TORONTO

Metrolinx briefly considered halting transit service after North Korean cyberattack

Paul Bliss and Rachael D'Amore CTV News Toronto
Published Wednesday, January 24, 2018 6:43PM EST Last Updated Wednesday, January 24, 2018 7:44PM EST

Text:

Upon learning of an attempted cyberattack from North Korea, a source tells CTV News Toronto that Metrolinx’s CEO briefly considered shutting down transit service while they tackled the threat.

According to a source close to the situation, senior managers discussed the possibility of pulling the plug on all GO Transit rail and bus service at an “intense” meeting.

The source said the new CEO, Phil Verster, “put safety first” during the deliberations and demanded reassurance from the company’s IT and operations teams that customers were not at risk before deciding to keep transit service running.

Last week, a team of government-employed counter-hackers was able to detect North Korean malware that had penetrated the provincial transit agency’s firewall and stop it before any damage was done.

While the attack originated in North Korea, it’s believed it was routed through a server in Russia before hitting Toronto and Metrolinx.

The agency did not elaborate on how exactly the threat was uncovered or how it presented itself.

“We found it quickly, dealt with it quickly,” Metrolinx’s spokesperson Anne Marie Aikins said.

“There are all kinds of systems that are computerized within Metrolinx. We operate GO Transit, UP Express, the PRESTO system, that’s on a completely separate system to ensure further protection.”

She said that customer’s information was never at risk, thanks to the work of government-employed “ethical hackers.”

“These are expert hackers who work for us who know how to read these things, who know how to anticipate them, who know how to be on the lookout for them and can understand how to protect us all,” Treasury Board President Eleanor McMahon said.

According to the source, the malware that attempted to infiltrate Metrolinx wasn’t programmed to do any serious damage or steal information. It’s believed it was designed to stay dormant within Metrolinx’s system – if it successfully breached it – eventually allowing the hacker to use its newfound access as a springboard to penetrate other targets.

Roy Boisvert, the former assistant director of intelligence at CSIS and now an Ontario-based security advisor, said it’s likely the hacker was trying to find access to and attack other leading economic countries.

Boisvert says Ontario businesses and its government are attacked “relentlessly.”

“Data in 2018 is the new oil, it is the most sought after commodity, it is highly targeted by nation-states,” he said.

Last month, U.S. President Donald Trump’s administration pegged North Korea as the perpetrators behind the WannaCry ransomware attack. The administration said it was able to link North Korea to the attack through evidence collected at major companies such as Microsoft and other victims.

The attack infected hundreds of thousands of computers worldwide in May of 2018, particularly damaging the U.K.’s National Health Service.

Metrolinx has roughly 3.2 million active PRESTO cards within Ottawa, Toronto and Hamilton.

Aikins said she’s confident “safety was not compromised” on any system in the agency’s arsenal.

“Again, our PRESTO data and servers are a unique system, they’re separate and apart, so that wasn’t affected at all,” she said. “We were very confident, so we continued to operate.”

-- With files from The Canadian Press

RELATED IMAGES

view larger image

Prime Minister Justin Trudeau makes a policy announcement at GO Transit's Willowbrook Rail Maintenance Facility in Toronto on Friday, March 31, 2017. Ontario transit agency Metrolinx says it was the target of a cyberattack that originated in North Korea, but no personal information was compromised and systems that operate its trains and buses were not affected. THE CANADIAN PRESS/Chris Young