NTPC confirms 'cyber attack' from unknown source on Thursday, RCMP investigating

The Northwest Territories Power Corporation says it has "experienced a cyber attack from an unknown source."

Northwest Territories Power Corporation website and email services shut down temporarily

What appears to be a ransomware note is visible on the MyNTPC website Thursday afternoon. (CBC)

The Northwest Territories Power Corporation's (NTPC) website went down Thursday afternoon, with some pages showing what appears to be a ransomware message from unknown hackers.

In a news release Thursday evening, the power corporation confirmed it had suffered a "cyber attack from an unknown source." It stated that the attack came early Thursday morning, and that an investigation is underway.

"No timetable has been set for completion of the investigation," the news release reads in part.

"NTPC has been in communication with the territorial and federal governments as well as the Canadian cyber security agency. NTPC is assessing whether the generation, transmission and distribution systems have been impacted."

According to the power corporation, all electricity systems continue to function. The corporation's email system has been shut down until it can "confirm whether it has been compromised."

Updates will be posted to NTPC's social media accounts.

Earlier on Thursday, some visitors to the MyNTPC website were greeted with a text page that begins with: "Hi! Your files are encrypted by Netwalker."

Apparently directed at a user in a position to physically shut down NTPC computers, the message stated that no shutdown should be attempted, as that could destroy data contained on the computer.

The message had instructions directing the reader to download a "tor-browser," an internet browser that allows users to access what is sometimes called the dark web, in order to verify that decryption of files is possible by visiting a website and inputting a line of code.

The message did not explicitly state whether there is a ransom, or what it could be, but the offer to decrypt a single file was advertised as "for free."

Doug Prendergast, spokesperson for NTPC, said the cyber attack was a ransomware attack, but did not say if any ransom had been set. Earlier in the day, NTPC had said it was too soon to confirm a ransomware attack.

Ransomware is a type of malicious software that allows hackers to view a computer's files, gather information and spread through its network, unbeknownst to the user. The software then encrypts the files and the attackers demand payments from victims to release the data.

RCMP told CBC on Friday morning that it's aware of the alleged "security breach to website and data, with a local utilities provider."

They said their federal investigations unit is investigating but police don't have updates at this time.

'The last thing we need'

Bogdan Stanciu, an IT professional, went to pay his NTPC bill online Thursday when he found the message.

"I was surprised. It sucks because with everything else going on, some crucial infrastructure being hit is the last thing we need," Stanciu said.

He added, "If they have backup, which they almost certainly do, they can just roll it back" unless the backups have been hacked as well.

In an email to CBC, Brett Callow, a threat analyst with anti-malware company Emsisoft, said he's aware of Netwalker exploits against a U.S. health-care provider and the Toll Group, an Australian logistics firm.

Callow said that "it'll likely be more than the website that's affected."

"Ransomware generally does what it's supposed to do: encrypt data," Callow said. "In some cases, the encryption is not properly implemented enabling us to crack it, but that's not the case with NetWalker. It's secure."

Callow said NetWalker is also known as Mailto.

"I can't say how serious the attack may be," Callow added.

"The actors may have only been able to access the server that hosts the website, or they may have been able to penetrate further and encrypt other systems. In the Toll Group incident, the attack caused significant disruption and it took the company approximately six weeks to fully return to normal operations."

This is what some users saw when they visited the MyNTPC website on Thursday afternoon. The "Readme" document leads to what appears to be a ransomware note. (CBC)

A ransomware attack in Nunavut last November took the territorial government two weeks to recover from.

With files from Donna Lee and Avery Zingel