A leading cyber-crime expert says foreign hackers who launched a massive attack on Canadian government computers last fall also broke into the data systems of prominent Bay Street law firms and other companies to get insider information on an attempted $38-billion corporate takeover.

Daniel Tobok, whose international cyber-sleuthing company was called in by a number of the firms hit by the attacks, says the hacking spree from computers in China were all connected to last year's ultimately unsuccessful takeover bid for Potash Corporation of Saskatchewan.

"All those different attacks on companies, law firms and government were all interconnected — they weren't isolated incidents," he said in an interview with CBC News.

Other hacking cases

February 2011: U.S. computer security firm McAfee reports hackers operating from China stole sensitive information from Western oil companies in the United States, Taiwan, Greece and Kazakhstan, beginning in November 2009.

March 2010: Citizen Lab and the SecDev Group discover computers at embassies and government departments in 103 countries, including the Dalai Lama's office and India, were compromised by an attack originating from servers in China. They dub the network involved "GhostNet."

January 2010: Google claims cyberattacks from China have hit it and at least 20 other companies. Google shuts down its China operations.

June 2009: A top-secret memo by the Canadian Security Intelligence Service warns that cyber attacks on government, university and industry computers have been growing "substantially."

February 2008: Quebec provincial police say they dismantled a computer hacking network that targeted unprotected computers around the world, including government computers.

The cyber-forensics guru with prominent clients around the world calls the assault on Canadian companies and the government "one of the biggest attacks we have ever seen."

Tobok said hackers penetrated the computer systems of at least seven of Canada's leading law firms in what experts believe was an attempt to mask the real target of the attacks — the few firms directly involved in the aborted Potash deal.

The foreign hack-attack on Canadian law firms was "very sophisticated and highly targeted," he said.

The hackers appeared to have been hunting exclusively for information on the Potash deal, and there was no evidence they had penetrated the confidential files of other clients of the firms affected.

"I think the law firms did a pretty good job in dealing with this attack … and no other clients were harmed. I mean this was not a fishing expedition to download all of the law firms' client files."

One of the law firms representing PotashCorp in the deal is Bay Street's legendary Stikeman Elliott.

In a prepared statement, the firm told CBC News it is "aware of the threat posed by hackers, as well as by viruses, malware and other means of infiltrating computer systems.

"Accordingly, there are safeguards, audit processes and other measures in place that we believe to be appropriate.

"We cannot comment on client matters specifically, but can say that we are not aware of any compromised client information as a result of our systems being breached."

220-computer-hacking-cp

A foreign hack-attack on Canadian firms probing for information on last year's failed bid for PotashCorp was 'very sophisticated and highly targeted,' according the head international cyber-sleuthing company contacted by several of the firms.

In a similar statement, another prominent law firm involved in the Potash deal, Blake, Cassels & Graydon, said it was "not aware of any compromise of client information as a result of any attempt to breach our systems."  

"We take our obligations of confidentiality to our clients and the integrity of our systems very seriously," the firm said.

'Nobody knew the severity'

Tobok said, at first, no one investigating the Potash cyber-attacks connected the dots between the widespread attack on the government and similar invasions of the law firms and other companies.

He said his company was first called in to investigate a series of odd computer glitches at one of the firms hit in the attacks.

"We received a direct call just like we do every other day, (saying) 'I think that we have a problem here. Here is what is happening. Can you guys come and take a look at it?' 

"And nobody knew the severity of the issue or what was happening. They were just noticing that they had a problem."

That was not long after the giant Australian resources conglomerate BHP Billiton had launched its ultimately unsuccessful bid for Potash Corp in August 2010, and several months before the federal government revealed its own computers had been hacked.

Over the ensuing few months, Tobok's company got similar calls from at least two other firms, and that's when his investigators began to notice a pattern.

"While there are hundreds of attacks a year, there were certain things about those attacks that had a certain signature on them that made it all connected," he said.

Tobok says eventually investigators "at a very high level" were able to match that signature to the attacks on the federal government.

The Conservative government finally stepped in and killed the whole Potash deal, but not before federal computer systems had taken the hardest cyber-hit of all.

P.O.V.

Should Ottawa spend more to defend their computers? Take our survey.

The hackers' successful penetration of the Canadian government computers forced federal security officials to shut down all internet connections to the federal Finance Department and Treasury Board, along with Defence Research and Development Canada —  an agency of the Department of National Defence — in an attempt to prevent the further theft of sensitive data.

Almost a year later, all three departments are still without full internet access.

The government initially tried to downplay the severity of the attack, claiming no information had been stolen.

But a government memo obtained by CBC News earlier this year stated that "data has been exfiltrated and privileged accounts have been compromised."

'Malware' designed to gather PotashCorp info

The hackers used the same so-called "spear-phishing" technique to break into otherwise highly protected computers in the government, law firms and other companies hit by the attacks.

The hackers sent each target organization a series of emails purporting to be from senior federal officials or firms involved in the PotashCorp deal.

When infected email attachments were opened, they embedded in the target computer network so-called "malware" specifically designed to gather information on the PotashCorp deal.

Exactly why hackers went to such extraordinary lengths to get inside information on the ultimately ill-fated PotashCorp takeover remains a matter of some speculation.

China, one of the world's biggest consumers of potash-based fertilizers, was reportedly against the takeover bid that would have put the world's largest producer in the hands of BHP.

The Financial Times reported that China's state-owned chemical company, Sinochem Group, had even hired several large international investment banking firms to assess ways to disrupt the BHP takeover bid.

The Chinese government has denied any role in the cyber-espionage fiasco, and experts say the fact the computers used in the attacks were in China does not necessarily mean the hackers were there, too.

At the time of the attack, Russian interests were also rumoured to be eyeing a possible takeover of PotashCorp if the BHP bid failed.

While Tobok isn't pointing fingers, he estimates the PotashCorp attack had to have involved more than 100 hackers, leaving little doubt in his mind the whole thing was the work of a foreign intelligence service, or was otherwise "state-sponsored."

He says the hacking methods used were so sophisticated the intruders almost completely erased their tracks after the attacks.

Almost.

"No crime is perfect," he said.