The Sunshine Coast Regional District (SCRD) is warning the public to be on the lookout for suspicious emails that appear to come from regional district staff.
On Monday, Oct. 24, the SCRD shared an update on its website and social media: “The SCRD is aware of a high volume of emails being received recently that purport to be from SCRD staff, but instead originate from non-SCRD emails, and contain malicious attachments. These emails are targeting phishing, and do not originate from the SCRD. As always, please be cautious when clicking links or opening attachments in emails if they are at all suspicious.”
The SCRD recommends deleting the emails without opening any links or attachments contained in them, and reading the Canadian Centre for Cyber Security's tips on recognizing and avoiding phishing attacks.
Some people who emailed the SCRD months ago – or even more than a year ago – have received new emails this week that include a copy of the previous correspondence between them and SCRD staff, but the sender's email address is different. Emails include an attachment and ask for a response. SCRD corporate officer Sherry Reid confirmed some staff members have also received the suspicious emails.
“Although the emails may indicate they are from an SCRD staff person by name, they are universally from entirely bogus email addresses,” Reid said in an email to Coast Reporter.
The SCRD is now investigating these emails “in light of the recent cyber security incident,” Reid said. A ransomware attack targeted the Sunshine Coast Regional District (SCRD) in September, locking the local government out of its emails and website for nearly 16 hours.
The Sept. 8 and 9 attack came with a demand that the SCRD respond to LockBit by Oct. 4.
Threat analyst weighs in
When asked if these phishing emails are connected to the September ransomware attack, Brett Callow, a threat analyst with software company Emsisoft, said yes, unless the SCRD had another breach. Other malware sometimes is able to steal email and automatically embed the old messages to look like replies, he added. “This could be what’s happening here. Or it could be the work of somebody who had access to the data stolen by LockBit. Or it could be something else,” Callow said.
The use of emails containing previous correspondence with the SCRD for phishing is not particularly unusual, Callow says, and ransomware operators have done this before.
Potentially, the ransomware group could have all of the emails from the server they accessed, or they could have extracted a selection, he said.
For now, Callow says to assume that any email that appears to come from the SCRD is not from the SCRD. His advice is similar to the regional district’s: don’t open attachments or links.
As for the SCRD, Callow says it can continue to keep people up to date.
“When data is stolen it cannot be unstolen,” he said. “There is absolutely no way that a data breach can be undone. Even if the district were to pay the ransom, all they would receive would be a pinky promise that the stolen data would be destroyed. A pinky promise that is coming from cyber criminals carries very little weight.” Callow added that there have been cases where an organization pays a ransom, only to be blackmailed a second time.
The recent suspicious emails have not been reported to the RCMP, Reid added, because “Email spam and phishing attempts are, unfortunately, an ongoing and regular phenomenon that we are all faced with on a daily basis. We have found no evidence of any circumstance in this situation that would suggest a report to the RCMP is in order at this time.”