The Duties Beyond Assisting the Public: Darknet Threats Against Canadian Health & Support Organizations

Noy Reuveni, Threat Intelligence Team Leader

As if a global pandemic crisis isn’t enough, organizations focused on the health and support of citizens have been forced to combat not only a widespread virus (and the public needs that come with it), but also threats coming at them from the underground world. As the pandemic continues to affect all types of both private- and government-affiliated organizations worldwide, KELA’s Cyber Intelligence Center took a look into various assets pertaining to Canadian health and support organizations to assess how their attack surfaces may be affected. This blog post will highlight just a couple of darknet findings that our team has detected, which exemplify how threat actors are targeting these types of organizations in Canada.

Exploring New Victims

As COVID-19-related scams continue to rise, actors behind cheque fraud have now expanded their portfolio, targeting a new group of victims — Canadian relief programs. Take the Canadian Emergency Response Benefit (CERB) for example. Our analysts at KELA discovered various offerings for cheques claimed to resemble those of CERB, inviting fraudsters to profit by receiving potential funding. It works very simply. Threat actors make these cheques ready to use by offering buyers either scans or prints of lookalike government cheques, which they then can deposit into their “drop” accounts, preferably via mobile deposit.

Here’s a peak into some of the CERB offerings that were available last week on a credible and well-known Canadian-focused underground market:

Exploring New Markets

Familiar and “everyday” threats are targeting very sensitive organizations during this crisis, but there are some rather “new” threat types booming as well. In addition to the botnet markets, hacking forums, instant messaging platforms, and other underground sites that KELA automatically monitors, KELA’s technologies now gather intelligence from automated shops that sell access to compromised servers.

We dived into a market of this type and detected webshell access to a subdomain of the one of the largest hospitals in Toronto (among other health-related organizations) for sale. The fortunate threat actor that purchases this can instantly be granted access to remotely control the hospital’s server at any time, which in turn enables them to perform a variety of different actions depending on the breached server purchased. To state an example, let’s take something very common that’s been hitting many headlines recently – ransomware attacks. Being granted access to controlling one’s servers from a distance can, among other things, lead to a ransomware attack, therefore placing organizations in a high-risk situation amid all other COVID-19 issues they are faced with. Organizations – especially those related to the healthcare sector – cannot afford even the smallest potential cyber attack as they deal with larger, more critical issues.

These are two examples of webshell access for sale pertaining to two different health-related organizations in Canada. These listing were posted in a remote access marketplace. KELA’s DARKBEAST indexes data from this market, among others, and allows users to search through them in real-time.

What Can We Do?

Let’s state the truth: threat actors – for the most part – aren’t on pause with much of the rest of the world. So, the real question asked is How can security practitioners develop some level of protection as COVID-19 continues? The key here is for organizations to establish and maintain resiliency – in our case, with targeted threat intelligence monitoring. These professionals should be investing all efforts in monitoring their sensitive assets as seen by the underground community, in an aim of deterring potential cyberattacks against them. With proactive monitoring, organizations related to the health and support of citizens can focus their efforts on dealing with citizen-focused issues during these unprecedented times.


Interested in learning more about how you can receive real-time targeted intelligence straight from KELA’s data lake? Contact us today to learn more.