Cyber threat bulletin: People’s Republic of China-sponsored cyber activity against Canadian provincial, territorial, Indigenous, and municipal governments

PRC cyber actors compromise Canadian government networks

The Canadian Centre for Cyber Security (Cyber Centre) is warning Canadian provincial, territorial, Indigenous, and municipal governments, as well as Indigenous governance organizations, of the threat from the People’s Republic of China (PRC).

PRC cyber actors almost certainly pose the greatest ongoing cyberespionage threat to Canada. The Cyber Centre has previously warned that PRC cyber threat activity outpaces other nation state cyber threats in volume, sophistication, and breadth of targeting (Footnote 1). PRC actors are well resourced, persistent, and capable of sustaining multiple concurrent operations in Canada.

We have observed repeated targeting of all levels of government, as well as multiple compromises of government networks. While individual instances of targeting are very likely opportunistic, such as the PRC exploiting weak defences, they collectively represent a significant strategic threat to the security of Canadian systems. It is important to note that when the Cyber Centre is aware of cyber threat activity targeting an entity, we alert them of that threat.

Our assessment is based on reporting from multiple sources. We rely on CSE’s foreign intelligence mandate to provide us with valuable insights into adversary behaviour in cyberspace. We also leverage the Cyber Centre’s experience defending Government of Canada information systems.

Provincial, territorial, Indigenous, and municipal governments are ongoing targets

The PRC almost certainly views provincial, territorial, Indigenous, and municipal governments as valuable targets for cyberespionage. Cyber threat activity targeting these levels of government likely mirrors the ongoing activity targeting the Government of Canada. All government networks hold information on decision-making and regional affairs, as well as personal information of Canadians.

PRC cyber threat actors often serve the direct or indirect requirements of PRC intelligence services. Their targets frequently reflect the PRC’s national policy objectives. These cyber threat actors routinely seek to compromise networks to acquire information that will provide an economic or diplomatic advantage in the PRC-Canada bilateral relationship. They also look to obtain information related to technologies prioritized in the PRC’s central planning. Additionally, PRC cyber threat actors frequently aim to collect large datasets containing personal information, likely for the purposes of bulk data analysis and further targeting.

Governments at all levels manage large networks with unique services, often relying on a complex web of managed service providers (MSPs) and third-party vendors. PRC cyber actors have accessed victims by exploiting MSPs and software vendors, creating opportunities to access government networks.

PRC cyber actors are sophisticated and difficult to detect

PRC cyber actors avoid detection, blend into normal system traffic, and access targets at scale. It is likely, therefore, that some PRC cyber activity goes unnoticed by network defenders.

PRC cyber threat actors operate in ways that make it more difficult to detect their activity, including:

  • compromising small office and home office (SOHO) routers—usually those located in the same geographic area as their victims—and using these routers as proxy networks to hide the origins of their activity
  • “living off the land” using a system’s built-in network administration tools, including using legitimate but compromised credentials to log in to victim networks through public-facing appliances such as virtual private network (VPN) gateways
  • adjusting their operations to remain undetected following the release of information related to ongoing campaigns
  • compromising trusted service providers to access client information or networks
  • rapidly weaponizing and proliferating exploits for newly revealed vulnerabilities
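The last two tradecraft items above (residential proxy infrastructure near the victim, and valid credentials used against a VPN appliance) are the ones a defender can most readily look for in their own authentication logs. The following is an added example, not code from the Cyber Centre or from this bulletin: it runs three simple heuristics over constructed VPN login records. The log format, the address ranges, the account naming prefixes, and the ten-minute window are all assumptions made for the example; a real deployment would substitute the organization's own egress ranges, a residential/ISP prefix feed, and the log schema of its VPN product.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication records (hypothetical format:
# "<ISO-8601 UTC timestamp> <account> <source IP> <success|failure>").
# These lines are made up for this example; they are not from any product.
SAMPLE_LOGS = """\
2024-03-04T08:01:12Z alice 198.51.100.23 success
2024-03-04T08:03:40Z svc-backup 203.0.113.77 success
2024-03-04T08:05:02Z alice 203.0.113.9 success
2024-03-04T09:15:00Z bob 198.51.100.40 success
2024-03-04T09:16:30Z admin-jdoe 203.0.113.150 success
2024-03-04T23:40:11Z bob 198.51.100.40 failure
"""

# Assumed local policy (hypothetical values): the organization's own egress
# ranges, residential/SOHO prefixes in the same region (the kind of address
# space the bulletin says PRC actors proxy through), and naming prefixes that
# mark privileged or service accounts which should never be used over VPN.
CORPORATE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
LOCAL_SOHO_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
PRIVILEGED_PREFIXES = ("admin-", "svc-")


def parse_logs(text):
    """Parse the constructed log format into a list of dicts, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "src": ipaddress.ip_address(src),
            "result": result,
        })
    return sorted(records, key=lambda r: r["time"])


def in_ranges(ip, ranges):
    return any(ip in net for net in ranges)


def find_alerts(records, window=timedelta(minutes=10)):
    """Apply three heuristics to successful logins and return the alerts."""
    alerts = []
    by_user = defaultdict(list)
    for r in records:
        if r["result"] != "success":
            continue  # failed attempts are noisy; they deserve their own rule
        # Rule 1: a valid credential used from nearby residential/SOHO space
        # rather than from the organization's own egress addresses.
        if in_ranges(r["src"], LOCAL_SOHO_RANGES) and not in_ranges(r["src"], CORPORATE_RANGES):
            alerts.append({"rule": "soho_source", "user": r["user"], "src": str(r["src"])})
        # Rule 2: privileged or service accounts logging in over the VPN at all.
        if r["user"].startswith(PRIVILEGED_PREFIXES):
            alerts.append({"rule": "privileged_over_vpn", "user": r["user"], "src": str(r["src"])})
        by_user[r["user"]].append(r)
    # Rule 3: one account authenticating from two different sources within a
    # short window, a basic indicator that a second party holds the credential.
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            if prev["src"] != cur["src"] and cur["time"] - prev["time"] <= window:
                alerts.append({"rule": "multi_source_short_window", "user": user,
                               "src": f"{prev['src']} -> {cur['src']}"})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

On the constructed input this flags alice's second login (residential source, minutes after a corporate one), and the two privileged accounts. Rules of this kind only work if VPN logs are actually retained with source address and account name, which is the point of the logging recommendation later in this bulletin.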

Government of Canada agencies and departments have been compromised by PRC cyber threat actors more than 20 times over the past few years.

Despite our best efforts at defending the Government of Canada, the Cyber Centre observes near constant reconnaissance activity by the PRC against Government of Canada systems. While all known compromises have been addressed, PRC cyber actors are well resourced, sophisticated, and persistent. Taken together, PRC cyber actors have both the volume of resources and the sophistication to pursue multiple government targets in Canada simultaneously.

Information sharing enables detection and remediation

While the threat to federal networks from the PRC is the Cyber Centre’s most significant concern, Government of Canada information and communication technology is also where we have the greatest visibility. We draw on multiple sources and partners to identify malicious cyber threat activity targeting other levels of government in Canada. However, without information from potential victims, the Cyber Centre is unable to determine the size, scope, and impact of cyber threat activity.

Information sharing is necessary to enable effective detection and remediation, particularly when dealing with sophisticated cyber threat actors like those sponsored by the PRC. The scope and scale of cyber activity targeting provincial, territorial, Indigenous, and municipal governments remains largely unknown. Information sharing allows the Cyber Centre to better assess threats, collectively mitigate and respond, and inform potential victims and targets as soon as possible.

Mitigating this threat

The Cyber Centre encourages provincial, territorial, Indigenous, and municipal governments, as well as Indigenous governance organizations, to bolster their awareness of and protection against sophisticated cyber threat activity. This includes fostering increased information sharing between federal, provincial, Indigenous, and municipal government partners to enable more effective threat detection and remediation.

In addition to increased cooperation, the Cyber Centre urges provincial, territorial, Indigenous, and municipal governments, as well as Indigenous governance organizations, to adopt the following measures:

  • manage your identities and use multi-factor authentication (MFA)
    • separate user and privileged accounts to make it more difficult for threat actors to gain access to administrator or privileged accounts, even if common user accounts are compromised
    • see Separating user and privileged accounts from our Cross-Sector Cyber Security Readiness Goals Toolkit for more information
  • use phishing-resistant MFA
    • prioritize accounts with the highest risk, such as privileged administrative accounts for key IT systems
    • see Phishing-resistant MFA from our Cross-Sector Cyber Security Readiness Goals Toolkit for more information
  • establish a robust vulnerability management program for all systems and services that are accessible from the internet
  • patch all known exploited vulnerabilities in internet-facing systems within a risk-informed timespan
  • maintain comprehensive and historical logging information
    • collect and store logs for use in both detection and incident response activities (for example, forensics), including the following logs:
      • access- and security-focused (for example, intrusion detection systems / intrusion prevention systems)
      • firewalls
      • data loss prevention
      • VPNs
    • see Cross-Sector Cyber Security Goal 2.15 from our Cross-Sector Cyber Security Readiness Goals Toolkit for more information
  • audit network appliance and edge device configurations with indicators of malicious activity for signs of unauthorized or malicious configuration changes
  • reduce the response time for critical breaches by identifying and implementing priority monitoring of critical identities and resources
  • have a cyber incident response and recovery plan, as well as continuity of operations and communications plans
  • implement network segmentation to reduce the likelihood that threat actors will access the operational technology network after compromising the IT network
  • contact the Cyber Centre to inform us of suspicious or malicious cyber activity
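The recommendation above to audit network appliance and edge device configurations for unauthorized changes is easiest to act on when a reviewed baseline exists and the running configuration is compared against it mechanically. The following is an added example, not code from the Cyber Centre: it normalizes two configurations, reports what was added or removed, and separately flags the categories of change an intruder on an edge device typically makes (new administrator accounts, widened management access, and removed remote logging). The configuration syntax is a made-up, vendor-neutral one, the sample configs are constructed, and the high-risk patterns are assumptions; in practice the patterns would be written for the device's real command syntax and the baseline stored outside the device itself.

```python
import hashlib
import re

# Constructed configs in a hypothetical, vendor-neutral line-oriented syntax
# (not any real appliance's format). The baseline is the reviewed, approved
# state of the device; the running config is what the device reports now.
BASELINE_CONFIG = """\
hostname edge-fw-01
logging host 198.51.100.5
ntp server 198.51.100.6
user admin role administrator
management allow 198.51.100.0/24
"""

RUNNING_CONFIG = """\
hostname edge-fw-01
ntp server 198.51.100.6
user admin role administrator
user support role administrator
management allow 198.51.100.0/24
management allow 203.0.113.0/24
"""

# Assumed high-risk patterns: changes matching these are the kind an intruder
# makes to keep access or to blind defenders, so they are reported separately.
HIGH_RISK = {
    "new_admin_account": re.compile(r"^user \S+ role administrator$"),
    "management_source_changed": re.compile(r"^management allow "),
    "remote_logging_changed": re.compile(r"^logging host "),
}


def normalize(config):
    """Drop comments and blank lines and sort, so reordering is not 'drift'."""
    lines = []
    for line in config.splitlines():
        line = line.strip()
        if line and not line.startswith("!") and not line.startswith("#"):
            lines.append(line)
    return sorted(set(lines))


def config_digest(config):
    """SHA-256 of the normalized config, for a quick baseline comparison."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def audit_config(baseline, running):
    """Report added/removed lines and flag the high-risk differences."""
    base, run = set(normalize(baseline)), set(normalize(running))
    added = sorted(run - base)
    removed = sorted(base - run)
    findings = []
    for change, lines in (("added", added), ("removed", removed)):
        for line in lines:
            for name, pattern in HIGH_RISK.items():
                if pattern.search(line):
                    findings.append((name, change, line))
    return {
        "digest_matches": config_digest(baseline) == config_digest(running),
        "added": added,
        "removed": removed,
        "high_risk": findings,
    }


if __name__ == "__main__":
    report = audit_config(BASELINE_CONFIG, RUNNING_CONFIG)
    print("baseline match:", report["digest_matches"])
    for name, change, line in report["high_risk"]:
        print(f"[{name}] {change}: {line}")
```

Run periodically against configurations pulled from each edge device, this turns the audit item into a scheduled check whose output (a second administrator, a new management source range, and the loss of remote logging in the constructed case) can feed the same alerting pipeline as the VPN logs.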

Some of the mitigation measures above are covered in the Cyber Centre’s newly published Cyber Security Readiness Goals (CRGs). The CRGs consist of 36 foundational goals that can be used by any organization in Canada to improve its cyber security posture. The Cyber Centre encourages organizations of all sizes to implement all the CRGs as a minimum baseline for cyber security protection.

The Cyber Centre is working with provincial and territorial partners to mitigate ongoing compromises and to warn of potential malicious cyber threat activity from sophisticated actors. We are also enabling other levels of government to better assess threats and remediate compromises to their systems. In January 2024, following a series of cyber incidents targeting northern institutions, the Cyber Centre began proactively deploying sensors to territorial government IT assets in Yukon, the Northwest Territories, and Nunavut. These sensors detect malicious cyber activity in devices at the network perimeter and in the cloud. They are one of the Cyber Centre’s most important tools for defending Government of Canada networks.

Useful resources

Refer to the following online resources for more information and for useful advice and guidance.

Reports and advisories

Advice and guidance