Toronto-based engineering company Black & McDonald, which works on critical infrastructure projects in Canada, including for the military, has reportedly been hit with a ransomware attack.
While the company has yet to publicly comment on the cyberattack, a spokesperson for Ontario Power Generation confirmed that it was unrelated to the company’s operations and that there had been no impact to the firm’s cybersecurity.
Cybersecurity experts have raised concerns, however, suggesting that the attack represents a greater threat to Canada’s national security than the recent attack on Indigo Books & Music Inc. The worry is that the cyberattack is linked to Russia, which raises serious questions for the country’s security agencies.
Black & McDonald, which employs 5,500 staff and had sales of over $1.5bn last year, provides engineering and construction services for nuclear power plants, airports, and the Toronto Transit Commission, among other things.
Its subsidiary, Canadian Base Operators, has multi-million-dollar contracts with the Defence Department for the support of Canadian military bases, with one contract signed in 2020 worth $157m over a decade.
However, as the details of the ransomware attack are scarce, experts say that assurances of no impact should be taken with a grain of salt, and they call for more information to be made available.
Cybersecurity officials in Canada have been warning for years about the need to strengthen the country’s cyber defences, particularly for critical infrastructure.
The country has already experienced the impact of a cyberattack, with hackers accessing the private data of over 58,000 Newfoundlanders last year and wiping out the information technology systems of the province’s largest health authority, causing appointments to be cancelled, including for cancer care.
Cybersecurity experts warn that successful cyberattacks on critical infrastructure could be far more serious, as a number of the devices used to control nuclear power plants, air-traffic control systems, and other infrastructure can be accessed remotely.