, meanwhile, Alaska's Department of Health and Social Services said it was notifying "all Alaskans" that their medical information may have been compromised via a "highly sophisticated" cyberattack, tied to nation-state attackers, that it first detected in May.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.