Executive Summary
In early 2024, multiple Canadian critical infrastructure sectors, including water and energy facilities, were breached by hacktivist groups. According to the Canadian Centre for Cyber Security, attackers exploited exposed internet-facing industrial control systems, gaining access and, in some instances, making unauthorized modifications that could have resulted in dangerous physical effects. The threat actors, likely with a political or ideological motive, targeted operational technology (OT) environments, highlighting the vulnerabilities present in essential public services and raising alarm over the potential for severe disruption or damage.
This breach reflects a broader trend of hacktivist-driven attacks targeting critical infrastructure worldwide, often leveraging OT/IT convergence and insufficient network segmentation. The incident underscores the urgent need for modern security controls, enhanced monitoring, and robust response strategies to keep pace with rapidly evolving threat actor tactics in the industrial sector.
Why This Matters Now
The attack demonstrates how hacktivists are increasingly capable of targeting and compromising OT systems that underpin vital services like water and energy. With growing digitalization and remote access in critical infrastructure, the risk of wide-reaching, real-world impacts from cyberattacks is higher than ever, making advanced segmentation, monitoring, and compliance urgent priorities for operators.
Attack Path Analysis
Hacktivists initially gained access to critical infrastructure networks, likely exploiting unencrypted traffic or misconfigured interfaces. They escalated their privileges to manipulate industrial controls and moved laterally within segmented network zones, potentially targeting east-west traffic paths. The attackers established command and control using covert channels or unmonitored egress to coordinate malicious activities. Exfiltration of sensitive or configuration data was possible via unsecured outbound paths. Ultimately, they modified industrial systems, creating the risk of dangerous conditions or operational disruption.
Kill Chain Progression
Initial Compromise
Description
Attackers gained access to the environment by exploiting exposed interfaces or unencrypted network traffic, possibly leveraging vulnerabilities in remote access or misconfigured services.
Related CVEs
CVE-2025-2566 (CVSS 9.3)
A deserialization of untrusted data vulnerability in Kaleris Navis N4 Terminal Operating System allows unauthenticated remote code execution.
Affected Products:
Kaleris Navis N4 Terminal Operating System – All versions prior to the latest patch
Exploit Status:
exploited in the wild
CVE-2025-5087 (CVSS 6)
A cleartext transmission of sensitive information vulnerability in Kaleris Navis N4 Terminal Operating System allows attackers to extract sensitive credentials via insecure HTTP communication.
Affected Products:
Kaleris Navis N4 Terminal Operating System – All versions prior to the latest patch
Exploit Status:
exploited in the wild
CVE-2025-20014 (CVSS 9.3)
An operating system command injection vulnerability in mySCADA myPRO allows attackers to execute arbitrary commands on affected systems.
Affected Products:
mySCADA myPRO – All versions prior to the latest patch
Exploit Status:
exploited in the wild
CVE-2025-20061 (CVSS 9.3)
An operating system command injection vulnerability in mySCADA myPRO allows attackers to execute arbitrary commands on affected systems.
Affected Products:
mySCADA myPRO – All versions prior to the latest patch
Exploit Status:
exploited in the wild
CVE-2025-22457 (CVSS 9)
A buffer overflow vulnerability in Ivanti Connect Secure VPN appliances allows remote code execution.
Affected Products:
Ivanti Connect Secure – 9.X and 22.7R2.5 and earlier
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts
External Remote Services
Exploit Public-Facing Application
Modify Control Logic
Service Stop
Device Restart/Shutdown
Manipulation of Control
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Authentication for All System Components
Control ID: 7.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 8
CISA Zero Trust Maturity Model 2.0 – Strong Authentication & Access Management
Control ID: Identity Pillar
NIS2 Directive – Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Utilities
Primary target of hacktivist campaign breaching water and energy facilities, requiring enhanced industrial control systems security and encrypted traffic protection.
Oil/Energy/Solar/Greentech
Critical infrastructure vulnerabilities exposed through hacktivist breaches, necessitating zero trust segmentation and threat detection capabilities for operational technology environments.
Government Administration
National security implications from critical infrastructure attacks require comprehensive multicloud visibility, policy enforcement, and anomaly detection across government-regulated utility sectors.
Computer/Network Security
Increased demand for industrial control system protection, east-west traffic security, and inline IPS solutions following successful hacktivist infiltration campaigns.
Sources
- Canada says hacktivists breached water and energy facilities: https://www.bleepingcomputer.com/news/security/canada-says-hacktivists-breached-water-and-energy-facilities/
- CISA Releases ICS Advisories Addressing Current Vulnerabilities and Exploits: https://cyberpress.org/cisa-releases-ics-vulnerabilities/
- Critical Vulnerabilities in mySCADA myPRO Pose Significant Risks to Industrial Control Systems: https://1898advisories.burnsmcd.com/critical-vulnerabilities-in-myscada-mypro-pose-significant-risks-to-industrial-control-systems
- Ivanti patches serious Connect Secure flaw: https://www.techradar.com/pro/security/ivanti-patches-serious-connect-secure-flaw
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic controls, workload microsegmentation, encrypted transport, and strict egress policy enforcement would have provided layered defenses—limiting attackers’ ability to move, escalate, or communicate, while providing detection and containment at each phase of the kill chain.
Control: Encrypted Traffic (HPE)
Mitigation: Prevents credential theft and packet sniffing on data-in-transit.
Control: Zero Trust Segmentation
Mitigation: Restricts privilege boundaries to enforce least privilege and workload isolation.
Control: East-West Traffic Security
Mitigation: Detects and blocks unauthorized east-west movement between workloads.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks unauthorized outbound traffic and detects anomalous egress behavior.
Control: Cloud Firewall (ACF)
Mitigation: Monitors and restricts outbound data flow, identifying exfiltration attempts.
Detects unauthorized manipulation of critical services and triggers incident response.
Impact at a Glance
Affected Business Functions
- Water Treatment
- Oil and Gas Operations
- Agricultural Processing
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of operational data, including system configurations and control parameters, which could be exploited to cause further disruptions or unauthorized control of industrial processes.
Recommended Actions
Key Takeaways & Next Steps
- Rapidly encrypt all critical and lateral cloud and on-prem network traffic to prevent data exposure and packet sniffing.
- Enforce Zero Trust segmentation and microsegmentation of workloads, restricting access to industrial controls only to strictly required identities.
- Implement automated east-west traffic security and real-time anomaly detection to identify and block malicious movement within critical networks.
- Deploy granular egress controls and cloud firewalls to prevent unauthorized outbound connections and data exfiltration attempts.
- Establish centralized visibility and continuous policy enforcement across all cloud and hybrid environments, with regular security posture reviews.
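One way to turn the segmentation, east-west and egress recommendations above into a checkable zone policy, as an added Python example that is not part of this brief or any vendor product; the zone address ranges, the jump host address, the cleartext admin ports and the flow records are all constructed for illustration:

```python
import ipaddress
from typing import NamedTuple

# Constructed zone layout (assumption for this example, not from the brief).
ZONES = {
    "ot": ipaddress.ip_network("10.10.0.0/16"),
    "it": ipaddress.ip_network("10.20.0.0/16"),
    "dmz": ipaddress.ip_network("10.30.0.0/24"),
}
JUMP_HOST = ipaddress.ip_address("10.30.0.5")   # assumed sole approved path into OT
CLEARTEXT_ADMIN_PORTS = {23, 80}                  # telnet and plain HTTP to OT interfaces

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int

def zone_of(addr: ipaddress.IPv4Address) -> str:
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def evaluate(flow: Flow) -> list[str]:
    """Return the kill-chain phases this flow violates under the zone policy."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    findings = []
    if dst_zone == "ot" and src_zone != "ot" and src != JUMP_HOST:
        # Inbound to OT from anything but the jump host: from the internet it is the
        # exposed-interface entry point, from another zone it is east-west movement.
        findings.append("initial_compromise" if src_zone == "internet" else "lateral_movement")
    if src_zone == "ot" and dst_zone == "internet":
        # OT never initiates to the internet; this is the C2 / exfiltration path.
        findings.append("egress")
    if dst_zone == "ot" and src_zone != "ot" and flow.dport in CLEARTEXT_ADMIN_PORTS:
        findings.append("cleartext_exposure")   # credentials readable in transit
    return findings

def triage(flows: list[Flow]) -> dict[str, list[Flow]]:
    """Group offending flows by kill-chain phase for the responder."""
    report: dict[str, list[Flow]] = {}
    for flow in flows:
        for phase in evaluate(flow):
            report.setdefault(phase, []).append(flow)
    return report

SAMPLE_FLOWS = [   # constructed flow records
    Flow("203.0.113.7", "10.10.1.20", 80),    # internet -> OT HMI over plain HTTP
    Flow("10.20.5.9", "10.10.1.20", 22),      # IT workstation -> OT, bypassing jump host
    Flow("10.30.0.5", "10.10.1.20", 22),      # jump host -> OT, permitted
    Flow("10.10.1.20", "198.51.100.4", 443),  # OT host calling out to the internet
    Flow("10.10.1.20", "10.10.1.21", 502),    # Modbus/TCP inside the OT zone, permitted
]
```

Run `triage(SAMPLE_FLOWS)` against flow logs exported from the segmentation or firewall layer; any non-empty phase list is a policy violation worth an alert.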