OTTAWA — A Russian-backed cybercriminal group successfully infiltrated a Quebec municipality’s water treatment plant, gaining the ability to manipulate critical systems including water pressure and chemical treatment levels, according to the Communications Security Establishment (CSE) Canada’s 2025-2026 Annual Report released Monday.
A “Ticking Timebomb” for Infrastructure
While the report did not name the specific municipality affected, it confirmed that the hackers gained access to Human-Machine Interface (HMI) systems. This level of access provided the group with the capability to “covertly control pumps, chlorine dosing, pressure settings and monitoring/alerts systems.” The incident highlights a shift in strategy for foreign cyber actors. “State-sponsored actors are becoming more aggressive and are moving beyond traditional espionage to conduct more disruptive activities,” the CSE report stated.
Officials warned that such breaches are not always intended for immediate sabotage. Instead, they are often used as “ticking timebombs,” allowing foreign adversaries to establish a foothold that can be exploited for disruption or extortion during periods of heightened geopolitical tension between Russia and Canada.
Detection and Response
The discovery of the breach was notable for its cross-border coordination. The CSE noted that the incident was not initially detected by Canadian internal monitors but was brought to light when the Organization of American States’ (OAS) cybersecurity network reported that NoName had claimed responsibility for the intrusion on the group’s own communication channels.
Upon notification, the CSE’s Canadian Centre for Cyber Security worked with partners to mitigate the threat and secure the facility’s systems.
A Growing National Security Threat
The Quebec incident is part of a broader, more volatile landscape described in the CSE’s annual report. Over the past year, the agency responded to over 3,200 cyber incidents affecting federal organizations and critical infrastructure sectors, including energy and critical minerals.
The report also emphasized the growing strategic threat posed by Russia and China in the Canadian Arctic. CSE officials warned that these nations are increasingly engaging in activities that “seek to shape access, infrastructure, and decision-making in the region,” extending well beyond traditional military concerns.
Broader Offensive Operations
The 2025-2026 report also highlighted the CSE’s use of its specialized mandate to conduct offensive “active” cyber operations, which are carried out in tandem with partners like the Canadian Armed Forces Cyber Command:
- Fentanyl Trafficking: The agency disrupted a network of foreign cybercriminals who were brokering the sale of chemical precursors used to synthesize fentanyl.
- Extremist Groups: The CSE conducted operations to undermine a foreign extremist group, successfully limiting their ability to radicalize and recruit Canadians by dismantling their online credibility.
- Ransomware Infrastructure: Working with the “Five Eyes” intelligence alliance, the CSE launched a cyberattack against an unnamed ransomware-as-a-service group, rendering its systems inoperable and deleting vast quantities of stolen data.
As network vulnerabilities continue to rise in both number and severity, the CSE is urging Canadian organizations to remain vigilant, emphasizing that protecting critical infrastructure such as the water and energy sectors remains a top-tier national security priority.


